From: Kevin Wilcox
To: Peter McAlpine
Cc: freebsd-pf@freebsd.org
Date: Mon, 19 Nov 2012 17:54:07 -0500
Subject: Re: Routing return NAT traffic based on interface

On Nov 19, 2012 3:12 PM, "Peter McAlpine" wrote:
>
> Thanks for your reply. I've tried the configuration you suggested but
> it's providing the same issue I was encountering before.
>
> My goal is to route all traffic from the tunnel out the external
> interface NAT'ing it on the way out. Any traffic coming in on the
> external interface should be un-NAT'd (if applicable), then sent back
> down the tunnel unless it's destined for the external interface's IP
> (post-un-NAT).
>
> Is such a configuration possible with PF?

It is. The "pass in" rule I used in my example assumes the inside interface and the other devices it talks to are in the same network. If you want to pass anything that interface sees, change the rules so that they accept traffic from any IP range: "from $int_if:network to any" becomes "from any to any".

I have a couple of routers that pass traffic for 10.x.y.z but their inside IPs are 172.16.a.b addresses and they were configured much the same way in early testing, before filters were added.

If changing the rule to pass everything doesn't square you away, a network diagram may be useful (as would me actually looking at my pf configs).

kmw
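The following pf.conf is an added illustration of the arrangement discussed in this thread (NAT on the external interface, everything arriving on the tunnel passed regardless of its source range, return traffic un-NAT'd by state and handed back to the tunnel). It is not Kevin's or Peter's actual configuration; the interface names `em0` and `gif0` and the `block all` default are assumptions made for the example.

```pf
# Assumed interface names for this example: em0 is the external
# interface, gif0 is the tunnel whose traffic should be NAT'd out.
ext_if = "em0"
tun_if = "gif0"

set skip on lo0

# Translate everything leaving the external interface to its address.
# pf keeps state for each translation, so replies arriving on $ext_if
# are un-NAT'd and routed back toward the tunnel automatically; no
# separate "un-NAT" rule is needed.
nat on $ext_if from any to any -> ($ext_if)

# Assumed default-deny policy; every accepted flow below is explicit.
block all

# Accept whatever the tunnel carries, whatever its source range. This is
# the "from any to any" form discussed above; a stricter rule set would
# use "from $tun_if:network to any" once the inside ranges are known.
pass in quick on $tun_if from any to any keep state

# Let the tunnel's traffic out the external interface (already NAT'd).
pass out quick on $ext_if from any to any keep state

# Nothing here passes new inbound connections to the external address
# itself; only state-matched replies get back in on $ext_if. Add explicit
# "pass in on $ext_if ... to ($ext_if)" rules for any service the
# router should expose.
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the NAT state entries that carry the return traffic back to the tunnel.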