From: emmekappa
Date: Sun, 08 Sep 2002 22:34:32 +0200
To: freebsd-questions@FreeBSD.ORG
Subject: NAT and openvpn
Message-ID: <3D7BB458.5020308@openbeer.it>

Hello,

I use a FreeBSD 4.7-PRERELEASE box as a gateway; it forwards all packets from the LAN to the Internet. To do this I've simply added "enable nat" to my ppp.conf.

Yesterday I installed openvpn (v1.3.1) from ports; afterwards, I tried to NAT all traffic (to the class 1.0.0.0) from my LAN to the new interface brought up by openvpn. Let me try to explain better:

    gateway# uname -a
    FreeBSD thegate 4.7-PRERELEASE FreeBSD 4.7-PRERELEASE #1: Sun Sep 8 01:40:12 CEST 2002

    gateway# openvpn --config openvpn-server.conf
    /*...blahblah...*/
    add net 1.0.0.0: gateway 192.168.5.1
    /* 192.168.5.1 is the remote computer, I'm 192.168.5.2 */
    86: GID set to nobody
    87: UID set to nobody
    88: Peer Connection Initiated with ....
    /* ok, now the client is connected */

    gateway# ifconfig tun2
    tun2: flags=8051 mtu 1255
            inet6 fe80::250:fcff:fe3b:394c%tun2 prefixlen 64 scopeid 0xa
            inet 192.168.5.2 --> 192.168.5.1 netmask 0xffffffff
            Opened by PID 433

    gateway# ping 192.168.5.1
    (10:05 PM) root@thegate # ping 192.168.5.1
    PING 192.168.5.1 (192.168.5.1): 56 data bytes
    64 bytes from 192.168.5.1: icmp_seq=0 ttl=255 time=76.410 ms
    64 bytes from 192.168.5.1: icmp_seq=1 ttl=255 time=75.324 ms

    gateway# route add 1.0.0.0 192.168.5.1

    gateway# ping 1.108.172.33
    PING 1.108.172.33 (1.108.172.33): 56 data bytes
    64 bytes from 1.108.172.33: icmp_seq=0 ttl=248 time=81.860 ms
    64 bytes from 1.108.172.33: icmp_seq=1 ttl=248 time=90.273 ms
    /* ok, the vpn seems to be ok.. now, some tests with tcp */

    gateway# lynx 1.108.172.33
    /* ok, I can see the page */

    /* now the rule for ipnat */
    map tun2 from 192.168.0.0/16 to any -> 192.168.5.2/32

    gateway# ipnat -l
    List of active MAP/Redirect filters:
    map tun2 from 192.168.0.0/16 to any -> 192.168.5.2/32
    List of active sessions:

    /* another computer... */
    notebook$ ping 192.168.5.1
    PING 192.168.5.1 (192.168.5.1): 56 octets data
    64 octets from 192.168.5.1: icmp_seq=0 ttl=254 time=75.8 ms
    64 octets from 192.168.5.1: icmp_seq=1 ttl=254 time=77.2 ms

    notebook$ ping 1.108.172.33
    PING 1.108.172.33 (1.108.172.33): 56 octets data
    64 octets from 1.108.172.33: icmp_seq=0 ttl=247 time=95.5 ms
    64 octets from 1.108.172.33: icmp_seq=1 ttl=247 time=78.1 ms
    /* all ok! */

    notebook$ lynx 1.108.172.33
    /* uhm?! lynx just says: "HTTP request sent; waiting for response." */

    notebook$ telnet 1.108.172.33 80
    Trying 1.108.172.33...
    Connected to 1.108.172.33.
    Escape character is '^]'.
    GET /
    /* nothing... */

    emmekappa@nrdbook:~$ telnet 1.108.172.33 80
    Trying 1.108.172.33...
    Connected to 1.108.172.33.
    Escape character is '^]'.
    blahblah          /* just a test :PP */
    501 Method Not Implemented

    Method Not Implemented

    ....
    /* uhm?! very strange! */

    gateway# ipnat -l
    (10:30 PM) root@thegate # ipnat -l
    List of active MAP/Redirect filters:
    map tun2 from 192.168.0.0/16 to any -> 192.168.5.2/32
    List of active sessions:
    MAP 192.168.0.2 32814 <- -> 192.168.5.2 32814 [1.108.172.33 80]
    /* it seems ok! */

---

I really don't know how to fix it! I don't think this is a problem with ipnat... maybe with openvpn... or maybe I wrote a bad nat rule :). I don't know! Please help me! :)

bye!
- emmekappa
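An added example, not part of the post or of ipfilter: a small Python check that parses `ipnat -l` output in the shape quoted above and verifies that every active session is covered by a map rule and was translated to that rule's NAT address. The sample output is constructed from the post's own lines; the line formats assumed are exactly those shown in the post.

```python
import ipaddress
import re

# Constructed sample modelled on the `ipnat -l` output quoted in the post above.
SAMPLE_IPNAT_L = """\
List of active MAP/Redirect filters:
map tun2 from 192.168.0.0/16 to any -> 192.168.5.2/32
List of active sessions:
MAP 192.168.0.2 32814 <- -> 192.168.5.2 32814 [1.108.172.33 80]
"""

# Rule lines use lowercase "map ..."; session lines use uppercase "MAP ...".
MAP_RULE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+->\s+(?P<nat>\S+)")
SESSION = re.compile(
    r"^MAP\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<-\s+->\s+(?P<nat>\S+)\s+(?P<nport>\d+)"
    r"\s+\[(?P<dst>\S+)\s+(?P<dport>\d+)\]")


def _net(spec):
    # ipnat prints "any" for 0.0.0.0/0; everything else is a CIDR network.
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def parse_ipnat(text):
    """Split `ipnat -l` output into map rules and active sessions."""
    rules, sessions = [], []
    for line in text.splitlines():
        m = MAP_RULE.match(line)
        if m:
            rules.append({"ifname": m["ifname"], "src": _net(m["src"]),
                          "dst": _net(m["dst"]), "nat": _net(m["nat"])})
            continue
        m = SESSION.match(line)
        if m:
            sessions.append({"src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
                             "nat": ipaddress.ip_address(m["nat"]), "nport": int(m["nport"]),
                             "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"])})
    return rules, sessions


def check_sessions(rules, sessions):
    """Return (session, ok, reason) per session: covered by a rule and mapped to its NAT address?"""
    report = []
    for s in sessions:
        hit = next((r for r in rules if s["src"] in r["src"] and s["dst"] in r["dst"]), None)
        if hit is None:
            report.append((s, False, "no map rule covers this source/destination"))
        elif s["nat"] not in hit["nat"]:
            report.append((s, False, f"translated to {s['nat']}, rule maps to {hit['nat']}"))
        else:
            report.append((s, True, f"consistent with the map rule on {hit['ifname']}"))
    return report
```

Running `check_sessions` over the post's own session line reports it as consistent with the tun2 rule; a session whose source lies outside 192.168.0.0/16, or whose translated address is not 192.168.5.2, is flagged.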