From: Phil Staub
Date: Wed, 13 Nov 2019 16:31:00 -0500
Subject: Re: NAT for use with OpenVPN
To: Morgan Wesström
Cc: freebsd-pf@freebsd.org

On Wed, Nov 13, 2019 at 4:13 PM Morgan Wesström <freebsd-database@pp.dyndns.biz> wrote:

> > iptables --table nat --append POSTROUTING --out-interface eth0 -j
> > MASQUERADE
>
> As I understand iptables, this is the normal/only way to provide NAT for
> any subnet.
>
> > One of the comments in another tutorial I was reading says that the
> > MASQUERADE rule is resource intensive, but if I understand it correctly,
> > the only alternative would be to put a specific rule in place for each
> > client. I don't think I want to do that.
>
> I wonder what their reference was. When you're using iptables you only
> have MASQUERADE to choose from. Even my 20 year old Netgear RT-314 did
> NAT without problems...

See my follow-up message. It's the SNAT directive. The tutorial I was
looking at was https://www.karlrupp.net/en/computer/nat_tutorial

> > Comments?
>
> Well, I am concerned we couldn't identify what mechanism was responsible
> for the already working NAT for 192.168.1.0/24. We wouldn't want to end
> up with two competing mechanisms activated at the same time and the rule
> you added will provide NAT for 10.8.0.0/24 as well as 192.168.1.0/24 -
> the latter which was already working.

True enough.

> There should be init scripts on that router to start all services.
> Maybe they can give a clue on what's going on and how Netgear chooses to
> activate their services.

This thing seems to have a very convoluted startup. Not at all like most
Linux systems I've seen. The file I found where they had added some rules
was definitely not where I expected it to be, and there are no MASQUERADE
commands in it.

> Whatever you do, just verify that the router's admin interface is not
> accessible from the Internet after you've added your rules!

Definitely. I assume the way to test that would be to attempt to access my
router from the outside the same way I would when I log in from the inside.

Phil

> /Morgan
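An added example, not part of this thread or of the router's firmware: a small audit script that parses `iptables-save -t nat` POSTROUTING rules and flags the "two competing NAT mechanisms" Morgan warns about, i.e. SNAT/MASQUERADE rules whose source ranges overlap on the same outgoing interface. The sample rules (the existing LAN NAT, the unscoped MASQUERADE from the tutorial, and a version scoped to the OpenVPN subnet) and the 203.0.113.7 address are constructed.

```python
import ipaddress
import shlex

# Constructed sample of an `iptables-save -t nat` POSTROUTING chain, modelled
# on the router in the thread (eth0 = WAN, 192.168.1.0/24 = LAN, 10.8.0.0/24 =
# OpenVPN clients). Rule 0 stands in for the vendor's already-working LAN NAT;
# rule 1 is the unscoped MASQUERADE from the tutorial, which also matches
# 192.168.1.0/24; rule 2 is the same rule limited to the VPN subnet.
SAMPLE_NAT_RULES = """\
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.7
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
"""


def parse_postrouting(dump):
    """Return (source_network, out_iface, target) for each SNAT/MASQUERADE
    rule appended to POSTROUTING. A rule without -s matches every source."""
    rules = []
    for line in dump.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", "POSTROUTING"]:
            continue
        src, oif, target = ipaddress.ip_network("0.0.0.0/0"), None, None
        for i, tok in enumerate(tokens):
            if tok in ("-s", "--source"):
                src = ipaddress.ip_network(tokens[i + 1], strict=False)
            elif tok in ("-o", "--out-interface"):
                oif = tokens[i + 1]
            elif tok in ("-j", "--jump"):
                target = tokens[i + 1]
        if target in ("SNAT", "MASQUERADE"):
            rules.append((src, oif, target))
    return rules


def find_overlaps(rules):
    """Pairs (i, j, src_i, src_j, target_i, target_j) of NAT rules whose source
    ranges overlap on the same out-interface. iptables applies the first match,
    so the later rule is redundant at best and a sign of two NAT setups
    competing for the same traffic at worst."""
    overlaps = []
    for i, (src_a, oif_a, tgt_a) in enumerate(rules):
        for j in range(i + 1, len(rules)):
            src_b, oif_b, tgt_b = rules[j]
            same_iface = oif_a is None or oif_b is None or oif_a == oif_b
            if same_iface and src_a.overlaps(src_b):
                overlaps.append((i, j, str(src_a), str(src_b), tgt_a, tgt_b))
    return overlaps


if __name__ == "__main__":
    for i, j, a, b, ta, tb in find_overlaps(parse_postrouting(SAMPLE_NAT_RULES)):
        print(f"rule {i} ({ta} {a}) overlaps rule {j} ({tb} {b}); rule {i} wins")
```

Feed it the real dump with `iptables-save -t nat` on the router; a clean result for the VPN subnet is a single rule with `-s 10.8.0.0/24` that overlaps nothing else.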