From: Artem Viklenko (Art&Co.)
To: Cristian Cardoso
Cc: freebsd-pf@freebsd.org
Subject: Re: PF + IPsec
Date: Tue, 17 Mar 2020 14:53:54 +0200
Message-ID: <59961b63-a5b8-e0e6-55de-76ab9c43763c@viklenko.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

You don't need rdr.

nat on enc0 inet from 10.0.0.0/8 to 10.31.32.0/24 -> 10.19.12.251

On 17.03.20 14:35, Cristian Cardoso wrote:
> I tried as follows without success:
>
> rdr on xn0 inet proto icmp from 10.31.32.67 to 10.0.0.0/8 -> 10.19.12.251
> nat on xn0 inet proto icmp from 10.0.0.0/8 to 10.31.32.67/32 -> 10.19.12.251
> rdr on enc0 inet proto icmp from 10.31.32.67 to 10.0.0.0/8 -> 10.19.12.251
> nat on enc0 inet proto icmp from 10.0.0.0/8 to 10.31.32.67 -> 10.19.12.251
>
> xn0 is my interface that goes to the internal network that is beyond
> the FreeBSD box, and enc0 is the VPN. I just put the icmp protocol in for
> testing.
> I checked with tcpdump on the enc0 interface, where the echo request
> and echo reply occur, but the reply does not return to the PC that ran
> icmp on another network within 10.0.0.0/8.
>
> Any suggestion?
>
> On Tue, 17 Mar 2020 at 02:48, Artem Viklenko wrote:
>>
>> Hi!
>>
>> PF does NAT on outbound and RDR on inbound.
>> You can try to do NAT on the enc0 interface instead of the LAN one.
>>
>>
>> On 17.03.20 04:28, Cristian Cardoso wrote:
>>> Hello
>>> I'm setting up a FreeBSD server for IPsec VPN communication with
>>> strongSwan and I'm having some difficulties in the operation.
>>>
>>> The FreeBSD server's local network is 10.19.12.0/24 and can connect
>>> correctly to the network on the other side of the tunnel.
>>>
>>> I would like another network behind my server to connect to the tunnel as well.
>>>
>>> In Linux I would NAT the network that is arriving as follows:
>>> iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -d 10.31.32.0/24 -j SNAT --to 10.19.12.251
>>>
>>> In FreeBSD I tried to run the rule as follows, but to no avail:
>>> nat on $LAN inet from 10.0.0.0/8 to 10.31.32.0/24 -> 10.19.12.251
>>>
>>> Is there any other way to generate the equivalent of POSTROUTING on FreeBSD?
>>>
>>> Best Regards
>>
>> --
>> Regards!

-- 
Regards!
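As an added illustration of the suggestion in this thread (not a configuration posted by either participant), the following pf.conf fragment applies the translation on enc0 only, with no rdr. The interface names other than xn0 and enc0, and the pass rules for IKE and ESP, are assumptions; the fragment relies on the tunnel already carrying 10.19.12.0/24 to 10.31.32.0/24, so that packets translated to 10.19.12.251 fall inside the existing tunnel policy.

```pf
# Added example, not the thread's own configuration.
# Assumed layout: xn0 faces the inner 10.0.0.0/8 networks, $ext_if is the
# interface the IPsec peer is reached over, enc0 is the IPsec pseudo-interface
# with default enc(4) filtering settings.
ext_if   = "em0"          # assumed name
lan_if   = "xn0"
vpn_host = "10.19.12.251" # address on the 10.19.12.0/24 side the tunnel already carries

# Translate on enc0 only: that is the interface the cleartext packet leaves
# on before it is encapsulated, so this is the outbound direction pf's nat
# applies to. The same rule on $lan_if matches nothing, because traffic from
# 10.0.0.0/8 toward 10.31.32.0/24 is inbound, not outbound, on that interface.
# No rdr is needed for the replies: pf's state entry for this NAT reverses
# the translation when the echo reply comes back in on enc0.
nat on enc0 inet from 10.0.0.0/8 to 10.31.32.0/24 -> $vpn_host

# Allow IKE and ESP between this host and the peer (standard ports, assumed).
pass in  on $ext_if proto udp to port { 500, 4500 }
pass out on $ext_if proto udp to port { 500, 4500 }
pass in  on $ext_if proto esp
pass out on $ext_if proto esp

# The cleartext side of the tunnel as seen on enc0, plus the inner network
# entering on xn0. Default keep state handles the return path.
pass in  on $lan_if inet from 10.0.0.0/8 to 10.31.32.0/24
pass out on enc0    inet from 10.0.0.0/8 to 10.31.32.0/24
pass in  on enc0    inet from 10.31.32.0/24 to 10.0.0.0/8
pass out on $lan_if inet from 10.31.32.0/24 to 10.0.0.0/8
```

After loading, `pfctl -s state` should show the ICMP state on enc0 with the 10.0.0.0/8 source rewritten to 10.19.12.251, which is the quickest way to confirm the translation is happening on the intended interface.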