From: Nicolas de Bari Embriz Garcia Rojas
To: freebsd-pf@freebsd.org
Cc: freebsd-jail@freebsd.org
Date: Mon, 28 Apr 2008 09:52:30 -0500
Subject: routing gif0 ipsec
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi all,

I am trying to route all traffic from a gif0 interface used for a VPN to a public IP on the same server that is like an alias. I have the following schema (FreeBSD 6.3):

gif0: flags=8051 mtu 1280
        tunnel inet 67.228.79.224 --> 74.86.163.16
        inet 172.16.224.1 --> 172.16.16.1 netmask 0xffffffff

em1: flags=8843 mtu 1500
        options=1b
        inet 67.228.78.162 netmask 0xfffffff8 broadcast 67.228.78.167
        inet 67.228.79.224 netmask 0xffffffff broadcast 67.228.79.224

The VPN from point 172.16.224.1 --> 172.16.16.1 works; I can ping/telnet to 172.16.16.1 and get a response.

The jail is running on IP 67.228.79.224 (the same IP used for doing the VPN/IPsec), but if I log in to that jail (jexec 1 csh) I cannot ping 172.16.16.1.

Currently I am trying this with pf:

--
nat pass on gif0 from 67.228.79.224 to 172.16.16.1 -> 172.16.224.1
rdr pass on gif0 proto tcp from any to any port 80 -> 67.228.79.224
pass in log from any to any keep state
pass out log from any to any keep state
--

but it is not working; from the jail (67.228.79.224) I cannot ping/telnet the VPN 172.16.16.1.

There is a tool called jumpgate with which I can redirect incoming TCP to gif0 and forward traffic to em1 without problems, but instead I would like to use pf:

jumpgate -b 172.16.224.1 -l 80 -r 80 -a 67.228.79.224

With this I can telnet from the other end point to port 80, and I can forward the connection to the public IP of the jail through the VPN tunnel.

Any ideas on how to solve this issue using pf, or maybe some routing rules?

Regards.