From owner-freebsd-pf@FreeBSD.ORG Wed Feb 22 12:44:29 2006
From: Tiago Cruz <tiagocruz@forumgdh.net>
To: freebsd-pf@FreeBSD.org
Date: Wed, 22 Feb 2006 09:44:25 -0300
Message-Id: <1140612265.5617.25.camel@localhost.localdomain>
X-Mailer: Evolution 2.2.3
Subject: Dirty NAT tricks
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello guys,

Following this link: http://www.nimlabs.org/~nim/dirtynat.html

I learned that I can do some "dirty NAT trick" with my firewall to make this:

"You have a corporate LAN. You want to set up a VPN (in this case OpenVPN) into the LAN for your road-warriors. However, your LAN is numbered with one of the very common private subnets, such as 192.168/16. Your road-warriors often get addresses in the same private subnet from their coffee-shops, and this breaks things horribly."

So... How can I manage the PREROUTING and POSTROUTING rules in PF?
# incoming: rewrite destination 192.168.8.0/24 -> 10.22.8.0/24 (any interface)
iptables -v -t nat -A PREROUTING -d 192.168.8.0/24 -j NETMAP --to 10.22.8.0/24
# incoming on the VPN: road-warrior talks to 10.22.a.b, deliver to 192.168.a.b
iptables -v -t nat -A PREROUTING -i tap0 -d 10.22.0.0/16 -j NETMAP --to 192.168.0.0/16
# outgoing on the VPN: LAN replies from 192.168.a.b appear as 10.22.a.b
iptables -v -t nat -A POSTROUTING -o tap0 -s 192.168.0.0/16 -j NETMAP --to 10.22.0.0/16
# outgoing on the LAN: undo the 10.22/16 source mapping before it reaches the LAN
iptables -v -t nat -A POSTROUTING -o eth0 -s 10.22.0.0/16 -j NETMAP --to 192.168.0.0/16

Thank you!

--
Tiago Cruz
http://linuxrapido.org
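Added example, not part of Tiago's post or of the nimlabs page: pf has no PREROUTING/POSTROUTING chains, but a `binat` rule is a bidirectional 1:1 mapping between two netblocks of the same prefix length, so the PREROUTING/POSTROUTING pair on tap0 collapses into a single rule on that interface. The interface names and netblocks below are taken from the iptables rules above and are assumptions about the poster's setup; the rule syntax is the pre-4.7 pf translation syntax that FreeBSD 6.x shipped with in 2006. The first and fourth iptables rules (destination 192.168.8.0/24 on input, source 10.22.0.0/16 out on eth0) depend on topology the post does not describe; the pf form for such a pair would be a second `binat` on the LAN interface with the matching netblocks.

```pf
# /etc/pf.conf fragment (added example, assumptions marked)
vpn_if  = "tap0"            # OpenVPN tap interface (assumed, from the iptables rules)
lan_if  = "eth0"            # LAN interface (assumed; on FreeBSD usually em0, fxp0, ...)
lan_net = "192.168.0.0/16"  # real corporate LAN numbering
vpn_net = "10.22.0.0/16"    # what road-warriors see instead

# One rule replaces the tap0 NETMAP pair:
#   out on tap0: source 192.168.a.b -> 10.22.a.b
#               (POSTROUTING -o tap0 -s 192.168.0.0/16 NETMAP --to 10.22.0.0/16)
#   in  on tap0: destination 10.22.a.b -> 192.168.a.b
#               (PREROUTING -i tap0 -d 10.22.0.0/16 NETMAP --to 192.168.0.0/16)
# Both netblocks must have the same prefix length (/16 here); pf keeps the
# host bits and swaps only the network part, exactly like NETMAP.
binat on $vpn_if from $lan_net to any -> $vpn_net

# Translation rules only rewrite addresses; traffic still has to be passed.
# Filter rules see the translated (real 192.168.x.x) destination on the
# inbound side, so filter on the LAN addresses, not on 10.22/16.
pass in  quick on $vpn_if from any to $lan_net keep state
pass out quick on $lan_if from any to $lan_net keep state
```

Translation rules must come before the filter rules in the file (pf of that era enforces the section order). Check the file with `pfctl -nf /etc/pf.conf` before loading it, and after a road-warrior connects, `pfctl -s state` shows both the 10.22.a.b and the 192.168.a.b side of each translated connection, which is the quickest way to confirm the mapping is being applied on tap0 rather than on the LAN interface.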