From: "Zeus Panchenko"
To: freebsd-pf@freebsd.org
Date: Mon, 21 Jul 2014 11:42:57 +0300
Subject: nat lan to tun (nat before vpn)
Organization: I.B.S. LLC
Message-ID: <20140721114257.7299@smtp.new-ukraine.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

hi,

I just stumbled on the subject ... please, may somebody advise what I am missing?

I have: FreeBSD 10.0-STABLE #0 r261303

BoxA:
  LAN: 192.168.0.1/24
  TUN (OpenVPN): 172.16.10.1
  with route to 172.16/12 set via tun

BoxB:
  LAN: 192.168.0.2/24
  with route to 172.16/12 set via boxA lan

I need: to give access to 172.16/12 for boxB via nat on boxA

in boxA pf.conf:

  nat on tun1 from 192.168.0.2 to 172.16/12 -> 172.16.10.1
  pass in log on tun1
  pass in log (all) on $if_lan inet proto { tcp udp } from 192.168.0.2

when I spawn traffic to 172.16/12 from boxB, I can see packets on boxA's lan but nothing on boxA's tun ...

so, can I do it this way or do I need something else yet?

is it the nat-before-vpn case which is not implemented in FreeBSD pf yet (at least it was so)?

-- 
Zeus V. Panchenko            jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC          GMT+2 (EET)
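As an added example (not from the original post and not FreeBSD's own documentation), here is the boxA ruleset the question is aiming for, written out in full. The LAN interface name em0 and the macro names are assumptions; tun1, 192.168.0.2, 172.16.10.1 and 172.16/12 are taken from the post. To the kernel tun1 is an ordinary interface, so a "nat on tun1" rule rewrites the source address when the packet is routed out tun1, before OpenVPN reads it from the device and encrypts it; no separate "nat before vpn" feature is needed for this.

```pf
# Added example for boxA's /etc/pf.conf (not the original poster's config).
# Assumptions: em0 is the LAN interface, tun1 is the OpenVPN interface.
if_lan     = "em0"
if_vpn     = "tun1"
lan_client = "192.168.0.2"
vpn_nets   = "172.16.0.0/12"

# NAT is applied to packets leaving tun1, i.e. after the kernel has routed
# them towards 172.16/12 and before OpenVPN picks them up from the device.
# ($if_vpn) means "the current address of tun1", so the rule keeps working
# if the tunnel address changes on reconnect; "-> 172.16.10.1" as in the
# original post is the static equivalent. Using the tunnel endpoint as the
# NAT source means the remote side already has a route back to it.
nat on $if_vpn inet from $lan_client to $vpn_nets -> ($if_vpn)

# boxB's traffic arriving on the LAN side, bound for the VPN networks.
# The state created here matches the replies on the way back.
pass in log on $if_lan inet proto { tcp udp icmp } \
    from $lan_client to $vpn_nets keep state

# Filter rules see the already translated source address, so the outbound
# rule on tun1 matches the tunnel address, not 192.168.0.2.
pass out log on $if_vpn inet from ($if_vpn) to $vpn_nets keep state
```

Two things outside pf.conf have to be true as well, and both explain the symptom "seen on the LAN interface, never on tun1": boxA must forward IP (sysctl net.inet.ip.forwarding=1, i.e. gateway_enable="YES" in /etc/rc.conf), and boxA's routing table must send 172.16/12 via tun1 (check with "netstat -rn"). NAT is not evaluated until the packet is actually being sent out tun1, so a forwarding or routing problem shows up as no packets on tun1 at all, regardless of the nat rule. Useful checks: "pfctl -sn" shows the loaded nat rules, "pfctl -ss" shows whether a state with the translated address was created, "tcpdump -ni tun1 net 172.16.0.0/12" shows the post-NAT packets, and "tcpdump -eni pflog0" shows what the log keywords above recorded.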