From: Morgan Wesström
Date: Mon, 11 Nov 2019 09:46:42 +0100
To: freebsd-pf@freebsd.org
Subject: Re: Fwd: NAT for use with OpenVPN

> OK. Here it comes:
>
> root@threepio:/usr/local/etc/openvpn # netstat -rn
> Routing tables
>

That machine looks good. I can't spot anything wrong on that side. Can you also check the output of "sysctl net.inet.ip.forwarding" and make sure it's set to 1. This is what gateway_enable=YES should do.

Now I'd like to see the routing and ip info from one of the connected clients. Preferably I'd like the same info from your Netgear router too but I don't expect it to provide an interface to extract this info so it will have to be the black box for now.

The next step is then to start pinging ip addresses from the client side, hop by hop until we don't receive a reply. Starting with the local client vpn address, then the local endpoint, the remote endpoint, the em0 address and so on. But I want to make sure nothing is wrong on the ip stack level first.

/Morgan
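
The two checks described in the message above, as an added shell example that is not part of the original mail: a forwarding check for the gateway and a hop-by-hop ping walk for the client. The function names, the PROBE_CMD and SYSCTL_CMD override variables, and the addresses in the usage comment are assumptions made for illustration; none of them come from the thread.

```shell
#!/bin/sh
# Added example, not from the original mail.
# forwarding_enabled is meant for the gateway; first_dead_hop for a VPN client.

# probe HOST: succeed if HOST answers a single echo request.
# PROBE_CMD (hypothetical override) lets you swap or stub the probe command.
probe() {
    ${PROBE_CMD:-ping -c 1} "$1" >/dev/null 2>&1
}

# forwarding_enabled: succeed only if net.inet.ip.forwarding reads 1,
# which is the state gateway_enable=YES is expected to produce.
# SYSCTL_CMD (hypothetical override) lets you stub sysctl.
forwarding_enabled() {
    [ "$(${SYSCTL_CMD:-sysctl -n} net.inet.ip.forwarding 2>/dev/null)" = "1" ]
}

# first_dead_hop HOP...: probe hops in the order given (nearest first).
# Prints the first hop that does not reply on stdout and returns 1;
# returns 0 with no stdout output if every hop replies.
# Per-hop progress goes to stderr so stdout stays machine-readable.
first_dead_hop() {
    for hop in "$@"; do
        if probe "$hop"; then
            echo "ok   $hop" >&2
        else
            echo "FAIL $hop" >&2
            echo "$hop"
            return 1
        fi
    done
    return 0
}

# Usage on the gateway:
#   forwarding_enabled || echo "IP forwarding is off"
# Usage on the client, with constructed placeholder addresses in the order
# client VPN address, local endpoint, remote endpoint, gateway LAN address:
#   first_dead_hop 10.8.0.6 10.8.0.5 10.8.0.1 192.0.2.10
```

The hop that first_dead_hop prints marks the segment to inspect next: every hop before it forwarded and answered, so the fault sits at or just before the printed address.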