From: Morgan Wesström <freebsd-database@pp.dyndns.biz>
To: freebsd-pf@freebsd.org
Subject: Re: Fwd: NAT for use with OpenVPN
Date: Mon, 11 Nov 2019 23:14:54 +0100
Message-ID: <30f8da8a-de96-f737-fef8-820c6ae2ed16@pp.dyndns.biz>
In-Reply-To: <6bc9b8ce-3ab3-2b57-510d-67ace0a90259@pp.dyndns.biz>
References: <1cebcd5e-d9ed-53db-2d01-c8794933d1c4@pp.dyndns.biz> <80ec074d-7a5d-7016-57e4-f607384d0e20@pp.dyndns.biz> <6bc9b8ce-3ab3-2b57-510d-67ace0a90259@pp.dyndns.biz>
List-Id: "Technical discussion and general questions about packet filter (pf)" <freebsd-pf@freebsd.org>

Phil,

I did some more testing in my own environment and you should be able to ping the following addresses from your connected client. It probably breaks down at some point and you need to tell me where:

10.8.0.6 (or whatever IP your VPN client receives)
10.8.0.1 (server endpoint of the VPN tunnel)
192.168.1.200 (your FreeBSD LAN address)
192.168.1.1 (LAN side of your router)

The next ping test would be an address on the Internet like Google DNS (8.8.8.8).

Looking at the Netgear support forums, some people claim Netgear routers only do NAT for the subnet on their LAN interface while others claim they do NAT for any subnet. I checked the manual for your router but it doesn't explicitly say anything on this matter, so this is still an unknown.

We didn't discuss the client side config. I will show you mine below with the server address obfuscated. You need to replace it with your router's WAN IP.
client
dev tun
proto udp
# Replace with the WAN address of your router (obfuscated here)
remote ***.***.***.*** 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
# Refuses a server certificate not marked for server use. This directive was
# deprecated in OpenVPN 2.4 and removed in 2.5; "remote-cert-tls server" is
# the replacement on newer clients.
ns-cert-type server
verb 4

netstat -rn and ifconfig -a (ipconfig /all on Windows) from the connected client would be useful to further track down the problem if you can't resolve it.

P.S. You have a .201 alias on the FreeBSD machine. It shouldn't interfere, but I just wanted to make sure you were aware of it and had a reason for it.

/Morgan
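The ping walk Morgan describes, as an added example that is not part of the thread and not Morgan's or Phil's own tooling: it probes the listed addresses in order and stops at the first hop that does not answer, which is the piece of information the list asked for. The "proves" column is my reading of what a reply from each hop establishes, CLIENT_IP defaults to the 10.8.0.6 used above, and the script assumes a ping that accepts -c 1 (FreeBSD, Linux, macOS); none of that is from the original message.

```shell
#!/bin/sh
# Ping walk for the OpenVPN troubleshooting steps in the thread above.
# Added example, not the thread's own tooling. Assumptions (not from the
# thread): CLIENT_IP is the address the VPN client received, "ping -c 1"
# is available, and the "proves" text is my interpretation of each hop.

CLIENT_IP="${CLIENT_IP:-10.8.0.6}"

# Ordered probe list, one "address|what a reply proves" per line.
targets() {
    cat <<EOF
$CLIENT_IP|local tun interface is up and has its address
10.8.0.1|tunnel to the server endpoint works
192.168.1.200|server forwards tunnel traffic to its own LAN address
192.168.1.1|server routes tunnel traffic onto the LAN and the router replies
8.8.8.8|router NATs packets sourced from the tunnel subnet out to the Internet
EOF
}

# One probe per target; kept separate so it can be replaced by a stub.
reachable() {
    ping -c 1 "$1" >/dev/null 2>&1
}

# Prints the first unreachable address on stdout (nothing if every hop
# answered); progress lines go to stderr so the result can be captured.
first_failure() {
    targets | while IFS='|' read -r ip proves; do
        if reachable "$ip"; then
            printf 'ok    %-14s %s\n' "$ip" "$proves" >&2
        else
            printf 'FAIL  %-14s this hop should prove: %s\n' "$ip" "$proves" >&2
            echo "$ip"
            break
        fi
    done
}

# Only send real pings when invoked as:  sh pingwalk.sh run
if [ "${1:-}" = "run" ]; then
    bad=$(first_failure)
    if [ -z "$bad" ]; then
        echo "all targets answered; send netstat -rn and ifconfig -a output next"
    else
        echo "path breaks at $bad; report that address to the list"
        exit 1
    fi
fi
```

Run it from the VPN client with `sh pingwalk.sh run` (set `CLIENT_IP` first if the client got something other than 10.8.0.6). A failure at 8.8.8.8 with everything before it answering is exactly the case where the router's NAT behaviour for the tunnel subnet becomes the open question; a failure earlier points at the tunnel or the FreeBSD box's forwarding instead. On Windows the probe needs `ping -n 1`, and a FreeBSD `ping -c 1` can wait several seconds before giving up on a silent hop.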