Date: Tue, 18 Apr 2017 15:17:17 -0400 From: Ultima <ultima1252@gmail.com> To: David Mehler <dave.mehler@gmail.com> Cc: freebsd-questions <freebsd-questions@freebsd.org> Subject: Re: freebsd 10.3, pf, and openvpn Message-ID: <CANJ8om6Aab3tnf%2BVNo1N8owU462XoawbGghJxwA6aH3p9_bLpg@mail.gmail.com> In-Reply-To: <CAPORhP5eEoUC46taW9WKzBoxSEerDp-t0XrH=MPNYE8FNtLXyg@mail.gmail.com> References: <CAPORhP5eEoUC46taW9WKzBoxSEerDp-t0XrH=MPNYE8FNtLXyg@mail.gmail.com>
I didn't have time to read and look through this entire post, but I think I know the issue you're running into and this suggestion should push you in the right direction.

This rule, for example:

    rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port 1194
    rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn port 1194
    # reflect for internal hosts
    rdr on $int_if inet proto udp from any to any port 1194 -> $vpn port 1194
    rdr on $int_if inet proto tcp from any to any port 1194 -> $vpn port 1194

This is probably not giving you the results you desire. Basically, because no from or to IP is specified, ALL (and I quite literally mean ALL) packets using port 1194 are being sent to $vpn port 1194.

Usually you want to make it something like:

    rdr on $ext_if inet proto udp from any to $ext_ip port 1194 -> $vpn port 1194
    rdr on $int_if inet proto udp from any to $int_ip port 1194 -> $vpn port 1194

Now the traffic will be passed only when the packet is going to the host, not all traffic on a specific port.

Another thing you may want to do is combine many of these rules you have:

    rdr on $ext_if inet proto { tcp, udp } to $ext_ip port 1194 -> $vpn port 1194

Also note the above: because we are specifying any for from, we can remove the from rule entirely and make it shorter.

Hope this helps
Ultima
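An added check, not part of the reply above or of FreeBSD's pf, that scans a pf.conf for the pattern the reply warns about: rdr rules with no destination host (written as "to any" or as a bare "to port N"), which redirect every packet on that port crossing the interface rather than only packets addressed to this host. The pf.conf fragment is constructed for the example; the macro names $ext_if, $int_if, $ext_ip and $vpn are the ones used in the thread, and the addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the mail or from pf): flag pf "rdr" rules whose
# destination is unrestricted. Such a rule rewrites every packet on that
# port that crosses the interface, not just packets sent to this host.

# Constructed sample pf.conf fragment with placeholder addresses.
SAMPLE_PF_CONF='ext_if = "em0"
int_if = "em1"
ext_ip = "203.0.113.10"
vpn    = "10.8.0.2"
# too broad: no destination host
rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port 1194
rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn port 1194
# broad in another spelling: destination host omitted entirely
rdr on $int_if inet proto udp to port 1194 -> $vpn port 1194
# scoped to this host: fine
rdr on $ext_if inet proto { tcp, udp } to $ext_ip port 1194 -> $vpn port 1194
pass in on $ext_if inet proto { tcp, udp } to $vpn port 1194
'

# Print each over-broad rdr rule as "<line number>: <rule>".
find_broad_rdr() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        /^[ \t]*rdr([ \t]|$)/ {              # rdr rules only (not rdr-anchor)
            if ($0 ~ /[ \t]to[ \t]+any([ \t]|$)/ ||   # "to any"
                $0 ~ /[ \t]to[ \t]+port[ \t]/ ||      # "to port N", no host
                $0 !~ /[ \t]to[ \t]/)                 # no "to" clause at all
                printf "%d: %s\n", NR, $0
        }'
}

# Number of flagged rules, handy for a pre-load sanity check in a script.
count_broad_rdr() {
    find_broad_rdr "$1" | wc -l | tr -d ' '
}

find_broad_rdr "$SAMPLE_PF_CONF"
```

Note that `pfctl -nf /etc/pf.conf` only parses the file; it accepts both the broad and the scoped rules as valid syntax, so it will not catch this.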