From: Phil Staub
Date: Mon, 11 Nov 2019 20:49:25 -0500
Subject: Fwd: Fwd: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"

---------- Forwarded message ---------
From: Phil Staub
Date: Mon, Nov 11, 2019 at 8:47 PM
Subject: Re: Fwd: NAT for use with OpenVPN
To: Morgan Wesström

On Mon, Nov 11, 2019 at 5:15 PM Morgan Wesström <freebsd-database@pp.dyndns.biz> wrote:

> Phil,
>
> I did some more testing in my own environment and you should be able to
> ping the following addresses from your connected client. It probably
> breaks down at some point and you need to tell me where:
>
> 10.8.0.6 (or whatever ip your vpn client receives)
> 10.8.0.1 (server endpoint of vpn tunnel)
> 192.168.1.200 (your FreeBSD LAN address)
> 192.168.1.1 (LAN side of your router)

This was very much along the lines of what I had already planned to try.
I also pinged my public IP address 67.175.144.37.

> Next ping test would be an address on the Internet like google.dns
> (8.8.8.8).

This is the ONLY ping that fails. :-(

> Looking at the Netgear support forums, some people claim Netgear routers
> only do NAT for the subnet on its LAN interface while others claim it
> does NAT for any subnet. I checked the manual for your router but it
> doesn't explicitly say anything on this matter so this is still an unknown.

I've spent a little time trying to find out how to get a routing table
from the router. I haven't had a lot of time to look, but I'm going to
look a little more after what I've found so far.

> We didn't discuss the client side config. I will show you mine below
> with the server address obfuscated. You need to replace it with your
> router WAN ip.
>
> client
> dev tun
> proto udp
> remote ***.***.***.*** 1194
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> ca ca.crt
> cert client1.crt
> key client1.key
> ns-cert-type server
> verb 4

My client side configs are very similar. I think the only differences
are irrelevant or necessitated by the server-side config (cipher option).

> netstat -rn and ifconfig -a (ipconfig /all on Windows) from the
> connected client would be useful to further track down the problem if
> you can't resolve it.

I'm not a Windows fan, but since I have a Win10 laptop I use for stuff
that only runs on Windows, I'll hold my nose and try some troubleshooting
from there. :-(

Here is the Windows ipconfig:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Han
   Primary Dns Suffix  . . . . . . . : staub.us
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : staub.us

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : D0-17-C2-0B-E3-28
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Unknown adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-A2-CF-90-6F
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::641d:f1e3:ff36:891e%14(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.8.0.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : Monday, November 11, 2019 7:31:43 PM
   Lease Expires . . . . . . . . . . : Tuesday, November 10, 2020 7:31:42 PM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.8.0.6
   DHCPv6 IAID . . . . . . . . . . . : 318832546
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-DF-60-8C-D0-17-C2-0B-E3-28
   DNS Servers . . . . . . . . . . . : 1.1.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Local Area Connection* 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 48-45-20-50-78-AB
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 13:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
   Physical Address. . . . . . . . . : 4A-45-20-50-78-AA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 7265
   Physical Address. . . . . . . . . : 48-45-20-50-78-AA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1002:e557:a388:1315%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, November 10, 2019 11:06:24 PM
   Lease Expires . . . . . . . . . . : Tuesday, November 12, 2019 11:06:23 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 38290720
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-DF-60-8C-D0-17-C2-0B-E3-28
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

(I notice there is no default gateway specified for the TUN interface.
I'll have to look into that.)

And the routing table:

===========================================================================
Interface List
 18...d0 17 c2 0b e3 28 ......Realtek PCIe GBE Family Controller
 14...00 ff a2 cf 90 6f ......TAP-Windows Adapter V9
 15...48 45 20 50 78 ab ......Microsoft Wi-Fi Direct Virtual Adapter
  9...4a 45 20 50 78 aa ......Microsoft Wi-Fi Direct Virtual Adapter #2
 13...48 45 20 50 78 aa ......Intel(R) Dual Band Wireless-AC 7265
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.5     35
          0.0.0.0        128.0.0.0         10.8.0.6         10.8.0.5    281
         10.8.0.1  255.255.255.255         10.8.0.6         10.8.0.5    281
         10.8.0.4  255.255.255.252         On-link          10.8.0.5    281
         10.8.0.5  255.255.255.255         On-link          10.8.0.5    281
         10.8.0.7  255.255.255.255         On-link          10.8.0.5    281
    67.175.144.37  255.255.255.255      192.168.1.1      192.168.1.5    291
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
        128.0.0.0        128.0.0.0         10.8.0.6         10.8.0.5    281
      192.168.1.0    255.255.255.0         On-link       192.168.1.5    291
      192.168.1.0    255.255.255.0         10.8.0.6         10.8.0.5    281
      192.168.1.5  255.255.255.255         On-link       192.168.1.5    291
    192.168.1.255  255.255.255.255         On-link       192.168.1.5    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link          10.8.0.5    281
        224.0.0.0        240.0.0.0         On-link       192.168.1.5    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link          10.8.0.5    281
  255.255.255.255  255.255.255.255         On-link       192.168.1.5    291
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
 14    281 fe80::/64                On-link
 13    291 fe80::/64                On-link
 13    291 fe80::1002:e557:a388:1315/128
                                    On-link
 14    281 fe80::641d:f1e3:ff36:891e/128
                                    On-link
  1    331 ff00::/8                 On-link
 14    281 ff00::/8                 On-link
 13    291 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

> P.S. You have a .201 alias on the FreeBSD machine. It shouldn't
> interfere but I just wanted to make sure you were aware of it and had a
> reason for it.
>
> /Morgan

Yes, it's known and I was wondering if YOU would be wondering about it.
I have a PLEX server running in a jail on the same machine the OpenVPN
server is on, and that is the .201 address. Once I get things working on
the non-jail version, I'll build another jail for the OpenVPN process.

I'll update when I have more info about the router's routing table and
the default gateway.

Thanks,
Phil

_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
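An added example, not part of the thread: a route lookup (longest prefix first, then lowest metric, which is how the Windows IPv4 stack picks among the routes shown) run over the IPv4 table Phil posted, to see which of the tested destinations actually enter the tunnel. It shows that 8.8.8.8, 192.168.1.1 and 192.168.1.200 are all sent to the tunnel gateway 10.8.0.6, while the public address 67.175.144.37 matches the /32 host route via 192.168.1.1 and so never traverses the tunnel.

```python
import ipaddress

# Constructed from the IPv4 route table in the message above (route print
# format): (destination, netmask, gateway, interface, metric).
# "On-link" means the destination is directly attached to the interface.
ROUTES = [
    ("0.0.0.0",       "0.0.0.0",         "192.168.1.1", "192.168.1.5", 35),
    ("0.0.0.0",       "128.0.0.0",       "10.8.0.6",    "10.8.0.5",    281),
    ("10.8.0.1",      "255.255.255.255", "10.8.0.6",    "10.8.0.5",    281),
    ("10.8.0.4",      "255.255.255.252", "On-link",     "10.8.0.5",    281),
    ("67.175.144.37", "255.255.255.255", "192.168.1.1", "192.168.1.5", 291),
    ("128.0.0.0",     "128.0.0.0",       "10.8.0.6",    "10.8.0.5",    281),
    ("192.168.1.0",   "255.255.255.0",   "On-link",     "192.168.1.5", 291),
    ("192.168.1.0",   "255.255.255.0",   "10.8.0.6",    "10.8.0.5",    281),
]


def lookup(dst):
    """Return (gateway, interface) chosen for dst from ROUTES.

    The most specific (longest) matching prefix wins; among routes with the
    same prefix length the lowest metric wins. This is why the pushed
    192.168.1.0/24 route (metric 281) beats the on-link /24 (metric 291).
    """
    addr = ipaddress.IPv4Address(dst)
    best = None
    for dest, mask, gw, iface, metric in ROUTES:
        net = ipaddress.IPv4Network((dest, mask))
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)   # higher tuple = preferred route
        if best is None or key > best[0]:
            best = (key, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def via_tunnel(dst):
    """True if packets to dst leave through the TAP adapter (10.8.0.5)."""
    return lookup(dst)[1] == "10.8.0.5"


if __name__ == "__main__":
    for target in ("10.8.0.1", "192.168.1.200", "192.168.1.1",
                   "67.175.144.37", "8.8.8.8"):
        gw, iface = lookup(target)
        print(f"{target:>15} -> gateway {gw:<12} if {iface:<12} "
              f"tunnel={via_tunnel(target)}")
```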