From owner-freebsd-pf@FreeBSD.ORG Tue Dec 9 01:01:29 2014
Date: Mon, 8 Dec 2014 20:01:27 -0500
Subject: Forwarding packets generated through a VPN connection to a different subnet
From: Manas Bhatnagar
To: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"
Hello,

I have an OpenVPN server that is configured to hand out IP addresses on the 10.8.0.0/24 network; it creates a tun0 device. I also have an interface on the machine that is configured with the IP 10.8.1.11; this is on the em1 interface. I am able to ping other machines on the 10.8.1.0/24 network from the machine. However, as an OpenVPN client, when I try to ping any address on the 10.8.1.0/24 network other than 10.8.1.11, I do not receive a response.

My attempt at making this work was through using NAT with PF. This is the line in my /etc/pf.conf:

    nat on tun0 from 10.8.0.0/24 to 10.8.1.0/24 -> (em1)

When I run tcpdump -i tun0 on the machine I see the ICMP packets being generated by the OpenVPN client. But when I check the traffic on em1 with tcpdump, the source address is still in the 10.8.0.0/24 range.

I have also tried the following pf.conf:

    rdr on tun0 from 10.8.0.0/24 to 10.8.1.0/24 -> (em1)
    nat on em1 from 10.8.0.0/24 to 10.8.1.0/24 -> (em1)
    rdr on em1 from 10.8.1.0/24 to 10.8.0.0/24 -> (tun0)

with the same results. Please let me know how this can be configured. This is on 10.1-RELEASE.

Thanks,
Manas
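An added example for the setup described in this message; it is neither the poster's own configuration nor a reply from the list. It assumes tun0 is the OpenVPN interface carrying 10.8.0.0/24, em1 is the LAN interface holding 10.8.1.11/24, the FreeBSD 10.1 pf syntax with a separate translation section ahead of the filter rules, and that IP forwarding is enabled on the box. Two pf semantics shape it: a nat rule translates packets as they leave the interface it names, so traffic that arrives on tun0 and exits on em1 is translated by a rule on em1; an rdr rule rewrites the destination of packets arriving on the interface it names, which is not what a LAN-bound packet needs.

```pf
# Added example, not the poster's /etc/pf.conf. Assumptions: em1 = LAN side
# (10.8.1.11/24), tun0 = OpenVPN side (10.8.0.0/24), forwarding enabled with
#   sysctl net.inet.ip.forwarding=1        (persist: gateway_enable="YES" in /etc/rc.conf)
# These lines slot into an existing ruleset; translation rules must come
# before filter rules in this pf syntax.
vpn_if  = "tun0"
lan_if  = "em1"
vpn_net = "10.8.0.0/24"
lan_net = "10.8.1.0/24"

# Translation. nat is evaluated for packets LEAVING the named interface.
# VPN-client packets enter on tun0 and exit on em1, so em1 is where the
# source address becomes em1's address. No rdr rules: rdr rewrites the
# destination, which would steer LAN-bound packets to the host itself.
nat on $lan_if from $vpn_net to $lan_net -> ($lan_if)

# Filtering. The inbound pass on tun0 creates state for the client's flow;
# the outbound pass on em1 creates the translated state, and the LAN host's
# reply (addressed to 10.8.1.11) matches that state and is un-translated on
# its way back through tun0.
pass in  quick on $vpn_if inet from $vpn_net to $lan_net keep state
pass out quick on $lan_if inet from $vpn_net to $lan_net keep state

# Verification after loading:
#   pfctl -nf /etc/pf.conf     # syntax check without loading
#   pfctl -s nat               # the nat rule should be listed on em1
#   pfctl -s state             # one state on tun0, one translated state on em1
#   tcpdump -ni em1 icmp       # source should now read 10.8.1.11, not 10.8.0.x
```

Two points a practitioner would want beside this. First, if `tcpdump -ni em1` shows nothing at all for a client's ping, the packet never reached the outbound side, which points at forwarding being off or an earlier block rule, not at the translation rule. Second, NAT hides which VPN client originated a connection from the LAN hosts' own logs; an alternative that keeps that visibility is to not translate at all and instead give the LAN hosts (or their default gateway) a route for 10.8.0.0/24 via 10.8.1.11, keeping the two pass rules above so pf still tracks the flows.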