From: Samuel Martín Moro
Date: Thu, 4 Nov 2010 11:15:11 +0100
To: questions@freebsd.org
Subject: openvpn client on pf gateway
Hi,

I'm using a FreeBSD-8.1 (RELEASE, amd64) box as the gateway for my local network, with pf as the firewall.
I'm renting a dedicated box, running openvpn. My gateway is configured as a client of this VPN.
I modified my pf.conf to provide internet to my local network.
I configured iptables on the VPN server (debian-5) to accept everything, and redirect what I needed to.

Everything seems to work... except...
How can I redirect a port through the VPN?

I mean... The problem does not seem to come from the VPN server, as I can access my local gateway from an external server, through the iptables redirection.
But, when I try to access a host behind that gateway, it won't connect...

Here's the pf.conf:

    ext_if="bge0"
    int_if="bge1"
    vpn_if="tun0"
    lc = $int_if:network
    vpn="10.253.254.1"
    emma="10.242.42.200"
    alpha="10.42.42.42"
    delta="10.42.42.44"
    xi="10.42.142.44"

    set skip on lo0

    scrub in on $ext_if all fragment reassemble
    scrub in on $vpn_if all fragment reassemble

    # INTERNETZ
    nat on $ext_if from $lc to any -> ($ext_if)
    nat on $vpn_if from $lc to any -> ($vpn_if)

    rdr on $ext_if inet proto tcp from any to ($ext_if) port 1666 -> $alpha port 1666
    rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 1666 -> $alpha port 1666
    rdr on $ext_if inet proto tcp from any to ($ext_if) port 1667 -> $delta port 22
    rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 1667 -> $delta port 22
    rdr on $ext_if inet proto tcp from any to ($ext_if) port 1668 -> $alpha port 22
    rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 1668 -> $alpha port 22
    rdr on $ext_if inet proto tcp from any to ($ext_if) port 1669 -> $xi port 22
    rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 1669 -> $xi port 22
    rdr on $ext_if inet proto tcp from any to ($ext_if) port 9418 -> $xi port 9418
    rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 9418 -> $xi port 9418

    pass in on $ext_if inet proto tcp from any to $ext_if port 1664
    pass in on $vpn_if inet proto tcp from any to $vpn_if port 1664
    pass in on $int_if inet proto tcp from any to any
    pass in on $int_if inet proto udp from any to any

    block in log on $ext_if inet proto icmp from any to $ext_if
    block in log on $vpn_if inet proto icmp from any to $vpn_if

Every rule for $ext_if is working as expected, so I copied them, replacing my external interface with the vpn one.
ssh from internet to the gateway (1664) works.
But accessing a ssh server behind the gateway (say alpha, 1668) does not...

What am I doing wrong?

Regards,

-- 
Samuel Martín Moro
{EPITECH.} tek5
CamTrace S.A.S
(+033) 1 41 38 37 60
1 Allée de la Venelle
92150 Suresnes
FRANCE

"Nobody wants to say how this works. Maybe nobody knows ..." Xorg.conf(5)
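An added example, not part of the original thread: the symptom above (the gateway itself reachable over tun0, but hosts behind it not) is usually asymmetric routing, since the redirected host's replies follow the gateway's default route out $ext_if instead of going back through the tunnel. This pf.conf fragment reuses the post's macros and assumes $vpn is the OpenVPN peer's address on tun0 (the post defines it but never uses it); it is an assumed fix, not something the poster reported trying.

```pf
# Added example (not from the original post). Macros as in the post; $vpn
# is ASSUMED to be the OpenVPN server's address on the tunnel interface.
ext_if="bge0"
int_if="bge1"
vpn_if="tun0"
vpn="10.253.254.1"
alpha="10.42.42.42"
lc = $int_if:network

# Translation as in the post: VPN-side port 1668 lands on alpha's sshd.
nat on $vpn_if from $lc to any -> ($vpn_if)
rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 1668 -> $alpha port 22

# What the post's ruleset lacks: an explicit pass rule for the redirected
# connection. Filter rules see the already-translated destination ($alpha:22).
# reply-to pins the reply half of this state to tun0 towards the OpenVPN peer,
# so alpha's SYN-ACK does not leave via $ext_if with a 10.x source address
# and get dropped upstream (the "connects to gateway, not to alpha" symptom).
pass in on $vpn_if reply-to ($vpn_if $vpn) inet proto tcp \
    from any to $alpha port 22 keep state

# Check the state table after a connection attempt: the entry for alpha:22
# should show tun0 as the interface, not bge0.
#   pfctl -ss | grep 10.42.42.42:22
```

The same pattern (a pass rule with reply-to per redirected service) applies to the other $vpn_if rdr lines in the post; the $ext_if rules need no change because $ext_if already carries the default route.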