From: Manas Bhatnagar
To: freebsd-pf@freebsd.org
Date: Mon, 8 Dec 2014 23:07:03 -0500
Subject: Re: Forwarding packets generated through a VPN connection to a different subnet
In-Reply-To: <548655C6.3090709@heuristicsystems.com.au>

On Mon, Dec 8, 2014 at 8:52 PM, Dewayne Geraghty <dewayne.geraghty@heuristicsystems.com.au> wrote:
> You shouldn't need a firewall to do nat or redirecting. I suspect that:
> a) the openvpn server isn't set up for forwarding
> b) the clients don't have a correct route established
>
> I'd suggest that you turn off pf, using pfctl -d and watch what happens
> on your em1 interface, as that might also provide a clue (ie tcpdump -ni
> em1 )
>
> If this assists please provide a reply to the mailing list so others may
> benefit. :)
>
> Regards, Dewayne

It is working now. OpenVPN is configured to push the route:

push "route 10.8.1.0 255.255.255.0"

to clients. Gateway is not pushed to the client. The line in PF that works is:

nat on em1 from 10.8.0.0/24 to any -> (em1)

Thanks for the input!

Thanks,
Manas
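
The setup described in this message, written out as a pf.conf fragment. This is an added example, not the poster's actual ruleset: the macro names, the tun0 interface, and the assumption that em1 is attached to 10.8.1.0/24 do not come from the thread. It narrows the NAT destination from "any" to the pushed subnet and adds filter rules to match.

```pf
# Added example. Assumptions (not from the thread): tun0 is the OpenVPN
# interface and em1 is attached to 10.8.1.0/24.
# Forwarding must be enabled on the VPN server for any of this to matter:
#   gateway_enable="YES" in /etc/rc.conf  (sysctl net.inet.ip.forwarding=1)

vpn_if  = "tun0"            # assumed
lan_if  = "em1"             # interface named in the thread
vpn_net = "10.8.0.0/24"     # source network from the working nat rule
lan_net = "10.8.1.0/24"     # network in the pushed route

# Translation rules come before filter rules in pf.conf.
# Rule from the thread:  nat on em1 from 10.8.0.0/24 to any -> (em1)
# Narrower variant: translate only traffic bound for the pushed subnet.
# The parentheses make pf follow em1's current address if it changes.
nat on $lan_if inet from $vpn_net to $lan_net -> ($lan_if)

# Filter rules: the last matching rule wins.
block in log on $vpn_if all
pass in on $vpn_if inet from $vpn_net to $lan_net keep state

# pf translates before it filters on the way out, so this rule sees the
# em1 address as the source, not 10.8.0.x. It is only needed when the
# ruleset blocks outbound traffic by default.
pass out on $lan_if inet from ($lan_if) to $lan_net keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then confirm the translation with `pfctl -s nat` and the `tcpdump -ni em1` suggested in the thread.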