From: krad
To: Samuel Martín Moro
Cc: questions@freebsd.org
Date: Thu, 4 Nov 2010 14:12:54 +0000
Subject: Re: openvpn client on pf gateway
List: freebsd-questions@freebsd.org
On 4 November 2010 10:15, Samuel Martín Moro wrote:
> Hi,
>
> I'm using a FreeBSD-8.1 (RELEASE, amd64) as gateway for my local network,
> and pf as firewall.
>
> I'm renting a dedicated box, running openvpn.
> My gateway is configured as a client of this VPN.
> I modified my pf.conf to provide internet to my local network.
> I configured iptables on the VPN server (debian-5) to accept everything, and
> redirect what I needed to.
>
> Everything seems to work... except...
>
> How can I redirect a port through the VPN?
> I mean...
> The problem does not seem to come from the VPN server, as I can access my
> local gateway from an external server, through the iptables redirection.
> But, when I try to access a host behind that gateway, it won't connect...
>
> Here's the pf.conf:
>
> ext_if="bge0"
> int_if="bge1"
> vpn_if="tun0"
>
> lc = $int_if:network
> vpn="10.253.254.1"
> emma="10.242.42.200"
> alpha="10.42.42.42"
> delta="10.42.42.44"
> xi="10.42.142.44"
>
> set skip on lo0
> scrub in on $ext_if all fragment reassemble
> scrub in on $vpn_if all fragment reassemble
> # INTERNETZ
> nat on $ext_if from $lc to any -> ($ext_if)
> nat on $vpn_if from $lc to any -> ($vpn_if)
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 1666 -> $alpha port 1666
> rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 1666 -> $alpha port 1666
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 1667 -> $delta port 22
> rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 1667 -> $delta port 22
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 1668 -> $alpha port 22
> rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 1668 -> $alpha port 22
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 1669 -> $xi port 22
> rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 1669 -> $xi port 22
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 9418 -> $xi port 9418
> rdr on $vpn_if inet proto tcp from any to ($vpn_if) port 9418 -> $xi port 9418
> pass in on $ext_if inet proto tcp from any to $ext_if port 1664
> pass in on $vpn_if inet proto tcp from any to $vpn_if port 1664
> pass in on $int_if inet proto tcp from any to any
> pass in on $int_if inet proto udp from any to any
> block in log on $ext_if inet proto icmp from any to $ext_if
> block in log on $vpn_if inet proto icmp from any to $vpn_if
>
> Every rule for $ext_if is working as expected,
> so I copied them, replacing my external interface by the VPN one.
> ssh from internet to the gateway (1664) works,
> but accessing a ssh server behind the gateway (say alpha, 1668) does not...
>
> What am I doing wrong?
>
> Regards,
>
> --
> Samuel Martín Moro
> {EPITECH.} tek5
> CamTrace S.A.S
> (+033) 1 41 38 37 60
> 1 Allée de la Venelle
> 92150 Suresnes
> FRANCE
>
> "Nobody wants to say how this works.
> Maybe nobody knows ..."
> Xorg.conf(5)

I'm not sure if I understand you correctly, but are you trying to forward
ports from your colo rented machine to boxes on your LAN via the OpenVPN
connection?

If you are, and this is where the problem is, you probably need to be natting
on the colo box's VPN interface (tun0). So you will need some iptables config.
Doing this avoids the asymmetric routing and natting issue you will be getting.

Basically, if a packet enters your colo box (dst IP A) from client (B), your
colo box will forward it down the tunnel to host C on a private IP. This will
respond, and create a packet to go to B.
However, this packet will have a public IP as a destination, so when it hits
your pf firewall it will probably get routed out of the default route, and not
the VPN interface. As it's not a TCP SYN it will most probably be dropped by
pf. However, if it isn't, it will be natted to the public IP of your pf box.
This is a problem, as this source address isn't the same as the destination
address of the initial packet generated by the client B. Therefore when it
actually gets to the client it will just be dropped.

Natting on the colo box's VPN interface sorts all this out for you.
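As an added illustration (not from the thread), this is the iptables configuration krad is describing for the colo box: DNAT the public port down the tunnel, and NAT on tun0 so the LAN host sees the tunnel as the source and its reply comes back through the VPN instead of leaving the pf gateway via the default route. The public interface name eth0 is an assumption; the ports and LAN hosts are taken from Samuel's pf.conf. The script prints the rules by default and applies them only when run with the argument `apply`.

```shell
#!/bin/sh
# Added example for the colo (Debian) box; not code from the thread.
# Assumptions: public interface eth0, OpenVPN interface tun0.
# Forward table (public_port lan_host lan_port) comes from the quoted pf.conf.
set -eu

WAN_IF=eth0   # assumed public interface on the colo box
VPN_IF=tun0   # OpenVPN interface on the colo box

FORWARDS='1666 10.42.42.42 1666
1667 10.42.42.44 22
1668 10.42.42.42 22
1669 10.42.142.44 22
9418 10.42.142.44 9418'

# Rules for one forward.
# The PREROUTING DNAT alone is the asker's broken setup: the LAN host answers
# to the client's public IP, which the pf gateway routes out bge0, not tun0.
# The POSTROUTING MASQUERADE on tun0 is the fix: the LAN host sees the tunnel
# address as the source, so the reply re-enters the tunnel and the colo box
# un-NATs it toward the original client. Trade-off: the LAN host's sshd logs
# show the tunnel address instead of the real client.
rules_for() {
  pub=$1; host=$2; port=$3
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$WAN_IF" "$pub" "$host" "$port"
  printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -j ACCEPT\n' \
    "$WAN_IF" "$VPN_IF" "$host" "$port"
  printf 'iptables -t nat -A POSTROUTING -o %s -p tcp -d %s --dport %s -j MASQUERADE\n' \
    "$VPN_IF" "$host" "$port"
}

# Whole rule set; the first rule lets the replies back through FORWARD.
render_rules() {
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "$FORWARDS" | while read -r pub host port; do
    rules_for "$pub" "$host" "$port"
  done
}

# Print by default; apply only when explicitly asked (needs root on the colo box).
case "${1:-print}" in
  apply) render_rules | sh -e ;;
  *)     render_rules ;;
esac
```

The pf gateway needs no change for this to work, because the return traffic now arrives on tun0 addressed to the tunnel peer; the pf-side alternative that preserves the client's address is the `reply-to` option on the pass rule for $vpn_if, which forces replies to those states back out the tunnel.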