From: "Felix J. Ogris"
To: Zeus Panchenko
Cc: freebsd-pf@freebsd.org
Subject: Re: nat lan to tun (nat before vpn)
Date: Mon, 21 Jul 2014 11:18:45 +0200
Message-Id: <833017AA-8EF0-4FE1-88CA-F8CCF5B9FEDA@ogris.de>
In-Reply-To: <20140721114257.7299@smtp.new-ukraine.org>

On 21 Jul 2014, at 10:42, Zeus Panchenko wrote:

> hi,
>
> just stumbled on the subject ... please, may somebody advise what am
> I missing?

Is net.inet.ip.forwarding set to 1?
> I have:
>
> FreeBSD 10.0-STABLE #0 r261303
>
> BoxA:
> LAN: 192.168.0.1/24
> TUN (OpenVPN): 172.16.10.1
>
> with route to 172.16/12 set via tun
>
> BoxB:
> LAN: 192.168.0.2/24
>
> with route to 172.16/12 set via boxA lan
>
> I need:
> to give access to 172.16/12 for boxB via nat on boxA
>
> in boxA pf.conf:
>
> nat on tun1 from 192.168.0.2 to 172.16/12 -> 172.16.10.1
> pass in log on tun1

Should be "pass out" or just "pass".

Is the OpenVPN tunnel up? Do you have a rule on the underlying interface to pass out udp to port 1194?

> pass in log (all) on $if_lan inet proto { tcp udp } from 192.168.0.2
>
> when I spawn traffic to 172.16/12 from boxB I can see packets on lan
> boxA but nothing is on boxA tun ...
>
> so, can I do that this way or do I need something yet? is it the nat-before-vpn
> case which is not implemented in FreeBSD pf yet (at least it was so)?
>
> --
> Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
> IT Dpt., I.B.S. LLC GMT+2 (EET)
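The three points raised in the reply (IP forwarding enabled on boxA, "pass out" rather than "pass in" on tun1, and a rule letting the OpenVPN transport leave the underlying interface) fit together in one boxA ruleset as follows. This is an added example, not Zeus's actual pf.conf or Felix's; the addresses and the tun1 name come from the thread, while the interface names em0 (underlay) and em1 (LAN), the macro names, and UDP port 1194 as the OpenVPN port are assumptions. It uses the pre-4.7 pf syntax (separate nat rules) that FreeBSD 10 ships with, matching the syntax in the original post.

```pf
# Added example pf.conf for boxA (not from the thread).
# Assumed interface names: em0 is the underlay/WAN interface carrying the
# OpenVPN UDP session, em1 is the LAN, tun1 is the OpenVPN tunnel.
if_wan     = "em0"
if_lan     = "em1"
if_vpn     = "tun1"
lan_client = "192.168.0.2"
vpn_net    = "172.16.0.0/12"
vpn_local  = "172.16.10.1"
ovpn_port  = "1194"          # assumed OpenVPN port

# Source-NAT boxB's traffic to the VPN network onto the tunnel's local
# address. nat applies as the packet leaves tun1, i.e. before OpenVPN
# encrypts it, so the far side only ever sees 172.16.10.1 ("nat before vpn").
nat on $if_vpn from $lan_client to $vpn_net -> $vpn_local

# Forwarded traffic from boxB arrives on the LAN interface ...
pass in log on $if_lan inet proto { tcp udp } from $lan_client to $vpn_net

# ... and leaves boxA on the tunnel. The NATed packets are outbound on tun1,
# so this must be "pass out" (or direction-less "pass"), not "pass in".
pass out log on $if_vpn inet from $vpn_local to $vpn_net

# The tunnel itself rides on UDP over the underlay interface; without this
# rule OpenVPN cannot establish the tunnel and nothing will ever show on tun1.
pass out on $if_wan inet proto udp from ($if_wan) to port $ovpn_port
```

Enable forwarding with `sysctl net.inet.ip.forwarding=1` (persistently via `gateway_enable="YES"` in /etc/rc.conf), check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and confirm the path with `tcpdump -ni tun1` on boxA while boxB generates traffic: with NAT working, the packets on tun1 should carry source 172.16.10.1, and `pfctl -ss` should show the corresponding states on both em1 and tun1.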