From: infoomatic
To: freebsd-pf@FreeBSD.org
Date: Mon, 10 Oct 2022 09:04:34 +0200
Subject: PF: nat on ipsec
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
Hi guys,

hope someone can help me with my problem trying to NAT ipsec.

The setup: I use a FreeBSD host with an opnsense VM and a vnet jail. The host uses em0 as the external interface, one bridge with an ipv4 address and a tap interface to connect opnsense, and one bridge without an ipv4 address with the tap of opnsense + the epair of the jail to connect those two. Opnsense is doing ipsec (strongswan) to our AWS infrastructure, the jail is simulating a client on the "LAN" interface of opnsense. NAT on the host is set up with pf and works as expected except for ipsec: outgoing tcp/udp packets from the jail pass through opnsense, get natted and then pass the host where they again get natted.
The outgoing rules on the host:

  nat pass on em0 proto udp from 192.168.251.100 to any -> $ip_out
  nat pass on em0 proto tcp from 192.168.251.100 to any -> $ip_out

The incoming rules redirecting ipsec traffic to opnsense:

  rdr pass proto udp to $ip_out port 4500 -> 192.168.251.100
  rdr pass proto udp to $ip_out port 500 -> 192.168.251.100

On the host, I can see that pf is not translating the packets; using tcpdump on pflog0 shows me:

  00:00:08.270916 rule 22/0(match): block out on em0: 192.168.251.100.4500 > 3.123.51.34.4500: UDP-encap: ESP(spi=0xc1de5460,seq=0xa1), length 1272
  00:00:00.000010 rule 22/0(match): block out on em0: 192.168.251.100 > 3.123.51.34: ip-proto-17

where 3.123.51.34 is the ipsec endpoint on the AWS side. Every other packet outgoing from the jail of course shows the external ipv4 address; however, as you can see above, ipsec traffic does not get translated, packets try to pass the host's em0 interface with the internal ipv4 address of the opnsense "WAN" interface.

I hope there is a solution I have not found to this strange problem, any advice highly appreciated.

Thanks!

Best regards,
Robert

[1] posted this + graphics already to: https://forums.freebsd.org/threads/pf-nating-ipsec.86692/
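The following pf.conf fragment is an added example for the setup described in the post, not Robert's actual configuration and not a confirmed fix for his problem. It shows the translation and filter rules a FreeBSD host in front of an IPsec gateway usually needs: the post's nat rules cover only tcp and udp, so ESP (IP protocol 50, which has no ports) is never matched by them, and the second pflog line, a protocol-17 packet printed without ports, is what a tail fragment of a large ESP-in-UDP datagram looks like, which is why fragment reassembly is switched on before the rules run. The interface em0, the gateway address 192.168.251.100 and the ports 500/4500 come from the post; the public address and the macro names are assumptions.

```pf
# Added example pf.conf for a FreeBSD host NATing an IPsec gateway behind it.
# Not the original poster's configuration; addresses marked "assumed" are made up.
ext_if   = "em0"
ip_out   = "203.0.113.10"       # assumed public address of the host (TEST-NET-3)
ipsec_gw = "192.168.251.100"    # the opnsense "WAN" address from the post

# Reassemble fragments before the rules see them. A large ESP-in-UDP datagram
# arrives as a first fragment carrying the UDP header plus tail fragments that
# carry none, and rules matching on ports only see the first one.
scrub in all fragment reassemble

# Outbound translation. IKE (udp/500) and NAT-T (udp/4500) have ports, ESP does
# not, so a rule limited to "proto udp" never translates it; list esp as well.
# Plain "nat" (no "pass") translates and then lets the filter rules decide,
# so a blocked packet still shows up in pflog with its translated address.
nat on $ext_if proto { udp, esp } from $ipsec_gw to any -> $ip_out

# Inbound redirection of IKE, NAT-T and raw ESP to the gateway. ESP has no port
# to multiplex on, so only one inside host can receive ESP this way.
rdr on $ext_if proto udp from any to $ip_out port { 500, 4500 } -> $ipsec_gw
rdr on $ext_if proto esp from any to $ip_out -> $ipsec_gw

# Filter rules. Translation happens before filtering, so these must match the
# translated addresses: $ip_out as source on the way out, $ipsec_gw as
# destination on the way in. pf keeps state for pass rules by default.
block log all
pass out on $ext_if proto udp from $ip_out to any port { 500, 4500 }
pass out on $ext_if proto esp from $ip_out to any
pass in on $ext_if proto udp from any to $ipsec_gw port { 500, 4500 }
pass in on $ext_if proto esp from any to $ipsec_gw
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and after loading compare `pfctl -s nat` with what `tcpdump -n -e -ttt -i pflog0` logs: an entry that still leaves em0 with the 192.168.251.x source means no translation rule matched, and `pfctl -s state | grep 4500` shows whether a NAT-T state exists and which addresses it was created with.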