From owner-freebsd-pf@FreeBSD.ORG Fri Feb 24 01:36:36 2006
From: "Travis H." <solinym@gmail.com>
To: "Greg Hennessy"
Cc: freebsd-pf@freebsd.org
Date: Thu, 23 Feb 2006 05:36:51 -0600
Subject: Re: Dirty NAT tricks
In-Reply-To: <000001c637b3$a54b0a70$0a00a8c0@thebeast>
References: <1140612265.5617.25.camel@localhost.localdomain> <000001c637b3$a54b0a70$0a00a8c0@thebeast>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 2/22/06, Greg Hennessy wrote:
> How is this a problem? Surely the default route is through the tunnel
> interface when the tunnel is up?

Yes, but a more-specific route (the locally attached network) takes precedence over the default. And he can't change that or he won't be able to get his packets out of the LAN. His iptables rules change the destination IP temporarily, just for routing purposes.

By the way, if setting up a network with RFC 1918 addresses, I recommend choosing something from within 172.17-31.x.x --- for some reason very few people choose the class B, whereas 10/8 and 192.168.x are much more popular.

OP: As Brian Candler pointed out, you can do this with a binat to a fictitious network on the client, then a binat back on the VPN server. I don't know what he means by "reversing the in/out sense", as binat is bidirectional.

--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
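The binat arrangement the reply describes (each end of the VPN rewrites its own LAN to a fictitious prefix on the tunnel, so the remote LAN is no longer the locally attached, more-specific route), written out as an added pf.conf example. This is not code from the thread or from any of its participants; the interface names, the two overlapping 192.168.1.0/24 LANs and the fictitious 172.20.1.0/24 and 172.20.2.0/24 prefixes are all assumed for illustration.

```conf
# Added example, not from the mailing-list thread. Assumed (constructed) topology:
#   client LAN  192.168.1.0/24 behind $int_if, tunnel on $tun_if
#   server LAN  192.168.1.0/24 (same prefix: the overlap that breaks routing)
# Each side presents its own LAN to the tunnel under a fictitious prefix, so
# client hosts reach server-side hosts as 172.20.2.x and never need a route
# that competes with their own directly connected 192.168.1.0/24.

# ---------- client-side /etc/pf.conf ----------
int_if      = "fxp0"            # assumed LAN interface
tun_if      = "tun0"            # assumed VPN tunnel interface
my_lan      = "192.168.1.0/24"
my_fict     = "172.20.1.0/24"   # how the client LAN appears on the tunnel
remote_fict = "172.20.2.0/24"   # how the server LAN appears on the tunnel

# binat is bidirectional: outbound on the tunnel, source 192.168.1.x becomes
# 172.20.1.x; inbound packets addressed to 172.20.1.x are mapped back to
# 192.168.1.x. The mask of the translation prefix must match the source prefix.
binat on $tun_if from $my_lan to $remote_fict -> $my_fict

# Filter rules see post-translation addresses on the tunnel side.
pass in  on $int_if from $my_lan      to $remote_fict keep state
pass out on $tun_if from $my_fict     to $remote_fict keep state
pass in  on $tun_if from $remote_fict to $my_lan      keep state

# Kernel routing (outside pf), assumed command for the client:
#   route add -net 172.20.2.0/24 -iface tun0
# 172.20.2.0/24 is not a connected network, so nothing more specific shadows it.

# ---------- VPN-server-side /etc/pf.conf (mirror image) ----------
# int_if      = "em0"
# tun_if      = "tun0"
# my_lan      = "192.168.1.0/24"
# my_fict     = "172.20.2.0/24"   # server LAN as seen on the tunnel
# remote_fict = "172.20.1.0/24"   # client LAN as seen on the tunnel
# binat on $tun_if from $my_lan to $remote_fict -> $my_fict
# pass in  on $int_if from $my_lan      to $remote_fict keep state
# pass out on $tun_if from $my_fict     to $remote_fict keep state
# pass in  on $tun_if from $remote_fict to $my_lan      keep state
#   route add -net 172.20.1.0/24 -iface tun0
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading. Both ends must agree on the fictitious prefixes, and binat rewrites IP headers only: protocols that carry addresses in their payload (FTP, SIP, DNS answers for hosts behind the far end) will still hand out 192.168.1.x and need a proxy or separate handling.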