From: infoomatic <infoomatic@gmx.at>
To: pf@freebsd.org
Subject: Re: PF: nat on ipsec
Date: Mon, 10 Oct 2022 17:38:47 +0200
Message-ID: <1ba3e340-e204-15b0-d395-a942c97c39f5@gmx.at>
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf

On 10.10.22 17:01, Matthew Grooms wrote:
>
> I'm not sure if I understood all the details here, but: NAT happens on
> egress. For traffic to be processed by IPsec, your traffic must have
> source and destination addresses that match the appropriate IPsec
> policy. Waiting until it's being sent outbound (where NAT occurs) is
> usually too late.
>

Thanks for your response. The source and destination addresses in the
configuration are OK. Every non-IPsec packet coming from OPNsense is
translated as in the pf.conf on the host.
The problem is: as soon as it is an IPsec packet, the host does not
translate it but instead forwards the packet with the original private IP
through the physical interface with the public IP address (which of course
is prohibited by a rule further down in pf.conf). I have tried to add
various nat + rdr rules which explicitly use various protocols from
/etc/protocols, e.g. "proto ipencap", but this does not change the
behaviour. It seems like the host realizes it is an IPsec packet and just
refuses to nat that packet.

Out of curiosity I ordered another hardware host where I installed Linux,
created a VM with OPNsense (with the same config, the only adaptation was
the public IP address in the IPsec configuration) and a client on
OPNsense's LAN interface. I used iptables and it worked as expected ...
every packet on egress is translated to the outgoing IP address.

Best regards,
Robert
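As an added illustration (not part of Robert's message, and not configuration from the FreeBSD or OPNsense projects), this is what explicit pf.conf NAT rules for the IPsec traffic of a VM behind the host look like, using the protocol names pf actually matches on. The interface name, the VM network and the remote peer address are assumed placeholders.

```pf
# Added example, not from the original post. Assumed names and addresses:
ext_if = "em0"            # host interface that holds the public address
vm_net = "10.0.1.0/24"    # network the OPNsense VM sits on (assumed)
peer   = "198.51.100.1"   # remote IPsec gateway (documentation address)

# IPsec on the wire is two flows: IKE on UDP/500, then either ESP
# (IP protocol 50, named "esp" in /etc/protocols) or, with NAT-T,
# ESP encapsulated in UDP/4500. "ipencap" is protocol 4 (IP-in-IP)
# and never matches IPsec packets, so a rule written with it has no effect.
nat on $ext_if proto udp from $vm_net to $peer port { 500, 4500 } -> ($ext_if)
nat on $ext_if proto esp from $vm_net to $peer -> ($ext_if)

# nat rules are applied before the filter rules, so the pass rules below
# see the public source address; a block on untranslated private sources
# further down therefore no longer matches these packets once NAT applies.
pass out on $ext_if proto udp from ($ext_if) to $peer port { 500, 4500 }
pass out on $ext_if proto esp from ($ext_if) to $peer
block out quick on $ext_if from $vm_net to any
```

Two checks narrow down where such a packet is handled. `pfctl -s nat` confirms the translation rules were actually loaded, and `tcpdump -ni em0 'esp or udp port 500 or udp port 4500'` shows which source address the IPsec packets carry when they leave the physical interface. `setkey -DP` lists the host's own IPsec security policies; if the host kernel has a policy covering the VM's addresses, its IPsec stack claims the packet before pf's NAT sees it, which is the situation Matthew describes. One caveat on plain ESP: it carries no port numbers, so pf can only keep state per address pair, and several internal peers talking to the same remote gateway through one public address only work with NAT-T on UDP/4500.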