From: "Zeus Panchenko"
To: freebsd-pf@freebsd.org
Date: Fri, 27 Dec 2013 09:22:01 +0200
Subject: Re: nat before ipsec ...
In-reply-to: Your message of Wed, 25 Dec 2013 20:09:50 +0200 <20131225200950.21787@relay.ibs.dn.ua>
Message-ID: <20131227092201.7029@relay.ibs.dn.ua>

> target <-> world <--> em0 - freebsd - vlanA <--> LAN
>                              ^  ^                net A
>                              |  |
>           +- netC -.-.-.-.- IPSec -.-.-.-.- net B -+
> ...
> where:
> A1 is some address from net A
> B2 is some address from net B
> C3 is some address from net C
>
> I can see incoming packets from A1 to C3 on interface vlanA, but after
> that the packets "disappear": I cannot find them on any other interface, and
> there are no return packets.

Finally I was able to get the packets redirected (actually after a pf
restart, not just a reload), and now I have A1 packets going to C3 on vlanA:

# tcpdump -ni tun10 host C3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun10, link-type NULL (BSD loopback), capture size 65535 bytes
07:10:57.641536 IP A1 > C3: ICMP echo request, id 59179, seq 8913, length 64
07:10:58.641467 IP A1 > C3: ICMP echo request, id 59179, seq 8914, length 64
07:10:59.641882 IP A1 > C3: ICMP echo request, id 59179, seq 8915, length 64

and further on I can see them on the interface IPSec is configured on:

# tcpdump -ni em1 host C3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
07:12:28.638456 IP A1 > C3: ICMP echo request, id 59179, seq 9004, length 64
07:12:29.636961 IP A1 > C3: ICMP echo request, id 59179, seq 9005, length 64
07:12:30.637647 IP A1 > C3: ICMP echo request, id 59179, seq 9006, length 64

but these packets *do not pass through the NAT* ...

In pf.conf I do:

rdr pass on $if_vpn from A1 to C -> $target-side-of-ipsec
binat on $if_vpn from A1 to C3 -> B2

and net.inet.ipsec.filtertunnel is set to 1.

Is the URL below the answer?

http://forum.pfsense.org/index.php/topic,49800.msg265106.html#msg265106

-- 
Zeus V. Panchenko                                   jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC                                 GMT+2 (EET)
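An added check, not part of this thread or of pf itself: a small Python script that parses tcpdump lines like the ones above from the interface before the NAT point and the interface after it, pairs echo requests by ICMP id and sequence number, and reports for each whether the binat rule rewrote the source as expected. The capture lines and addresses are constructed; RFC 5737 documentation addresses stand in for A1, B2 and C3.

```python
import re

# Regex for the ICMP echo request lines tcpdump prints with -n.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)

def parse_capture(text):
    """Map (icmp id, seq) -> (src, dst) for every echo request in a capture."""
    flows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # the "listening on ..." banner and other lines simply do not match
            flows[(int(m["id"]), int(m["seq"]))] = (m["src"], m["dst"])
    return flows

def check_binat(inside_text, outside_text, binat):
    """Classify each echo request seen before the NAT point by what the
    outside capture shows: 'translated', 'untranslated' or 'missing'.
    binat maps inside source -> expected outside source (A1 -> B2)."""
    inside, outside = parse_capture(inside_text), parse_capture(outside_text)
    result = {}
    for key, (src, dst) in inside.items():
        if key not in outside:
            result[key] = "missing"        # never reached the outer interface
        elif outside[key] == (binat.get(src), dst):
            result[key] = "translated"     # pf rewrote the source as the rule says
        else:
            result[key] = "untranslated"   # forwarded with the original source
    return result

# Constructed sample captures; RFC 5737 addresses stand in for A1, B2 and C3.
A1, B2, C3 = "192.0.2.10", "198.51.100.2", "203.0.113.3"
TUN10 = f"""listening on tun10, link-type NULL (BSD loopback), capture size 65535 bytes
07:10:57.641536 IP {A1} > {C3}: ICMP echo request, id 59179, seq 8913, length 64
07:10:58.641467 IP {A1} > {C3}: ICMP echo request, id 59179, seq 8914, length 64
07:10:59.641882 IP {A1} > {C3}: ICMP echo request, id 59179, seq 8915, length 64
"""
EM1 = f"""listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
07:10:57.641700 IP {A1} > {C3}: ICMP echo request, id 59179, seq 8913, length 64
07:10:58.641600 IP {B2} > {C3}: ICMP echo request, id 59179, seq 8914, length 64
"""

if __name__ == "__main__":
    for (icmp_id, seq), verdict in sorted(check_binat(TUN10, EM1, {A1: B2}).items()):
        print(f"id {icmp_id} seq {seq}: {verdict}")
```

In the thread's own captures every request on em1 still carries the A1 source, so this check would report all of them as untranslated.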