From owner-freebsd-net@FreeBSD.ORG Mon Mar 6 15:01:44 2006
X-Original-To: freebsd-net@FreeBSD.org
Delivered-To: freebsd-net@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4CD6016A420 for ; Mon, 6 Mar 2006 15:01:44 +0000 (GMT) (envelope-from tiagocruz@b4br.net)
Received: from vader.b4br.net (vader.b4br.net [200.152.202.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id A20F343D4C for ; Mon, 6 Mar 2006 15:01:42 +0000 (GMT) (envelope-from tiagocruz@b4br.net)
Received: from localhost (localhost.b4br.net [127.0.0.1]) by vader.b4br.net (Postfix) with ESMTP id BFA5618175D; Mon, 6 Mar 2006 12:00:58 -0300 (BRT)
Received: from vader.b4br.net ([127.0.0.1]) by localhost (vader.b4br.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 17431-07-2; Mon, 6 Mar 2006 12:00:54 -0300 (BRT)
Received: from tuxkiller.matter.b4br.net (yoda.b4br.net [200.152.202.10]) by vader.b4br.net (Postfix) with ESMTP id 335E0181759; Mon, 6 Mar 2006 12:00:51 -0300 (BRT)
From: Tiago Cruz
To: "freebsd-net@FreeBSD.org", Brian Candler
In-Reply-To: <20060201134633.GB78696@uk.tiscali.com>
References: <1138387362.4742.9.camel@localhost.localdomain> <43DA6C6A.7050701@elischer.org> <1138390041.4742.19.camel@localhost.localdomain> <43DA8E70.2070804@elischer.org> <1138621574.18130.26.camel@localhost.localdomain> <43DE6030.4090702@elischer.org> <20060131123042.GA74812@uk.tiscali.com> <1138713557.25466.4.camel@localhost.localdomain> <43DFCBBC.7000206@elischer.org> <20060201134633.GB78696@uk.tiscali.com>
Content-Type: text/plain
Date: Mon, 06 Mar 2006 12:01:34 -0300
Message-Id: <1141657294.25455.38.camel@localhost.localdomain>
Mime-Version: 1.0
X-Mailer: Evolution 2.4.2.1
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: amavisd-new at b4br.net
Subject: Re: Network client is the same from server
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 06 Mar 2006 15:01:44 -0000

Hello all,

I have some news about this subject:

On Wed, 2006-02-01 at 13:46 +0000, Brian Candler wrote:
> After:
>
>   192.168.0.0/24                                      192.168.0.0/24
> ------+---------- GW1 -------------------- GW2 -----+-----------
>       |          [nat1]                   [nat2]    |
>       X                                             Y
>
> In this example, the sense of 'inbound' and 'outbound' is wrong for each
> natd, which you might be able to fix using -reverse on both of them.
>
> Or:
>
>   192.168.0.0/24                                      192.168.0.0/24
> ------+---------- GW1 -------------------- GW2 -----+-----------
>       |          [nat2]                   [nat1]    |
>       X                                             Y
>
> Here the in/out sense is the same, but now we're doing nat2's processing
> before nat1's. Is that a problem? I think it is.
>
> * Packet from 192.168.0.1 to 192.168.200.1
>   - at nat2: destination changed to 192.168.0.1
>   - at nat1: source changed to 192.168.100.1
>
> Trouble is that at the first step, the destination is now 192.168.0.1, which
> means it will be delivered back to the local LAN instead of out of the
> external interface.

I did a lot of things in the last week:

-> My LAN is 192.168.0.0/22

-> OpenVPN, route to clients:
   push "route 192.168.10.0 255.255.255.0"

-> PF rules:
   binat on $vpn_if from 192.168.10.0/24 to any -> 192.168.0.0/24
   binat on $vpn_if from 192.168.0.0/24 to any -> 192.168.10.0/24

On the notebook client, when I try to ping 192.168.10.19 (which is really 192.168.0.19):

15:56:56.197170 IP 10.8.0.6 > 192.168.10.19: ICMP echo request, id 512, seq 5121, length 40
15:56:56.197779 IP 192.168.0.19 > 10.8.0.6: ICMP echo reply, id 512, seq 5121, length 40

My first ping is OK (TTL=126), but for all the others I get no reply (75% lost).

> OTOH, it might not be easy to make work with pf either. You should only need
> two 'binat' rules, but I'm not sure how you go about reversing the in/out
> sense. There's a separate freebsd-pf mailing list which might be able to
> help.

I've found a little bit of information on the pf mailing list, but I think that the problem now belongs on the network mailing list, because my VPN server is my CARP backup machine, and the state table is synchronized by pfsync with the CARP master (the default gateway of the machines). Maybe that's why only my first ping works :-/

Can you help me please?

Many thanks!

--
Tiago Cruz
http://linuxrapido.org
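The translation-order argument Brian makes above (nat2's destination rewrite happening before nat1's source rewrite makes GW1 deliver the packet back to its own LAN) can be checked with a small simulation. The following is an added example and is not code from the thread or from pf; it uses the addresses from Brian's diagrams (both sites on 192.168.0.0/24, site X aliased as 192.168.100.0/24 by nat1, site Y as 192.168.200.0/24 by nat2), models each 1:1 binat as a prefix swap that keeps the host offset, and assumes each gateway delivers locally as soon as the destination falls inside its directly attached 192.168.0.0/24. It also carries Y's reply back through the correct layout, which the quoted text only implies.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology matching the thread: both sites use 192.168.0.0/24,
# nat1 presents site X as 192.168.100.0/24, nat2 presents site Y as 192.168.200.0/24.
LAN = ipaddress.ip_network("192.168.0.0/24")
X_ALIAS = ipaddress.ip_network("192.168.100.0/24")
Y_ALIAS = ipaddress.ip_network("192.168.200.0/24")
SITE_OF = {"GW1": "X", "GW2": "Y"}  # which LAN hangs off which gateway (assumption)


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def remap(addr, src_net, dst_net):
    """Keep the host offset, swap the prefix: what a 1:1 binat does to one address."""
    if addr not in src_net:
        return addr
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.IPv4Address(int(dst_net.network_address) + offset)


def binat(local_net, alias_net):
    """Return (outbound, inbound) translators for one bidirectional mapping:
    outbound rewrites a local source to its alias, inbound rewrites an alias
    destination back to the real local address."""
    def outbound(pkt):
        return replace(pkt, src=remap(pkt.src, local_net, alias_net))

    def inbound(pkt):
        return replace(pkt, dst=remap(pkt.dst, alias_net, local_net))

    return outbound, inbound


nat1_out, nat1_in = binat(LAN, X_ALIAS)
nat2_out, nat2_in = binat(LAN, Y_ALIAS)


def deliver(pkt, chain):
    """Run pkt through (gateway, translator) steps in order. After each step the
    gateway consults its routing table: a destination inside its directly
    attached 192.168.0.0/24 is handed to that LAN and the packet goes no further.
    Returns (final packet, site that received it, or None if undelivered)."""
    for gw, step in chain:
        pkt = step(pkt)
        if pkt.dst in LAN:
            return pkt, SITE_OF[gw]
    return pkt, None


# Layout from the "After:" diagram: nat1 on GW1, nat2 on GW2.
FORWARD_OK = [("GW1", nat1_out), ("GW2", nat2_in)]
REPLY_OK = [("GW2", nat2_out), ("GW1", nat1_in)]
# Layout from the "Or:" diagram: nat2 is processed at GW1 before nat1 at GW2.
FORWARD_SWAPPED = [("GW1", nat2_in), ("GW2", nat1_out)]


def simulate_exchange():
    """X's 192.168.0.1 talks to Y's 192.168.0.1 through Y's alias 192.168.200.1."""
    ip = ipaddress.IPv4Address
    request = Packet(ip("192.168.0.1"), ip("192.168.200.1"))
    req_pkt, req_site = deliver(request, FORWARD_OK)
    # Y answers the source address it saw, i.e. X's alias 192.168.100.1.
    reply = Packet(req_pkt.dst, req_pkt.src)
    rep_pkt, rep_site = deliver(reply, REPLY_OK)
    # Same request through the swapped layout: GW1 rewrites the destination
    # first and sees its own LAN, so the packet never leaves site X.
    bad_pkt, bad_site = deliver(request, FORWARD_SWAPPED)
    return {
        "request": (str(req_pkt.src), str(req_pkt.dst), req_site),
        "reply": (str(rep_pkt.src), str(rep_pkt.dst), rep_site),
        "swapped": (str(bad_pkt.src), str(bad_pkt.dst), bad_site),
    }


if __name__ == "__main__":
    for name, (src, dst, site) in simulate_exchange().items():
        print(f"{name:8s} src={src:15s} dst={dst:15s} delivered at site {site}")
```

In the correct layout the request reaches Y as 192.168.100.1 -> 192.168.0.1 and the reply reaches X as 192.168.200.1 -> 192.168.0.1, so each side only ever sees the other's alias prefix; in the swapped layout the request ends up as 192.168.0.1 -> 192.168.0.1 at site X, which is exactly the local-LAN misdelivery described in the quoted text.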