From: Phil Staub
Date: Sat, 9 Nov 2019 14:02:02 -0500
Subject: Re: NAT for use with OpenVPN
To: freebsd-pf@freebsd.org
Further investigation suggests that I needed to add client-config-dir to my OpenVPN server.conf file and create a client file with ifconfig-push in it to eliminate the 'bad source address' warning. However, I am still unable to get the NAT to work.

I've been staring at the PF chapter in the handbook, and I can't get a good handle on how the example they provide works so that I can modify it for my use. Here is the example I'm trying to parse:

    ext_if = "xl0"    # macro for external interface - use tun0 for PPPoE
    int_if = "xl1"    # macro for internal interface
    localnet = $int_if:network

    # ext_if IP address could be dynamic, hence ($ext_if)
    nat on $ext_if from $localnet to any -> ($ext_if)

    block all
    pass from { lo0, $localnet } to any keep state

In my case, I'm using "tun0" as the internal interface and "em0" as the external interface. I also specify the (fixed) address of my server on my local address. However, this is clearly not what is needed, because the 'block all' locks out everything trying to access the server machine from other machines on the local net. So I removed the 'block all'. I also made a couple of other modifications. Here's what I have now:

    ext_if = "em0"    # macro for external interface - use tun0 for PPPoE
    int_if = "tun0"   # macro for internal interface
    localnet = $int_if:network

    nat on $ext_if from $localnet to any ->

    pass from $localnet to any keep state

This seems to be working, except that I get some warnings in the OpenVPN log about "PID_ERR replay-window backtrack occurred [1] [SSL-0]".

Three questions:

1. Is this error something I need to be concerned about?

2. Since the router I have between the server machine and the internet has a firewall, do I need to worry about any other rules in the pf ruleset? (i.e. is it safe to use my modified version of the handbook example?)

3. I don't intend to change the server machine's IP address, so I eliminated the "($ext_if)" and replaced it with the server's static address. Using the ($ext_if) and running pfctl -vnf /etc/pf.conf results in reporting "(em0) round robin" instead of the actual IP of the server. This seems to work, but is it really necessary?

Thanks,
Phil

On Thu, Nov 7, 2019 at 3:48 PM Phil Staub wrote:
> I'm attempting to set up OpenVPN on a FreeBSD 12.1-RELEASE box. I'd like
> for it to allow remote clients to access the internet via the server box's
> connection. It appears that OpenVPN is working, because new connections are
> logged, but I also get this message in the log:
>
> Thu Nov 7 15:43:17 2019 us=289157 han/67.175.144.37:61307 MULTI: bad
> source address from client [::], packet dropped
>
> And the attached client doesn't have internet access.
>
> SO, I'm assuming I need to set up PF to NAT between tun0 and em0.
>
> I tried looking in the FreeBSD handbook in the chapter on PF, but that's
> like drinking from a fire hose, and I'm sure there is much more detail
> there than I need to know.
>
> Can someone point me to a concise description of how to achieve this?
>
> Thanks,
> Phil
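As an added illustration (not the poster's ruleset, nor the Handbook's), here is a pf.conf that keeps the Handbook's default-deny but still lets LAN machines reach the server, which is what dropping 'block all' above was trying to achieve. It assumes em0/tun0 as in the message, that OpenVPN listens on its default UDP port 1194, and that the LAN is em0's own network.

```pf
# Added example, not the poster's config.  Assumptions: OpenVPN on UDP 1194
# (its default), the LAN is em0's network, tun0 carries the VPN clients.
ext_if   = "em0"             # external interface (toward the home router)
int_if   = "tun0"            # OpenVPN tunnel interface
vpnnet   = $int_if:network   # VPN client subnet, derived from tun0's address
lannet   = $ext_if:network   # machines on the local LAN
vpn_port = "1194"

set skip on lo0              # no filtering on loopback

# NAT: rewrite the source of VPN-client traffic leaving em0 to em0's address.
# "($ext_if)" is looked up per packet, so an address change on em0 needs no
# reload; pfctl -vn prints it as "(em0) round robin" rather than the IP.
nat on $ext_if from $vpnnet to any -> ($ext_if)

# Default deny, then open only what is needed.
block all

# The server itself may initiate traffic on both interfaces.
pass out on $ext_if keep state
pass out on $int_if keep state

# Accept OpenVPN sessions arriving from the internet (forwarded by the router).
pass in on $ext_if proto udp to ($ext_if) port $vpn_port keep state

# Keep the server reachable from the LAN (what a bare "block all" cut off).
pass in on $ext_if from $lannet to ($ext_if) keep state

# VPN clients may send into the tunnel; the nat rule handles their egress.
pass in on $int_if from $vpnnet to any keep state
```

Forwarding between tun0 and em0 also requires gateway_enable="YES" in /etc/rc.conf (net.inet.ip.forwarding=1); check the syntax with pfctl -nf /etc/pf.conf before loading.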