Date: Wed, 13 Nov 2019 15:45:20 -0500 From: Phil Staub <phil@staub.us> To: =?UTF-8?Q?Morgan_Wesstr=C3=B6m?= <freebsd-database@pp.dyndns.biz> Cc: freebsd-pf@freebsd.org Subject: Re: NAT for use with OpenVPN Message-ID: <CAMnCm8i46JOW-bGOutRyxUtJspeSkz4ZjfAQ=XGe_KtbeF387w@mail.gmail.com> In-Reply-To: <cf52cc1b-c979-155c-604b-8918ac5fc2d6@pp.dyndns.biz> References: <mailman.6.1573387200.62111.freebsd-pf@freebsd.org> <CAMnCm8juj8uPuqfDXWu4rOPjbiK0xrsUUrQn002R639RepQOWg@mail.gmail.com> <7f1fcc2d-4833-7fda-c181-a3d15b16f9ee@pp.dyndns.biz> <CAMnCm8gn3y7ai95%2BtkwdZs2qYndzQaNdpHev4ZdNLyd-bOY4iQ@mail.gmail.com> <0b13ae53-b211-ad2c-1447-225860f73d3a@pp.dyndns.biz> <CAMnCm8jZQi-UKm_-hF8WS0cofq0OWWP_d5No1AbOP8_KgQE5ZA@mail.gmail.com> <baa548e5-7dc3-05cf-0275-902d0193fc21@pp.dyndns.biz> <CAMnCm8iZ4iLJYOUFFpoTpF_=9xpG2=MN77xi%2BtGaSqumHeeqkQ@mail.gmail.com> <8ba7182d-8c4e-e10e-467b-6cf447490151@pp.dyndns.biz> <CAMnCm8gA_V1trdZtpidms54cmf4TL=R2BZ2MP52fJKrjndxtzA@mail.gmail.com> <fa9054ac-b22f-b873-0749-742b73100dba@pp.dyndns.biz> <CAMnCm8gN9aYgsJQYCuppGQ1M-YPwe1y7kaQCeEcDChrogsXj0w@mail.gmail.com> <b574e8e2-a921-99b8-2d2f-b3dc70341ce3@pp.dyndns.biz> <CAMnCm8gS40S27uOHYiKPp5E2hZhg=FknxTKxSsuH6vgOBD5Z9g@mail.gmail.com> <ef17181f-61b3-c2eb-9ebb-49e437ceea76@pp.dyndns.biz> <CAMnCm8hpTmww-pV%2BFbOcMJwk%2Bz1_bSs%2BcVJg5eu5zm84K8RPSA@mail.gmail.com> <cf52cc1b-c979-155c-604b-8918ac5fc2d6@pp.dyndns.biz>
next in thread | previous in thread | raw e-mail | index | archive | help
I believe I'm getting close. I found a tutorial at https://www.howtoforge.com/nat_iptables ... that gives identifies a couple rules to enable IP Forwarding and Masquerading: iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERAD= E iptables --append FORWARD --in-interface eth1 -j ACCEPT This results in the following: # iptables -t nat -L Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination MASQUERADE all -- anywhere anywhere # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination GUSTER tcp -- anywhere anywhere tcp dpt:80 GUSTER tcp -- anywhere anywhere tcp dpt:443 ACCEPT all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain GUSTER (2 references) target prot opt source destination # I'm not sure about the ACCEPT rule. I think it might be too general, but I'll do some more research on that. I am now able to ping 8.8.8.8 from my phone, and I used 'whatismyip.com' to verify that it sees my router's public IP address. I also have a handle on where to put this so that it survives a router rebo= ot. One of the comments in another tutorial I was reading says that the MASQUERADE rule is resource intensive, but if I understand it correctly, the only alternative would be to put a specific rule in place for each client. I don't think I want to do that Comments? Phil On Wed, Nov 13, 2019 at 11:03 AM Morgan Wesstr=C3=B6m < freebsd-database@pp.dyndns.biz> wrote: > > # tcpdump -nvvi eth0 icmp > > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size > > 65535 bytes > > 15:22:29.614953 IP (tos 0x0, ttl 62, id 5638, offset 0, flags [DF], > > proto ICMP (1), length 84) > > 10.8.0.8 > 8.8.8.8 <http://8.8.8.8>: ICMP echo request, id 13, seq > > 1, length 64 > > Are you thinking that the ping should be coming from 192.168.1.200 (my > > OpenVPN server machine)? If not, how else would you know whether the > > address is being NATed? > > The packet is NATed when your Netgear router exchange the source ip > address 10.8.0.8 with its own public external ip address 67.175.144.37. > > I you ping from any machine on your 192.168.1.0/24 subnet you will see > those packets as "67.175.144.37 > 8.8.8.8" on your external interface > regardless of what ip is the source on the LAN. This is what should've > been the case also from 10.8.0.0/24 if the router was doing its job > properly. > > If you listen with tcpdump on the internal interface, before NAT takes > place, you will still see the original private ip addresses as source > addresses. > > Private ip addresses (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) > can't be routed on the Internet (RFC1918). NAT means that when your > router receives a packet on its internal interface, destined for the > Internet, with one of those private ip addresses in the source field, it > exchanges it with its own external ip before forwarding it to your ISP. > It then keeps a table of what internal ip communicates with what ip on > the Internet. When a reply returns it's matched against this table and > if the router finds that this packet is meant for a computer on your LAN > it will now reverse the NAT procedure and exchange its external ip > (which is now the destination address) with the correct internal ip and > put the packet on your LAN. > > The reason you can't see pings from your internal ips to your external > ip on the external interface is simply because those packets are never > actually put on that interface physically. When those pings reach the > internal interface, the ip stack in the router realizes that the ping is > meant for itself and immediately responds on the internal interface. > tcpdump listens to what's actually put on the physical interface and > won't see those packets while listening on eth0. Everything you have > shown me so far is consistent with our suspicion that the Netgear router > only provides NAT for 192.168.1.0/24. > > I have only rudimentary knowledge of iptables but I'm convinced your > problem will be solved if you can find a way to add a NAT rule for > 10.8.0.0/24 or better yet, for any subnet existing on your LAN. > > /Morgan > _______________________________________________ > freebsd-pf@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-pf > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org" >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAMnCm8i46JOW-bGOutRyxUtJspeSkz4ZjfAQ=XGe_KtbeF387w>