From owner-freebsd-pf@FreeBSD.ORG Wed Dec 5 15:00:18 2012
From: Peter McAlpine
To: Kevin Wilcox
Cc: fox@verio.net, freebsd-pf@freebsd.org
Date: Wed, 5 Dec 2012 09:51:36 -0500
Subject: Re: Routing return NAT traffic based on interface
References: <20121119235601.GK2692@verio.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

First off, thanks for all the suggestions from both of you. My email filters
were messed up, causing me to miss your replies.

On 19 November 2012 18:56, David DeSimone wrote:
> If I understand the poster's problem, it is that there could be whole
> worlds of other networks behind $int_if, and he is not able to predict
> what IP addresses should be used to match that traffic; in fact, it is
> merely the fact that the traffic is arriving on $int_if that indicates
> it should be NAT'd.

^^ this is the problem exactly.

Here's the config I have:

tun_if = "tap3"
ext_if = "xn0"

set skip on lo

# NAT everything that did not originate on the outside network
nat on $ext_if from !$ext_if:network to any -> $ext_if

# stateful pass in from the tunnel, stateful pass out to the Internet
pass in on $tun_if from $tun_if:network to any keep state
pass out on $ext_if from any to any keep state

I've attached a simple network diagram.

If I ping google.com from a.b.c.d the ICMP traffic on 'server' goes out
ext_if NAT'd, then comes back from google.com, but then 'server' is trying
to send it back out ext_if again because 'server''s default route is the
Internet.

I can get the return traffic to go down the tunnel by manually adding a
route on 'server' to send traffic for a.b.c.0/24 down the tunnel, but then I
need to be aware of what all the networks behind 'client' are, and I don't
want to have to do that.

Thanks again for all the ideas/input!

-Peter

On Mon, Nov 19, 2012 at 7:46 PM, Kevin Wilcox wrote:
> On 19 November 2012 18:56, David DeSimone wrote:
>
> > This doesn't seem right, because even traffic coming in via the external
> > interface will have its target IP changed to be the router, even if
> > it is destined for some other place. Previously you were using "from
> > $int_if:network" to prevent this from happening to other traffic, but
> > without that restriction, every packet would be subject to NAT.
>
> My assumption was that the traffic coming in on the external interface
> is already destined for the outside IP of the router, unless he's
> doing some really funky stuff on both sides ;)
>
> It sounded like he wanted to NAT anything coming from the inside
> interface and then anything on the outside that wasn't return NAT
> traffic was supposed to terminate on the router, but I've been known
> to have clogged ears and awfully poor eyesight.
>
> kmw
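The return-path problem Peter describes above is what pf's `reply-to` option is for: it records the inbound interface and next hop in the state, so replies to that state are sent back out $tun_if regardless of the routing table. This is an added example, not Peter's config or anything from the thread; `$tun_peer` (the client's address on the tap3 side) is an assumed placeholder, and the tunnel rule matches `from any` so that traffic from the unknown networks behind 'client' creates the state too.

```pf
# Added example (not the poster's config): pin return traffic to the
# tunnel with reply-to instead of adding a route per remote network.
tun_if   = "tap3"
ext_if   = "xn0"
tun_peer = "10.8.0.2"        # ASSUMED placeholder: client's IP on tap3

set skip on lo

# Unchanged: NAT everything that did not originate on the outside network
nat on $ext_if from !$ext_if:network to any -> $ext_if

# Before: replies follow the routing table, i.e. the default route via xn0
#pass in on $tun_if from $tun_if:network to any keep state

# After: replies to states created by this rule are handed to $tun_peer on
# $tun_if, whatever networks sit behind 'client' (tap3 is Ethernet-like,
# so a next-hop address is required inside the parentheses)
pass in on $tun_if reply-to ($tun_if $tun_peer) from any to any keep state

pass out on $ext_if from any to any keep state
```

reply-to only affects replies to states created by that rule; connections that 'server' itself initiates toward a.b.c.0/24 still follow the routing table. `pfctl -nf /etc/pf.conf` parses the file without loading it, which is a cheap check before `pfctl -f`.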