From: Balázs Mátéffy
To: freebsd-pf
Date: Sun, 15 Nov 2009 22:23:13 +0100
Subject: PF NAT problems.

Hello,

I'm struggling to get pf nat to work when connecting to IPsec VPNs, when I have a pf and pf nat gateway on my LAN side. Sometimes it's OK to some networks, but most of the time it's not. Usually I'm using the Cisco VPN client, connecting to Cisco ASA devices, and sometimes PPTP and L2TP VPNs with the client from Windows XP.

I tried passing IPsec-relevant packets through the pf firewall, but if I use ipnat it works perfectly without any added rules. Somewhere I found that I have to statically map port 500 for pf to map that to the external interface as well (and not change the port number), but I couldn't make that work.

Relevant part of my pf.conf: I just pasted the macros, because I think the problem lies somewhere else.

    prv_ads = 192.168.0.0/24
    nat on $ext_if proto $nat_p from $prv_ads to any -> ($ext_if:0) # we need this to work with dyn ip and pppoe tun0
    ## Some port forwarding rules deleted from here...
    rdr-anchor miniupnpd

ipnat.conf:

    map tun0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
    map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp 40000:65000
    map tun0 192.168.0.0/24 -> 0/32
    # some port redirection deleted from here.

Thanks for any help,
B.
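Added example (editor's, not the poster's configuration) of the "statically map port 500" approach the poster mentions, written in the nat-rule syntax of the pf version of that era. The macro values, the interface name and the port list are assumptions; only `prv_ads` and `($ext_if:0)` come from the post. By default pf rewrites the source port of translated UDP and TCP connections into the 50001:65535 range; `static-port` keeps the original source port, which is what IKE on UDP 500 (and NAT-T on UDP 4500) needs when the remote end expects the port unchanged.

```pf
# Added example, not the poster's pf.conf. Macro values are assumed.
ext_if  = "tun0"
prv_ads = "192.168.0.0/24"

# IKE (UDP 500) and NAT-T (UDP 4500): translate the address but keep the
# original source port. nat rules are first-match, so this rule must come
# BEFORE the general nat rule below, or it is never reached.
nat on $ext_if inet proto udp from $prv_ads to any port { 500, 4500 } \
    -> ($ext_if:0) static-port

# Everything else: ordinary NAT with source-port rewriting. No "proto"
# restriction here, so ESP is translated too, like the poster's third
# unrestricted ipnat "map" line.
nat on $ext_if inet from $prv_ads to any -> ($ext_if:0)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, confirm the rule order with `pfctl -s nat` (the static-port rule has to be listed first), and after starting a VPN connection look at `pfctl -s state` for the UDP 500 entry: with `static-port` the translated source port shown there stays 500 instead of a number from the 50001:65535 range.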