Date: Sun, 15 Nov 2009 22:23:13 +0100
From: Balázs Mátéffy <repcsike@gmail.com>
To: freebsd-pf <freebsd-pf@freebsd.org>
Subject: PF NAT problems.
Message-ID: <c4b701070911151323n1e7c8750tfa94542c05cd9ee3@mail.gmail.com>
Hello,

I'm struggling to get pf nat to work when connecting to IPsec VPNs, when I have a pf and pf nat gateway on my LAN side. Sometimes it's ok to some networks, but most of the time it's not. Usually I'm using the Cisco VPN client, connecting to Cisco ASA devices, and sometimes PPTP and L2TP VPN with the client from Windows XP.

I tried passing IPsec-relevant packets through the pf firewall, but if I use ipnat it works perfectly without any added rules. Somewhere I found that I have to statically map port 500 for pf to map that to the external interface as well (and not change the port number), but I couldn't make that work.

Relevant part of my pf.conf (I just pasted the macros, because I think the problem lies somewhere else):

    prv_ads = 192.168.0.0/24

    nat on $ext_if proto $nat_p from $prv_ads to any -> ($ext_if:0)  # we need this to work with dyn ip and pppoe tun0

    ## Some port forwarding rules deleted from here...

    rdr-anchor miniupnpd

ipnat.conf:

    map tun0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
    map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp 40000:65000
    map tun0 192.168.0.0/24 -> 0/32
    # some port redirection deleted from here.

Thanks for any help,
B.
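The port-preserving IKE mapping the poster mentions, written out as an added example (not part of the original message or of FreeBSD's pf), in the pre-4.7 nat-rule syntax FreeBSD 8 used in 2009; it assumes the poster's $ext_if is tun0 and $prv_ads is 192.168.0.0/24, and it mirrors what the plain ipnat map rule (no portmap) already does for these packets.

```pf
# Added example, not from the original post.
# IKE (UDP 500) and NAT-T (UDP 4500) peers often reject a rewritten source
# port, so translate them first with static-port. pf applies the FIRST
# matching nat rule, so ordering matters: the generic rule goes last.

ext_if  = "tun0"             # assumption: the PPPoE interface
prv_ads = "192.168.0.0/24"   # as in the poster's pf.conf

# IKE / NAT-T: keep the client's source port, only rewrite the address
nat on $ext_if proto udp from $prv_ads to any port { 500, 4500 } \
    -> ($ext_if:0) static-port

# ESP has no ports, so pf can only map it for one inside host at a time;
# a second client to the same peer must use NAT-T (UDP 4500) instead
nat on $ext_if proto esp from $prv_ads to any -> ($ext_if:0)

# everything else may be port-rewritten as before
nat on $ext_if proto { tcp, udp, icmp } from $prv_ads to any -> ($ext_if:0)

# stateful pass rules for the translated tunnel traffic; replies come
# back through the state entry, no separate pass in rule is needed
pass out on $ext_if proto udp from ($ext_if) to any port { 500, 4500 } keep state
pass out on $ext_if proto esp from ($ext_if) to any keep state
```

`pfctl -nf /etc/pf.conf` checks the syntax before loading, and after a client connects `pfctl -ss` should show a udp state whose translated source port is still 500 (or 4500) rather than one from the dynamic range.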