From owner-freebsd-pf@freebsd.org  Wed Nov 13 21:13:29 2019
Return-Path: <owner-freebsd-pf@freebsd.org>
Delivered-To: freebsd-pf@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id B51581BBFB5
 for <freebsd-pf@mailman.nyi.freebsd.org>; Wed, 13 Nov 2019 21:13:29 +0000 (UTC)
 (envelope-from freebsd-database@pp.dyndns.biz)
Received: from keymaster.local (ns1.xn--wesstrm-f1a.se
 [IPv6:2a00:d880:5:1b9::8526])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 server-signature RSA-PSS (4096 bits)
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "keymaster.pp.dyndns.biz",
 Issuer "keymaster.pp.dyndns.biz" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 47Cy5N0Lg2z3QNr
 for <freebsd-pf@freebsd.org>; Wed, 13 Nov 2019 21:13:27 +0000 (UTC)
 (envelope-from freebsd-database@pp.dyndns.biz)
Received: from [192.168.69.69] ([192.168.69.69])
 by keymaster.local (8.15.2/8.15.2) with ESMTP id xADLDNa5012148
 for <freebsd-pf@freebsd.org>; Wed, 13 Nov 2019 22:13:23 +0100 (CET)
 (envelope-from freebsd-database@pp.dyndns.biz)
Subject: Re: NAT for use with OpenVPN
References: <mailman.6.1573387200.62111.freebsd-pf@freebsd.org>
 <CAMnCm8gn3y7ai95+tkwdZs2qYndzQaNdpHev4ZdNLyd-bOY4iQ@mail.gmail.com>
 <0b13ae53-b211-ad2c-1447-225860f73d3a@pp.dyndns.biz>
 <CAMnCm8jZQi-UKm_-hF8WS0cofq0OWWP_d5No1AbOP8_KgQE5ZA@mail.gmail.com>
 <baa548e5-7dc3-05cf-0275-902d0193fc21@pp.dyndns.biz>
 <CAMnCm8iZ4iLJYOUFFpoTpF_=9xpG2=MN77xi+tGaSqumHeeqkQ@mail.gmail.com>
 <8ba7182d-8c4e-e10e-467b-6cf447490151@pp.dyndns.biz>
 <CAMnCm8gA_V1trdZtpidms54cmf4TL=R2BZ2MP52fJKrjndxtzA@mail.gmail.com>
 <fa9054ac-b22f-b873-0749-742b73100dba@pp.dyndns.biz>
 <CAMnCm8gN9aYgsJQYCuppGQ1M-YPwe1y7kaQCeEcDChrogsXj0w@mail.gmail.com>
 <b574e8e2-a921-99b8-2d2f-b3dc70341ce3@pp.dyndns.biz>
 <CAMnCm8gS40S27uOHYiKPp5E2hZhg=FknxTKxSsuH6vgOBD5Z9g@mail.gmail.com>
 <ef17181f-61b3-c2eb-9ebb-49e437ceea76@pp.dyndns.biz>
 <CAMnCm8hpTmww-pV+FbOcMJwk+z1_bSs+cVJg5eu5zm84K8RPSA@mail.gmail.com>
 <cf52cc1b-c979-155c-604b-8918ac5fc2d6@pp.dyndns.biz>
 <CAMnCm8i46JOW-bGOutRyxUtJspeSkz4ZjfAQ=XGe_KtbeF387w@mail.gmail.com>
To: freebsd-pf@freebsd.org
From: =?UTF-8?Q?Morgan_Wesstr=c3=b6m?= <freebsd-database@pp.dyndns.biz>
Message-ID: <5fce41df-37fb-fc8c-be80-f47dfd0d04ad@pp.dyndns.biz>
Date: Wed, 13 Nov 2019 22:13:23 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.2.1
MIME-Version: 1.0
In-Reply-To: <CAMnCm8i46JOW-bGOutRyxUtJspeSkz4ZjfAQ=XGe_KtbeF387w@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
X-Rspamd-Queue-Id: 47Cy5N0Lg2z3QNr
X-Spamd-Bar: +
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=none (mx1.freebsd.org: domain of freebsd-database@pp.dyndns.biz has no SPF
 policy when checking 2a00:d880:5:1b9::8526)
 smtp.mailfrom=freebsd-database@pp.dyndns.biz
X-Spamd-Result: default: False [1.91 / 15.00]; ARC_NA(0.00)[];
 NEURAL_HAM_MEDIUM(-0.41)[-0.407,0]; FROM_HAS_DN(0.00)[];
 TO_MATCH_ENVRCPT_ALL(0.00)[];
 IP_SCORE(-0.04)[asn: 198203(-0.21), country: NL(0.02)];
 MIME_GOOD(-0.10)[text/plain]; TO_DN_NONE(0.00)[];
 PREVIOUSLY_DELIVERED(0.00)[freebsd-pf@freebsd.org];
 AUTH_NA(1.00)[]; RCPT_COUNT_ONE(0.00)[1];
 RCVD_TLS_LAST(0.00)[]; NEURAL_SPAM_LONG(0.15)[0.154,0];
 HFILTER_HELO_IP_A(1.00)[keymaster.local]; R_SPF_NA(0.00)[];
 HFILTER_HELO_NORES_A_OR_MX(0.30)[keymaster.local];
 FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:198203, ipnet:2a00:d880::/32, country:NL];
 MID_RHS_MATCH_FROM(0.00)[]; DMARC_NA(0.00)[pp.dyndns.biz];
 RCVD_COUNT_TWO(0.00)[2]
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Nov 2019 21:13:29 -0000

> |iptables --table nat --append POSTROUTING --out-interface eth0 -j 
> MASQUERADE

As I understand iptables, this is the normal/only way to provide NAT for 
any subnet.

> ||One of the comments in another tutorial I was reading says that the 
> MASQUERADE rule is resource intensive, but if I understand it correctly, 
> the only alternative would be to put a specific rule in place for each 
> client. I don't think I want to do that

I wonder what their reference was. When you're using iptables you only 
have MASQUERADE to chose from. Even my 20 year old Netgear RT-314 did 
NAT without problems...

> ||Comments?

Well, I am concerned we couldn't identify what mechanism was responsible 
for the already working NAT for 192.168.1.0/24. We wouldn't want to end 
up with two competing mechanisms activated at the same time and the rule 
you added will provide NAT for 10.8.0.0/24 as well as 192.168.1.0/24 - 
the latter which was already working.

There should be init scripts on that router to start all services. Maybe 
they can give a clue on what's going on and how Netgear choses to 
activate their services.

Whatever you do, just verify that the router's admin interface is not 
accessible from the Internet after you've added your rules!

/Morgan