From: "C.L. Martinez"
Date: Tue, 08 Sep 2015 21:34:24 +0000
To: questions@freebsd.org
Subject: Using openconnect with ipfw+natd

Hi all,

I have installed a FreeBSD (10.2-p2, fully patched) VM under a KVM host to use as an SSL-VPN client to connect to several Juniper SSL-VPN devices (not at the same time, of course). I need to do NAT in this FreeBSD VM to allow other VMs behind it to access hosts behind the Juniper appliances, but it doesn't work.
In my rc.conf I put the following:

### Firewall configuration options: ###
gateway_enable="YES"
firewall_enable="YES"
firewall_type="open"
firewall_logging="NO"
natd_enable="YES"
natd_flags="-dynamic -m"

My actual ipfw rules:

00050 14 1064 divert 8668 ip from any to any in via tun0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from any to ::1
00500 0 0 deny ip from ::1 to any
00600 0 0 allow ipv6-icmp from :: to ff02::/16
00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 0 0 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 1605 241150 allow ip from any to any
65535 0 0 deny ip from any to any

... but NAT doesn't work, and this FreeBSD VM reaches all hosts behind the Juniper appliances. What am I doing wrong?

Thanks.
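One detail of the posted ruleset is worth checking before anything else: rule 00050 diverts only "in via tun0". natd(8) has to see a packet on its way out of the NAT interface (to rewrite the source address) and the reply on its way back in (to restore it), which is why the FreeBSD Handbook's ipfw/natd setup writes the divert rule with a bare "via" and no direction, so a single rule catches both passes. The following is an added example, not code from the post or from FreeBSD: a small linter for `ipfw show` output that reports which directions on a given interface reach a divert rule and proposes the two-way rewrite. The embedded listing is an abridged, constructed copy of the poster's; the function names (`lint`, `divert_coverage`, `suggest_fix`) are my own. It does not check rule ordering, and it cannot tell whether natd is actually running or which interface it aliases to (the posted rc.conf excerpt sets no natd_interface, so natd gets no -n/-interface or -a/-alias_address from natd_flags either); those have to be checked on the box itself.

```python
"""Lint `ipfw show` output for natd divert rules that see only one direction.

Added example, not code from the post or from FreeBSD.  natd(8) must see an
outgoing packet to rewrite its source address and the reply coming back to
restore the original, so the divert rule on the NAT interface has to match
both directions; a rule qualified with `in` or `out` hands natd only half.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: an abridged copy of the listing in the post.
POSTED_RULESET = """\
00050 14 1064 divert 8668 ip from any to any in via tun0
00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
65000 1605 241150 allow ip from any to any
65535 0 0 deny ip from any to any
"""

# `ipfw show` prints: rule number, packet counter, byte counter, rule body.
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")


@dataclass
class Rule:
    number: int
    packets: int
    octets: int
    body: str  # e.g. "divert 8668 ip from any to any in via tun0"

    @property
    def action(self) -> str:
        return self.body.split()[0]


def parse_ipfw_show(listing: str) -> List[Rule]:
    rules = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"not an `ipfw show` line: {line!r}")
        rules.append(Rule(int(m[1]), int(m[2]), int(m[3]), m[4]))
    return rules


def rule_directions(rule: Rule, iface: str) -> Set[str]:
    """Directions ("in"/"out") in which `rule` can match packets on `iface`.

    `via X` matches either direction, `recv X` only packets received on X,
    `xmit X` only packets sent on X; a bare `in`/`out` restricts further.
    A rule naming no interface matches on every interface.  ipfw accepts
    `tun*`-style unit wildcards, hence fnmatch.
    """
    tokens = rule.body.split()
    dirs = {"in", "out"}
    if "in" in tokens:
        dirs &= {"in"}
    if "out" in tokens:
        dirs &= {"out"}
    by_iface: Optional[Set[str]] = None
    for kw, allowed in (("via", {"in", "out"}), ("recv", {"in"}), ("xmit", {"out"})):
        if kw in tokens:
            pattern = tokens[tokens.index(kw) + 1]
            here = allowed if fnmatch.fnmatchcase(iface, pattern) else set()
            by_iface = here if by_iface is None else by_iface & here
    return dirs & by_iface if by_iface is not None else dirs


def divert_coverage(rules: List[Rule], iface: str) -> Dict[str, bool]:
    """Whether some divert rule catches inbound and outbound traffic on `iface`.

    Ordering is not checked: the divert rule still has to precede any allow
    rule matching the same packets, as rule 00050 does in the posted set.
    """
    seen = {"in": False, "out": False}
    for r in rules:
        if r.action == "divert":
            for d in rule_directions(r, iface):
                seen[d] = True
    return seen


def suggest_fix(rule: Rule) -> str:
    """Rewrite a one-way divert rule so it matches both directions."""
    tokens = [t for t in rule.body.split() if t not in ("in", "out")]
    return " ".join("via" if t in ("recv", "xmit") else t for t in tokens)


def lint(listing: str, iface: str) -> List[str]:
    rules = parse_ipfw_show(listing)
    findings = [f"no divert rule catches {d}bound traffic on {iface}"
                for d, ok in divert_coverage(rules, iface).items() if not ok]
    for r in rules:
        if r.action == "divert" and rule_directions(r, iface) in ({"in"}, {"out"}):
            findings.append(f"rule {r.number:05d} is one-way; suggested: {suggest_fix(r)}")
    return findings


if __name__ == "__main__":
    for finding in lint(POSTED_RULESET, "tun0") or ["divert coverage on tun0 is complete"]:
        print(finding)
```

Run against the posted listing it reports that nothing diverts outbound traffic on tun0 and suggests `divert 8668 ip from any to any via tun0` for rule 00050; with that one change the same listing passes. On the VM itself the same check is `ipfw show | head`, followed by confirming that the divert rule's packet counter rises for traffic in both directions while a VM behind it is talking to a host on the far side of the tunnel.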