Date:      Mon, 21 Jul 2014 11:18:45 +0200
From:      "Felix J. Ogris" <fjo-lists@ogris.de>
To:        Zeus Panchenko <zeus@ibs.dn.ua>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: nat lan to tun (nat before vpn)
Message-ID:  <833017AA-8EF0-4FE1-88CA-F8CCF5B9FEDA@ogris.de>
In-Reply-To: <20140721114257.7299@smtp.new-ukraine.org>
References:  <20140721114257.7299@smtp.new-ukraine.org>

On 21 Jul 2014, at 10:42, Zeus Panchenko <zeus@ibs.dn.ua> wrote:

> hi,
>
> I just stumbled on the subject ... please, may somebody advise what
> I am missing?

Is net.inet.ip.forwarding set to 1?

> I have:
>
> FreeBSD 10.0-STABLE #0 r261303
>
> BoxA:
> LAN: 192.168.0.1/24
> TUN (OpenVPN): 172.16.10.1
>
> with route to 172.16/12 set via tun
>
> BoxB:
> LAN: 192.168.0.2/24
>
> with route to 172.16/12 set via boxA lan
>
> I need:
> to give access to 172.16/12 for boxB via nat on boxA
>
> in boxA pf.conf:
>
> nat on tun1 from 192.168.0.2 to 172.16/12 -> 172.16.10.1
> pass in log on tun1

Should be "pass out" or just "pass"
Is the OpenVPN tunnel up? Do you have a rule on the underlying interface
to pass out udp to port 1194?

> pass in log (all) on $if_lan inet proto { tcp udp } from 192.168.0.2
>
> when I spawn traffic to 172.16/12 from boxB I can see packets on lan
> boxA but nothing is on boxA tun ...
>
> so, can I do it this way, or do I need something else? is it the
> nat-before-vpn case which is not implemented in FreeBSD pf yet
> (at least it was so)?
>
> --
> Zeus V. Panchenko        jid:zeus@im.ibs.dn.ua
> IT Dpt., I.B.S. LLC      GMT+2 (EET)
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
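As an added illustration, not part of the thread, here is a boxA pf.conf fragment that applies the three points raised in the reply: the tun1 rule written as "pass out" (the translated packets leave boxA on tun1, so a "pass in" on that interface never matches them), a rule on the underlying interface for the OpenVPN UDP/1194 transport, and a note on net.inet.ip.forwarding. The addresses are the ones given in the thread; the interface names em0 and em1 are assumptions and must be replaced with boxA's real LAN and uplink interfaces.

```pf
# Added example, not from the thread. Interface names are assumptions.
if_lan = "em0"          # assumed LAN interface of boxA (192.168.0.1/24)
if_wan = "em1"          # assumed interface carrying OpenVPN's UDP transport
if_tun = "tun1"         # OpenVPN tunnel interface, 172.16.10.1 (from the thread)
vpn_net = "172.16.0.0/12"
boxb = "192.168.0.2"

# Translate boxB's source address to the tunnel address as the packet
# leaves on tun1, i.e. before it enters the VPN (the rule from the thread).
nat on $if_tun from $boxb to $vpn_net -> 172.16.10.1

# Accept boxB's traffic arriving on the LAN side (as in the thread).
pass in log (all) on $if_lan inet proto { tcp udp } from $boxb to $vpn_net

# Outbound on tun1 the packet already carries the translated source, so the
# filter rule is "pass out" (or a direction-less "pass"), as the reply notes.
pass out log on $if_tun from 172.16.10.1 to $vpn_net

# The tunnel itself rides on UDP/1194 over the underlying interface.
pass out on $if_wan inet proto udp from ($if_wan) to any port 1194
```

Forwarding has to be on for boxA to route at all: `sysctl net.inet.ip.forwarding=1` (persist it as `net.inet.ip.forwarding=1` in /etc/sysctl.conf, or `gateway_enable="YES"` in /etc/rc.conf). Check the syntax with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`. To confirm the translation is actually happening while boxB sends traffic, look at `pfctl -s nat` and `pfctl -s state` for entries with 172.16.10.1 as the translated source, and watch the tunnel with `tcpdump -ni tun1` (logged packets show up on `tcpdump -n -e -ttt -i pflog0`). If nothing appears on tun1, the reply's first two questions apply: confirm the tunnel is up and that the UDP/1194 transport is not being blocked on the uplink.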
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?833017AA-8EF0-4FE1-88CA-F8CCF5B9FEDA>