From owner-freebsd-pf@freebsd.org Tue Nov 12 20:01:33 2019 Return-Path: Delivered-To: freebsd-pf@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 6C4A91B92F0 for ; Tue, 12 Nov 2019 20:01:33 +0000 (UTC) (envelope-from freebsd-database@pp.dyndns.biz) Received: from keymaster.local (ns1.xn--wesstrm-f1a.se [IPv6:2a00:d880:5:1b9::8526]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "keymaster.pp.dyndns.biz", Issuer "keymaster.pp.dyndns.biz" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 47CJXr1HHRz42fd for ; Tue, 12 Nov 2019 20:01:31 +0000 (UTC) (envelope-from freebsd-database@pp.dyndns.biz) Received: from [192.168.69.69] ([192.168.69.69]) by keymaster.local (8.15.2/8.15.2) with ESMTP id xACK1QXD006976 for ; Tue, 12 Nov 2019 21:01:28 +0100 (CET) (envelope-from freebsd-database@pp.dyndns.biz) Subject: Re: NAT for use with OpenVPN References: <1cebcd5e-d9ed-53db-2d01-c8794933d1c4@pp.dyndns.biz> <80ec074d-7a5d-7016-57e4-f607384d0e20@pp.dyndns.biz> <6bc9b8ce-3ab3-2b57-510d-67ace0a90259@pp.dyndns.biz> <30f8da8a-de96-f737-fef8-820c6ae2ed16@pp.dyndns.biz> <7f1fcc2d-4833-7fda-c181-a3d15b16f9ee@pp.dyndns.biz> <0b13ae53-b211-ad2c-1447-225860f73d3a@pp.dyndns.biz> From: =?UTF-8?Q?Morgan_Wesstr=c3=b6m?= To: freebsd-pf@freebsd.org Message-ID: Date: Tue, 12 Nov 2019 21:01:25 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-GB Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 47CJXr1HHRz42fd X-Spamd-Bar: + Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of freebsd-database@pp.dyndns.biz has no SPF policy when checking 2a00:d880:5:1b9::8526) smtp.mailfrom=freebsd-database@pp.dyndns.biz X-Spamd-Result: default: False [1.74 / 15.00]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-0.74)[-0.740,0]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; IP_SCORE(-0.05)[asn: 198203(-0.25), country: NL(0.02)]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-pf@freebsd.org]; TO_DN_NONE(0.00)[]; AUTH_NA(1.00)[]; RCPT_COUNT_ONE(0.00)[1]; RCVD_TLS_LAST(0.00)[]; NEURAL_SPAM_LONG(0.32)[0.321,0]; HFILTER_HELO_IP_A(1.00)[keymaster.local]; R_SPF_NA(0.00)[]; HFILTER_HELO_NORES_A_OR_MX(0.30)[keymaster.local]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:198203, ipnet:2a00:d880::/32, country:NL]; MID_RHS_MATCH_FROM(0.00)[]; DMARC_NA(0.00)[pp.dyndns.biz]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Nov 2019 20:01:33 -0000 > This makes me smile! :-) Hehe, I didn't intentionally try to insult you. Just wasn't sure of your background. :) Personally I started off with IBM DOS 1.0 in the mid 80s and worked as a PC/network technician for 30 years. I'll never let go of my beloved command prompt. Back to business though. The more I read on Netgear's community forum, the more posts I find saying that Netgear's stock firmware only NAT on its own subnet and not on subnets hidden behind other routers. The behaviour you describe is consistent with this information. If there's a DD-WRT or OpenWRT firmware for your router, that would be a good option. It would provide you with the full functionality you need and you could also run the VPN server on the Netgear router again. As a worst case scenario I guess we could do NAT with pf between 10.8.0.0/24 and 192.168.1.0/24 but that would be an ugly solution. /Morgan