First off, thanks for all the suggestions from both of you. My email filters were messed up causing me to miss your replies.
On 19 November 2012 18:56, David DeSimone <[email protected]> wrote:
> If I understand the poster's problem, it is that there could be whole
> worlds of other networks behind $int_if, and he is not able to predict
> what IP addresses should be used to match that traffic; in fact, it is
> merely the fact that the traffic is arriving on $int_if that indicates
> it should be NAT'd.

^^ this is the problem exactly.

Here's the config I have:

tun_if = "tap3"
ext_if = "xn0"

set skip on lo

nat on $ext_if from !$ext_if:network to any -> $ext_if

pass in on $tun_if from $tun_if:network to any keep state
pass out on $ext_if from any to any keep state

I've attached a simple network diagram. If I ping google.com from a.b.c.d, the icmp traffic on 'server' goes out ext_if NAT'd, then comes back from google.com, but then 'server' is trying to send it back out ext_if again because 'server's default route is the Internet.

I can get the return traffic to go down the tunnel by manually adding a route on 'server' to send traffic for a.b.c.0/24 down the tunnel, but then I need to be aware of what all the networks behind 'client' are, and I don't want to have to do that.

Thanks again for all the ideas/input!

-Peter

On Mon, Nov 19, 2012 at 7:46 PM, Kevin Wilcox <[email protected]> wrote:
> On 19 November 2012 18:56, David DeSimone <[email protected]> wrote:
>
> > This doesn't seem right, because even traffic coming in via the external
> > interface will have its target IP changed to be the router, even if
> > it is destined for some other place. Previously you were using "from
> > $int_if:network" to prevent this from happening to other traffic, but
> > without that restriction, every packet would be subject to NAT.
>
> My assumption was that the traffic coming in on the external interface
> is already destined for the outside IP of the router, unless he's
> doing some really funky stuff on both sides ;)
>
> It sounded like he wanted to NAT anything coming from the inside
> interface and then anything on the outside that wasn't return NAT
> traffic was supposed to terminate on the router, but I've been known
> to have clogged ears and awfully poor eyesight.
>
> kmw
>
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
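As an added example that is not part of this thread, one way to keep the poster's catch-all NAT rule while having pf itself steer replies back down the tunnel, without enumerating the networks behind 'client', is pf's reply-to option on the inbound tunnel rule. $tun_peer is an assumed placeholder for the client's address on the tap3 link; it is not given in the thread.

```pf
# Added example, not the poster's config. Assumes the client end of the
# tap3 link is reachable as $tun_peer (placeholder, not given in the thread).
tun_if   = "tap3"
ext_if   = "xn0"
tun_peer = "192.0.2.2"   # placeholder: client-side IP on the tap3 link

set skip on lo

# Translate everything leaving ext_if that did not originate on ext_if's
# own subnet, whatever network behind the tunnel it came from.
nat on $ext_if from !$ext_if:network to any -> $ext_if

# Match on the arrival interface rather than on $tun_if:network, since the
# interesting sources (a.b.c.d and friends) are not on the tap subnet.
# reply-to records the inbound interface and next hop in the state, so a
# reply that matches this state is sent back out tap3 to $tun_peer instead
# of following the default route; no per-network static routes are needed.
pass in on $tun_if reply-to ($tun_if $tun_peer) from any to any keep state

pass out on $ext_if from any to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading; `pfctl -vvsr` prints the loaded rules with their reply-to targets so you can confirm the option took effect.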
