> I'm running OpenBSD 5.8, npppd, mpath and have tried the same on 5.7 and
> 5.3.
> npppd works fine and clients can connect using windows pptp client.
> The Client has the pptp connection set as default gateway and can
> access the internet through the vpn gateway but cannot access the LAN
> network.
> Traffic arrives on the pppx0 interface but never gets forwarded to the
> LAN ip address.
Can you see the traffic for the LAN on $int_if or the other physical
interfaces?
> ## vpn
> pass quick log on pppx
> match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
> match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
> match out log on $int_if from $vpn_net nat-to ($int_if)
First line, "pass quick", becomes the last rule for traffic in/out on the
pppx interface since it is "quick". So subsequent rules (including nat) are
not applied.
--yasuoka
I'm used to pf on FreeBSD, the problem was not the quick rule.
It looks like pf or the kernel on OpenBSD sets a "block all" on any
interface not defined in the pf.conf using skip or pass rules, which is a
good thing because this closes unintended security holes.
Thanks for your help.
The below pf.conf does the trick
### NAT
## int_net
match out log on $ext1_if from $int_net nat-to ($ext1_if)
match out log on $ext2_if from $int_net nat-to ($ext2_if)
## vpn
match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
match out log on $int_if from $vpn_net nat-to ($int_if)
### FILTER RULES
block drop quick inet6
block log all
pass out log
## allow ping, traceroute and echo
pass in log inet proto icmp all icmp-type $icmp_types
## internal network
pass in log on $int_if
## pass connections to vpn server
pass in log on pppx
pass log proto { gre } from any to any keep state
pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
pass in log on $ext2_if proto tcp from any to $ext2_if port 1723
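Added example, not part of the thread: a small Python model of how pf walks a ruleset, used to trace the pf.conf posted above for a few representative packets. It follows the semantics in pf.conf(5): rules are evaluated top to bottom, the last matching pass/block rule wins unless a matching rule is "quick" (which ends evaluation at once), "match" rules only attach their nat-to, and a packet that matches no pass/block rule is passed by default, which is why the "block log all" line carries the default deny. The interface names em0/em1/em2 standing in for $int_if/$ext1_if/$ext2_if, the symbolic source networks, and the simplified matching (no state table, no address matching, icmp-type and the "to $ext1_if" destination ignored) are assumptions of the example.

```python
# Added example (not from the thread): toy model of pf rule evaluation
# used to trace the posted pf.conf. Real pf keeps state, so replies to a
# passed connection never hit the rules again; the model only shows which
# rule decides the FIRST packet on each interface it crosses.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed stand-ins for the macros in the post (placeholders, not real values).
INT_IF, EXT1_IF, EXT2_IF = "em0", "em1", "em2"
INT_NET, VPN_NET = "int_net", "vpn_net"


@dataclass
class Packet:
    iface: str            # interface the packet is evaluated on, e.g. "pppx0"
    direction: str        # "in" or "out" relative to that interface
    src_net: str          # symbolic source: "int_net", "vpn_net" or "internet"
    proto: str = "ip"     # "tcp", "gre", "icmp", ...
    dport: Optional[int] = None
    af: str = "inet"      # address family: "inet" or "inet6"


@dataclass
class Rule:
    action: str                       # "pass", "block" or "match"
    quick: bool = False
    direction: Optional[str] = None   # None matches both directions
    iface: Optional[str] = None       # exact name or interface group ("pppx")
    src_net: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    af: Optional[str] = None
    nat_to: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.direction and self.direction != p.direction:
            return False
        # "on pppx" names an interface group: it matches pppx0, pppx1, ...
        # (prefix test is a simplification of pf's group handling)
        if self.iface and not p.iface.startswith(self.iface):
            return False
        if self.src_net and self.src_net != p.src_net:
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.af and self.af != p.af:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int], Optional[str]]:
    """Return (verdict, index of the deciding rule or None, nat_to or None).

    Last matching pass/block rule wins; a matching 'quick' rule stops the
    walk immediately; 'match' rules only record their nat-to; with no
    matching pass/block rule the verdict is pf's default, pass.
    """
    verdict, decided_by, nat_to = "pass", None, None
    for i, r in enumerate(rules):
        if not r.matches(p):
            continue
        if r.action == "match":
            nat_to = r.nat_to or nat_to
            continue
        verdict, decided_by = r.action, i
        if r.quick:
            break
    return verdict, decided_by, nat_to


# The working ruleset from the post, in order (log keywords omitted).
WORKING: List[Rule] = [
    Rule("match", direction="out", iface=EXT1_IF, src_net=INT_NET, nat_to=EXT1_IF),  # 0
    Rule("match", direction="out", iface=EXT2_IF, src_net=INT_NET, nat_to=EXT2_IF),  # 1
    Rule("match", direction="out", iface=EXT1_IF, src_net=VPN_NET, nat_to=EXT1_IF),  # 2
    Rule("match", direction="out", iface=EXT2_IF, src_net=VPN_NET, nat_to=EXT2_IF),  # 3
    Rule("match", direction="out", iface=INT_IF, src_net=VPN_NET, nat_to=INT_IF),    # 4
    Rule("block", quick=True, af="inet6"),                    # 5 block drop quick inet6
    Rule("block"),                                            # 6 block log all
    Rule("pass", direction="out"),                            # 7 pass out log
    Rule("pass", direction="in", proto="icmp"),               # 8 icmp-type simplified away
    Rule("pass", direction="in", iface=INT_IF),               # 9 pass in on $int_if
    Rule("pass", direction="in", iface="pppx"),               # 10 pass in on pppx
    Rule("pass", proto="gre"),                                # 11 pass proto gre
    Rule("pass", direction="in", iface=EXT1_IF, proto="tcp", dport=1723),  # 12
    Rule("pass", direction="in", iface=EXT2_IF, proto="tcp", dport=1723),  # 13
]


def trace(rules: List[Rule], hops: List[Packet]):
    """Evaluate one packet on each interface it crosses, in order."""
    return [(h.iface, h.direction) + evaluate(rules, h) for h in hops]


if __name__ == "__main__":
    # VPN client talking to the LAN: arrives on pppx0, leaves on $int_if.
    for row in trace(WORKING, [Packet("pppx0", "in", VPN_NET),
                               Packet(INT_IF, "out", VPN_NET)]):
        print(row)
    # With "pass quick on pppx" placed first, rule 0 decides and nothing
    # after it is consulted for pppx traffic (yasuoka's point above).
    print(evaluate([Rule("pass", quick=True, iface="pppx")] + WORKING,
                   Packet("pppx0", "in", VPN_NET)))
```

The trace shows which line of the posted configuration actually decides each packet: inbound VPN traffic is passed by "pass in log on pppx" after first hitting "block log all", the outbound leg on $int_if is passed by "pass out log" with the nat-to from the $vpn_net match rule attached, and an unsolicited inbound TCP connection on $ext1_if to any port other than 1723 is left with "block log all" as the deciding rule.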