> I'm running OpenBSD 5.8, npppd, mpath and have tried the same on 5.7 and 5.3.
> npppd works fine and clients can connect using the Windows pptp client.
> The client has the pptp connection set as default gateway and can
> access the internet through the vpn gateway but cannot access the LAN network.
> Traffic arrives on the pppx0 interface but never gets forwarded to the
> LAN ip address.

Can you see the traffic for the LAN on $int_if or the other physical interfaces?

> ## vpn
> pass quick log on pppx
> match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
> match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
> match out log on $int_if from $vpn_net nat-to ($int_if)

First line, "pass quick", becomes the last rule for traffic in/out on the pppx interface since it is "quick". So subsequent rules (including nat) are not applied.

--yasuoka

I'm used to pf on FreeBSD; the problem was not the quick rule. It looks like pf or the kernel on OpenBSD sets a "block all" on any interface not defined in the pf.conf using skip or pass rules, which is a good thing because this closes unintended security holes.

Thanks for your help. The pf.conf below does the trick:

### NAT
## int_net
match out log on $ext1_if from $int_net nat-to ($ext1_if)
match out log on $ext2_if from $int_net nat-to ($ext2_if)
## vpn
match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
match out log on $int_if from $vpn_net nat-to ($int_if)

### FILTER RULES
block drop quick inet6
block log all
pass out log

## allow ping, traceroute and echo
pass in log inet proto icmp all icmp-type $icmp_types

## internal network
pass in log on $int_if

## pass connections to vpn server
pass in log on pppx
pass log proto { gre } from any to any keep state
pass in log on $ext1_if proto tcp from any to $ext1_if port 1723
pass in log on $ext2_if proto tcp from any to $ext2_if port 1723
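The ordering point yasuoka raises (a "quick" rule ends evaluation, so "match ... nat-to" rules placed after it are never reached for the packets it catches) is what the working pf.conf above fixes by putting the whole NAT section before the filter rules. The following is an added example, not code from the thread: a small checker that flags match/nat-to rules appearing after the first quick rule, run against the thread's original snippet and a shortened version of the fixed ruleset.

```python
"""Added example: check pf.conf rule ordering. pf evaluates rules top to
bottom and 'quick' stops evaluation at that rule, so 'match ... nat-to'
rules listed after a quick rule cannot apply to the packets that quick
rule decides. Both rulesets below are copied from the thread; the macro
names ($ext1_if etc.) are left unexpanded since only ordering matters."""


def lint_pf_order(conf):
    """Return [(line_no, rule_text)] for every 'match ... nat-to' rule that
    appears after the first quick pass/block rule in the ruleset."""
    first_quick = None
    late_match = []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        words = line.split()
        if first_quick is None and words[0] in ("pass", "block") and "quick" in words:
            first_quick = no
        elif words[0] == "match" and "nat-to" in words and first_quick is not None:
            late_match.append((no, line))
    return late_match


# The snippet from the original question: quick pass first, NAT after it.
ORIGINAL = """\
## vpn
pass quick log on pppx
match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
match out log on $ext2_if from $vpn_net nat-to ($ext2_if)
match out log on $int_if from $vpn_net nat-to ($int_if)
"""

# The shape of the working config: NAT section before any filter rule.
FIXED = """\
### NAT
match out log on $ext1_if from $vpn_net nat-to ($ext1_if)
match out log on $int_if from $vpn_net nat-to ($int_if)
### FILTER RULES
block drop quick inet6
block log all
pass in log on pppx
"""

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("fixed", FIXED)):
        problems = lint_pf_order(conf)
        print(f"{name}: {len(problems)} match rule(s) after a quick rule")
        for no, text in problems:
            print(f"  line {no}: {text}")
```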