On Thu, Nov 03, 2016 at 06:48:56PM -0400, Marina Brown wrote:
> On 11/03/2016 03:36 PM, Stefan Sperling wrote:
> > On Thu, Nov 03, 2016 at 03:17:40PM -0400, Marina Brown wrote:
> >> Hi All:
> >>
> >> I have been trying to create an nppp connection across my property -
> >> about 100M for one of my friends who lives here. He wants less security
> >> than i like behind my firewall. I have not been able to get OpenBSD to
> >> route his connection out of the network. Here are my settings.
> >
> >> # NAT Rule to translate from internal to External NET
> >> pass out on em0 inet from em1:network to any nat-to (em0)
> >
> > You're using NAT when passing out on em0 here, and...
> >
> >> external = em0
> >
> >> pass out quick on $external from 10.0.0.103/32 to any
> >
> > ... my guess is that you're missing 'nat-to ($external)' here ^
> >
>
> Thanks - is there a way to exclude the npppd users from the nat
> altogether. That is the reason for the exercise. If i put him
> behind the nat we are right where we started. He runs games that
> don't play well with strict NAT settings and i don't want the rest of my
> network exposed to reduced security.
>
> I thought he would be on pppx0. Is there a way to do this.
Well, one way or another he will need to have his private 10.0.0.103 IP
address translated to an IP that is actually valid on the internet.
There is no way around that.

pppx0 is where his packets arrive on your firewall. Your firewall has to
forward those packets to the internet and that requires using a public IP
as source address, else the internet won't be able to reply.

One option would be for him to get a VPN tunnel with some provider that
assigns public IPs to their VPN clients. That would solve this issue as
long as you still provide NAT so that his VPN client can reach the
provider's server across the internet. He would get his own public IP to
use for the game.

Another option is to try adding 'static-port' to his NAT rule:

  pass out quick on $external from 10.0.0.103/32 to any nat-to ($external) static-port

Perhaps that's enough to make the game he's playing work through NAT.

You could further restrict the above to certain ports used by the game.
For example, if the game was using the port range 5000:5100 then you
could do something like this:

  pass out quick on $external from 10.0.0.103/32 to any port 5000:5100 nat-to ($external) static-port

In this case all his other connections would still use randomized NAT ports.
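The rules from this thread assembled into one pf.conf fragment, as an added example that is not part of either mail: the interface names, the client address 10.0.0.103 and the port range 5000:5100 are taken from the thread, the macro names are assumed, and a protocol is added because pf only accepts a port match for tcp/udp.

```pf
# Assumed names: em0 = external, em1 = LAN, 10.0.0.103 = the npppd client
ext_if      = "em0"
int_if      = "em1"
game_client = "10.0.0.103"
game_ports  = "5000:5100"

# Specific rule first, with 'quick', so the general NAT rules below
# cannot override it (without 'quick' the last matching rule wins).
# 'static-port' keeps the client's source ports unchanged; pf requires
# 'proto tcp' or 'proto udp' whenever a rule matches on 'port'.
pass out quick on $ext_if inet proto { tcp udp } \
    from $game_client to any port $game_ports \
    nat-to ($ext_if) static-port

# Everything else, including the client's non-game traffic, gets
# ordinary NAT with randomized source ports.
pass out on $ext_if inet from $int_if:network to any nat-to ($ext_if)
pass out on $ext_if inet from $game_client to any nat-to ($ext_if)

# Syntax-check before loading:  pfctl -nf /etc/pf.conf
```

Only the game's port range keeps its source ports; the client's remaining traffic and the rest of the LAN still pass through ordinary randomized NAT.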

