Hello PF List,
 
I'm hoping someone can help me out with my configuration issue.  I
need to implement a site-to-site VPN for access to a remote lab.  The
VPN will be implemented with PIXes on either end implementing a
site-to-site tunnel.  So far so good.  The problem is that there is
overlap in the private RFC1918 addresses used in both sites.  Let's call them
SiteA and SiteB.  Networks in the 192.168.0.0/16 range are used in
both locations.  Re-addressing on either end is not an option.  Also,
to make matters a little simpler, I only need to connect from
SiteA->SiteB (i.e. connections will never be initiated from
SiteB->SiteA, but of course sessions initiated from SiteA will have
return traffic...).
 
SiteA (my site) is using an OpenBSD PF firewall with multiple
interfaces (internal, external, DMZ).  The DMZ uses a non-conflicting
address (not in the 192.168.0.0/16 range), but the internal hosts use
the 192.168.0.0/16 network.
 
One Option I can see is to place a "gateway" machine in the DMZ that
people will SSH into in order to access SiteB hosts.  The PF firewall
will NAT traffic from the internal network to the gateway, and then
the gateway's route table will funnel all the 192.168.0.0/16 traffic
to the PIX, where it will be tunneled over to the remote site.  I
think this will work fine, but it has the slight disadvantage of
requiring people to log into this "gateway" box, as opposed to having
them connect directly from the internal network.

Another concept I came up with would be to use a second PF box in the
path.  A setup like this (at SiteA):
 
(outside) -- [PIX] -(A)- [gateway] -(B)- [firewall] -(C)- [int_user]
 
Network addresses are:
(C) 192.168.0.0/16   [SiteA internal net]
(B) 172.16.1.0/24    [SiteA DMZ]
(A) 172.16.2.0/24    [gateway->PIX private net]
 
Addresses would be:
int_user: 192.168.1.100
firewall(C net): 192.168.1.1
firewall(B net): 172.16.1.1
gateway(B net):  172.16.1.2
gateway(A net):  172.16.2.2
pix(A net):      172.16.2.1
 
For this scenario, internal users would have to be told:
 
"When connecting to a machine in the remote lab at address
192.168.x.x, use address 10.168.x.x instead"
 
The firewall would be set up to NAT connections from (C) with
destinations set to 10.168.0.0/16 onto the (B) network (via static
route to the gateway).  The gateway would be configured to "redirect"
connections to 10.168.0.0/16 to 192.168.0.0/16 on the (A) network
(via static route to the PIX).  
 
An example packet, that "int_user" wanted to send to remote lab host
192.168.1.50 would look like:
 
(C) 192.168.1.100 -> 10.168.1.50
(B) 172.16.1.1 -> 10.168.1.50 (src port changed via NAT on firewall)
(A) 172.16.1.1 -> 192.168.1.50 (dest addr changed via RDR on gateway)
 
This seems like it should work.  The gateway and PIX don't have any
local connection to the SiteA 192.168.0.0/16 networks, so they push
all traffic addressed to those nets through the VPN tunnel.  
 
A few questions:
 
To implement this, I'd like a command to "rdr" an entire network, as
opposed to a single host (to run on gateway).  Something like:
rdr on $Bnet inet proto tcp from any to 10.168.0.0/16 -> 192.168.0.0/16
But ... PF doesn't seem to like this (syntax error).  Is there any way
to do this?  If not, I suppose I could generate a long list of
individual RDR commands for each remote host at SiteB ... but that's
not quite as clean.
 
If PF can't do it, does anyone know of other PF-like software (linux,
???) that would support a feature like this?
 
Also, is there any way anyone can see to do this with only one PF box?

It seems impossible to me, because fundamentally that one PF box would
need to know about both 192.168.0.0/16 networks.  The second PF box
seems necessary so that each PF box only sees one of the two
192.168.0.0/16 nets (either SiteA or SiteB).
 
Another question is whether anyone else can see a better way to solve
this problem...
 
Thanks in advance,
Steve
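An added example, not part of Steve's post: the whole-network "rdr" he is asking for is expressed in PF with the `bitmask` pool option, which keeps the host bits of the original destination and swaps in the network bits of the redirection address (pf.conf(5), "Translation" / pool options). The fragment below is a hypothetical /etc/pf.conf for the "gateway" box in the two-PF-box layout, written in the same pre-4.7 nat/rdr syntax the post uses; interface names and the pass-rule policy are assumptions, the addresses are the ones from the post.

```pf
# Hypothetical pf.conf for "gateway" in the layout
#   [PIX] -(A)- [gateway] -(B)- [firewall] -(C)- [int_user]
# Interface names are assumed; addresses are taken from the post.
Bnet = "fxp0"            # 172.16.1.2, faces the firewall (SiteA DMZ)
Anet = "fxp1"            # 172.16.2.2, faces the PIX
dmz_net    = "172.16.1.0/24"
alias_net  = "10.168.0.0/16"    # what SiteA users are told to connect to
remote_net = "192.168.0.0/16"   # real SiteB addresses behind the PIX

# Network-to-network redirect: "bitmask" keeps the host part of the
# original destination and replaces only the network part, so
# 10.168.1.50 becomes 192.168.1.50, 10.168.7.9 becomes 192.168.7.9, etc.
# No per-host rdr list is needed.
rdr on $Bnet inet from $dmz_net to $alias_net -> $remote_net bitmask

# Only traffic initiated from SiteA is required; keep state so the
# return packets from SiteB are matched and un-translated automatically.
pass in  on $Bnet inet from $dmz_net to $remote_net keep state
pass out on $Anet inet from $dmz_net to $remote_net keep state
block in on $Anet inet from $remote_net to any   # nothing initiated from SiteB

# Routing that the rdr relies on (gateway must not have a local
# 192.168.0.0/16 interface, exactly as the post says):
#   route add -net 192.168.0.0/16 172.16.2.1    # everything to SiteB -> PIX
# and on the firewall (C/B box), in addition to its nat rule
#   nat on $Bnet inet from 192.168.0.0/16 to 10.168.0.0/16 -> 172.16.1.1
#   route add -net 10.168.0.0/16 172.16.1.2     # alias net -> gateway
#
# Checks before loading:
#   pfctl -nf /etc/pf.conf       # syntax check only
#   pfctl -s nat                 # confirm the rdr rule shows "bitmask"
#   pfctl -s state               # after a test connection, the state entry
#                                # should show 10.168.x.y -> 192.168.x.y
```

Note that the rdr rule matches on the destination address before any routing decision on the gateway, so the 192.168.0.0/16 destination only exists on the gateway after translation, where the only route for it is the one to the PIX. The firewall side still needs its own nat rule (or at least a route for 10.168.0.0/16 pointing at the gateway) so that the translated packets come back through the same box that holds the state.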
