On Aug 30, 8:09 pm, [EMAIL PROTECTED] (Karl O. Pinc) wrote:
> On 08/29/2008 11:11:51 AM, [EMAIL PROTECTED] wrote:
>
>
>
> > On Aug 29, 3:10 pm, [EMAIL PROTECTED] (Karl O. Pinc) wrote:
> > > On 08/28/2008 08:13:50 AM, [EMAIL PROTECTED] wrote:
>
> > > > On Aug 28, 12:45 am, [EMAIL PROTECTED] wrote:
> > > > > #       $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
> > > > > #Map internal addresses to external
> > > > > binat on $tun_if proto {tcp, udp, icmp} from $intaddr_irishcoffe to any -> $tunaddr_irishcoffe
> > > > > binat on $tun_if proto {tcp, udp, icmp} from $intaddr_bloodymary to any -> $tunaddr_bloodymary
> > > > > binat on $tun_if proto {tcp, udp, icmp} from $intaddr_longislandicetea to any -> $tunaddr_longislandicetea
>
> > > > > #Traffic on addresses not mapped with BINAT should be NATed via vr0 (ie. not be pushed via the tunnel but rather pushed directly on the DSL line)
> > > > > #The below does not work though
> > > > > nat on $ext_if from $int_if:network to any -> { $ext_if }
>
> > > > > #Enabling the below makes it possible to access the Internet via $ext_if from 10.0.0.10 but only 10.0.0.10.
> > > > > #This is what I want with NAT above but for the whole 10.0.0.0/24 net (except BINATed addresses).
> > > > > #binat on $tun_if proto {tcp, udp, icmp} from 10.0.0.10 to any -> $ext_if:0
>
> > > > > nat-anchor "ftp-proxy/*"
> > > > > rdr-anchor "ftp-proxy/*"
> > > > > rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> > > > If I made the NAT rule look like this it worked:
>
> > > > nat on $tun_if from $int_if:network to any -> $ext_if
>
> > > > Now the question is why....
>
> > > It's because your binat rule has already translated the datagrams
> > > IP addresses before your nat rule sees the datagrams, so as
> > > originally written the nat rule does not match.
>
> > > FYI, binat rules are done before nat rules regardless of the
> > > order in which they appear in pf.conf.
>
> > > Karl <[EMAIL PROTECTED]>
> > > Free Software:  "You don't pay back, you pay forward."
> > >                   -- Robert A. Heinlein
>
> > Thank you very much for the reply
> > But... The BINAT rule is between $int_if and $tun_if
> > And the NAT rule is between $int_if and $ext_if
>
> > I cannot see how the BINAT rule could translate anything which makes
> > this not work.
>
> You're right about what IPs should be affected by what rule,
> I was not reading closely enough.  My mistake.  Sorry.
>
>
>
> > BINAT only handles 3 ip addresses in the 10.0.0.0/24 net.
> > Then the rest of the addresses is not affected I thought?
> > Wouldn't the NAT rule handle the rest of them then?
> > and push it over to the $ext_if interface?
>
> The NAT rules don't do any "pushing" through interfaces,
> that's what the routing tables do.
>
> Clearly something's sending your traffic through the
> tunnel, or the binat rule you added wouldn't have
> had any effect.
>
> I have some suggestions.
>
> Get the firewall working without the tunnels, then add
> the tunnels.  I suspect something in OpenVPN is
> messing with the way your traffic is routed in a way
> you don't expect.
>
> Begin with a "block all".  "block in", "pass out" works
> when you've only 2 interfaces, but does not scale well
> to multiple interfaces.  Better to retain finer control
> and be sure you know where all traffic is going and why.
> You may even want "set state-policy if-bound" to be sure
> you know what's going on, then relax the policy (and possibly
> remove rules and/or tags/policy based filters) if performance
> is an issue.
>
> Karl <[EMAIL PROTECTED]>
> Free Software:  "You don't pay back, you pay forward."
>                   -- Robert A. Heinlein

Getting the firewall working without the tunnel hasn't been a problem when I had just one NAT rule and two interfaces. It worked very well.

Maybe if you could look at my routing table? Here is how my routing table looks atm.

Thanks for all help
/Jens

$ route -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Interface
default            88.80.3.1          UGS        7 15789646     -  tun0
default            85.228.192.1       UGS        0      465     -  vr0
10.0.0/24          link#2             UC         5        0     -  fxp0
10.0.0.1           00:50:8b:e3:5c:32  UHLc       0    21200     -  lo0
10.0.0.8           00:1c:b3:7c:4f:30  UHLc       3  6108056     -  fxp0
10.0.0.11          00:09:34:20:de:1c  UHLc       1     9057     -  fxp0
10.0.0.132         00:1f:f3:f4:b8:58  UHLc       0        6     -  fxp0
10.0.0.255         link#2             UHLc       1      539     -  fxp0
85.228.192/19      link#1             UC         2        0     -  vr0
85.228.192.1       00:04:de:18:38:00  UHLc       3       98     -  vr0
85.228.222.145     127.0.0.1          UGHS       0        0 33208  lo0
85.228.223.255     link#1             UHLc       1      539     -  vr0
88.80.3.0/26       link#10            UC         3        0     -  tun0
88.80.3.1          00:ff:3e:4a:dc:27  UHLc       2        0     -  tun0
88.80.3.55         00:bd:b4:e5:12:01  UHLc       0       16     -  lo0
88.80.3.63         link#10            UHLc       4     2156     -  tun0
88.80.6.32/32      85.228.192.1       UGS        1 19489957     -  vr0
127/8              127.0.0.1          UGRS       0        0 33208  lo0
127.0.0.1          127.0.0.1          UH         8     5923 33208  lo0
128/1              88.80.3.1          UGS        1  3689289     -  tun0
224/4              127.0.0.1          URS        0        0 33208  lo0
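The following is an added example, not code from the thread or from the pf or OpenVPN projects. It takes Karl's point that the routing table, not the NAT rules, decides which interface a packet leaves on, and makes it checkable: it parses the `route -n show` table Jens posted (copied inline, constructed from the post) and performs the same longest-prefix lookup the kernel does. It assumes ordinary forwarding semantics and only the Internet section of the table; the two `default` entries are reported together because the listing alone does not show which one the kernel prefers, while anything under 128/1 is reported as tun0 because that prefix is longer than either default.

```python
"""Longest-prefix route lookup over an OpenBSD `route -n show` listing.

Added example: shows which interface a destination leaves on according to
the routing table, which is what decides between $ext_if (vr0) and the
tunnel (tun0) before any nat/binat rule is evaluated.
"""
import ipaddress

# Constructed from the table posted in the thread (Internet section only),
# laid out in the seven columns route(8) prints.
ROUTE_OUTPUT = """\
Destination        Gateway            Flags   Refs      Use   Mtu  Interface
default            88.80.3.1          UGS        7 15789646     -  tun0
default            85.228.192.1       UGS        0      465     -  vr0
10.0.0/24          link#2             UC         5        0     -  fxp0
10.0.0.1           00:50:8b:e3:5c:32  UHLc       0    21200     -  lo0
10.0.0.8           00:1c:b3:7c:4f:30  UHLc       3  6108056     -  fxp0
10.0.0.11          00:09:34:20:de:1c  UHLc       1     9057     -  fxp0
10.0.0.132         00:1f:f3:f4:b8:58  UHLc       0        6     -  fxp0
10.0.0.255         link#2             UHLc       1      539     -  fxp0
85.228.192/19      link#1             UC         2        0     -  vr0
85.228.192.1       00:04:de:18:38:00  UHLc       3       98     -  vr0
85.228.222.145     127.0.0.1          UGHS       0        0 33208  lo0
85.228.223.255     link#1             UHLc       1      539     -  vr0
88.80.3.0/26       link#10            UC         3        0     -  tun0
88.80.3.1          00:ff:3e:4a:dc:27  UHLc       2        0     -  tun0
88.80.3.55         00:bd:b4:e5:12:01  UHLc       0       16     -  lo0
88.80.3.63         link#10            UHLc       4     2156     -  tun0
88.80.6.32/32      85.228.192.1       UGS        1 19489957     -  vr0
127/8              127.0.0.1          UGRS       0        0 33208  lo0
127.0.0.1          127.0.0.1          UH         8     5923 33208  lo0
128/1              88.80.3.1          UGS        1  3689289     -  tun0
224/4              127.0.0.1          URS        0        0 33208  lo0
"""


def expand_prefix(dest):
    """Turn route(8)'s abbreviated destination into an ip_network.

    'default' -> 0.0.0.0/0, '10.0.0/24' -> 10.0.0.0/24, '128/1' -> 128.0.0.0/1,
    and a bare address such as '10.0.0.8' is a host route (/32).
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # pad the trailing octets route(8) drops
    return ipaddress.ip_network("%s/%s" % (".".join(octets), plen or "32"), strict=False)


def parse_routes(text):
    """Parse the seven-column listing into route dicts, skipping header lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[0] == "Destination":
            continue
        dest, gateway, flags, _refs, _use, _mtu, iface = parts
        routes.append({"net": expand_prefix(dest), "gateway": gateway,
                       "flags": flags, "iface": iface})
    return routes


def lookup(routes, dst):
    """Longest-prefix match: every route whose prefix is the longest containing dst.

    More than one result means equal-length candidates (here the two 'default'
    entries); this listing alone does not say which the kernel will pick.
    """
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return []
    longest = max(r["net"].prefixlen for r in matches)
    return [r for r in matches if r["net"].prefixlen == longest]


def egress_interfaces(routes, dst):
    """Sorted interface names a packet to dst may leave on, per the table."""
    return sorted({r["iface"] for r in lookup(routes, dst)})


ROUTES = parse_routes(ROUTE_OUTPUT)

if __name__ == "__main__":
    # 198.51.100.5 and 10.1.2.3 are constructed sample destinations.
    # Anything in 128.0.0.0/1 hits the 128/1 route via tun0 before either
    # default is considered, so it enters the tunnel whatever the nat rule
    # on $ext_if says; the lower half of the address space depends on which
    # of the two default routes the kernel actually uses.
    for dst in ("10.0.0.8", "85.228.200.7", "88.80.6.32", "198.51.100.5", "10.1.2.3"):
        print(dst, "->", ", ".join(egress_interfaces(ROUTES, dst)))
```

Run it as-is to print the egress interface for each sample destination, or call `egress_interfaces(ROUTES, "<address>")` for any other host; the lookup ignores the Flags column, so reject routes such as 127/8 are reported like any other entry.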
