On 3/28/23 17:27, Stuart Henderson wrote:
On 2023-03-28, Kaya Saman wrote:
Anyway, what I am trying to figure out is how to NAT the rdomain's?
At the moment from what I understand one has to put "rtable (n)" at the
end of the NAT rule...
That is for _changing_ rtable; if the interfaces involved (the $vpn_net1
interface and $gnet_if) have been configured with "rdomain 2" then the
route lookups will automatically use rtable 2 and you don't need to
reset it in pf.
The rule in use is this one:
match out on $gnet_if from $vpn_net1 nat-to {$wan_gnet} rtable 2
If $vpn_net1 is the network associated with the g-networks connection
then that, without the 'rtable 2', should probably do it, as long as
those packets have not already been natted to a different address
before they hit that rule.
For debug you might like "match log(matches)" at the top of the ruleset
and watch "tcpdump -neipflog0" to show which rules are actually matching
(you get multiple lines of output per new connection as the ruleset
is traversed; the rule numbers shown in the output can be looked up
with pfctl -sr -R ##).
It is definitely possible to do what you want with OpenBSD/PF, it's
"just" a question of figuring out how ;)
Sorry for the noise just updating everyone here... I have
communication finally!! icmp echo requests are being responded to by the
8.8.8.8 address. Really super happy about this :-D
It's basically a case of a few things that I screwed up duh :-S
PF rules are these:
match on $gnet_if scrub (max-mss 1440)
pass out quick on $gnet_if from $wan_gnet
pass in quick on vlan_if from subnet to !
match out on $gnet_if from subnet to ! nat-to {$wan_gnet}
pass out on $gnet_if from subnet to any nat-to {$wan_gnet} modulate state
pass out on $gnet_if
(do I need to scrub with a max-mss? isn't that for *DSL connections?)
In the meantime I moved the interface across from a vlan over to em2
which was part of a 4 port trunk (lagg) interface provisioned with LACP.
Also I was using a broadcast address in the hostname file which was
incorrect! I was shown a sample recently where the bcast was set to NONE
but because I was given the bcast address my understanding was to use
it, well turned out to be a misunderstanding ;-)
hostname.em2 looks like this now:
inet public_ip 255.255.255.240 NONE description "G-NET"
dest 0.0.0.1
!/sbin/route -T2 add public_subnet/28 public_subnet_gateway
!/sbin/route -T2 add default public_subnet_gateway
Now I just need to figure out how to communicate with the traffic on the
default rdomain then I can start looking further ahead.
Been up all night working on this plus a radius issue, got a bad
headache now... yup I stressed a lot and panicked so now am gona go get
some rest.
Thanks to everyone for your help - you all get a big virtual hug :-) :-)
hopefully there won't be anything more now that I'm gona need - cross
fingers ;-)
Kaya
