Re: [PF] IPSEC and PF/RDR rule
Hi, I have a problem in the same area. My OpenBSD router with an external IP is redirecting traffic on port 80:

# router (pf.conf)
rdr pass on ! lo inet proto tcp from any to (self) port = www -> 172.16.0.53

but 172.16.0.53 is connected to the router with ipsec(4):

# router (ipsec.conf)
ike passive esp tunnel \
        from { \
                172.16.0.0/16 \
                192.168.1.0/24 \
                192.168.2.0/24 \
                192.168.3.0/24 \
        } to any \
        srcid my-openbsd-router.home.lan

# 172.16.0.53 (ipsec.conf)
ike dynamic esp tunnel \
        from egress to 192.168.2.0/24 \
        peer my-openbsd-router-external-ip dstid my-openbsd-router.home.lan
ike dynamic esp tunnel \
        from egress to 192.168.3.0/24 \
        peer my-openbsd-router-external-ip dstid my-openbsd-router.home.lan

When I'm in the 192.168.2.0/24 network and my laptop has no IPsec configured, I can still reach the external IP of my router and the traffic is redirected to the 172.16.0.53 web server, but when I'm connecting from the outside world I cannot reach the web server. From my configuration files I can see that this shouldn't work, but I don't know how to alter my configuration to make it work. Could someone shed some light on this for me please? Thanks.

# router
OpenBSD 4.4-current (GENERIC) #1050: Wed Sep 10 12:18:05 MDT 2008
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

# web server
OpenBSD 4.4-current (GENERIC) #1643: Tue Dec 30 13:50:47 MST 2008
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC

-- 
best regards
q#
[PF] IPSEC and PF/RDR rule
Hello, I wish you a happy new year.

I have some trouble with my new OpenBSD router. I installed the latest version, 4.4. I compiled the kernel with the RAIDframe options. This router is running the following services:

- OSPF
- PF
- CARP
- IPSEC/ISAKMPD/SASYNCD

I have trouble with the IPSEC and PF services (rdr rules particularly).

I have a VPN between two peers: A.B.C.D and E.F.G.H. The peer A.B.C.D is running OpenBSD 4.4 and E.F.G.H is running FreeBSD 6.3. Behind these two peers, I have many networks. So, I use the IPENCAP protocol to connect them.

From the host x.x.x.x behind E.F.G.H, I would like to connect to the host y.y.y.y behind A.B.C.D. This is working well. But when I try to redirect traffic from x.x.x.x to y.y.y.y toward z.z.z.z with a PF rdr rule, this doesn't work.

Following is the pf rule used on the peer A.B.C.D:

rdr from any to y.y.y.y -> z.z.z.z

I also tried these rules:

rdr on enc0 from any to y.y.y.y -> z.z.z.z
rdr on nfe0 from any to y.y.y.y -> z.z.z.z

(where nfe0 is a private interface used to route the traffic), with the same result. The traffic is not redirected. I can see on nfe0 the traffic from x.x.x.x to y.y.y.y instead of traffic from x.x.x.x to z.z.z.z. With pfctl -s state, I can see a state like this:

nfe0 icmp x.x.x.x:31262 -> y.y.y.y:31262 0:0

Before using this configuration on OpenBSD 4.4, I used it on FreeBSD 6.3. Everything was OK. I'm searching for documentation on the web, without success for the moment. Maybe someone can help me here.

Thank you.
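Both posts in this thread end up reading pfctl -s state output by eye to decide whether the rdr rule fired. The following is an added example, written for this page and not code from either poster, that does that classification over constructed sample state lines. It assumes the pf state-listing convention in which a translated (nat/rdr) address is printed followed by the original, pre-translation address in parentheses, so a state with no parentheses, like the icmp line the original post quotes, is one pf never rewrote; the x.x.x.x / y.y.y.y / z.z.z.z addresses are the posters' own placeholders, and the helper names are my own.

```shell
#!/bin/sh
# Added example (not from either poster): sort `pfctl -s state` lines by
# whether pf applied an address translation to them.
#
# Assumed format (pf state listing): a translated address is followed by the
# pre-translation address in parentheses, e.g.
#   enc0 tcp z.z.z.z:80 (y.y.y.y:80) <- x.x.x.x:4410 ESTABLISHED:ESTABLISHED
# while an untranslated state carries no parentheses at all, e.g.
#   nfe0 icmp x.x.x.x:31262 -> y.y.y.y:31262 0:0
# "->" means the right-hand address is the destination, "<-" the left-hand one.

# Constructed sample: one rdr'd state and three states pf left untouched.
SAMPLE_STATES='nfe0 icmp x.x.x.x:31262 -> y.y.y.y:31262 0:0
enc0 tcp z.z.z.z:80 (y.y.y.y:80) <- x.x.x.x:4410 ESTABLISHED:ESTABLISHED
enc0 tcp x.x.x.x:4411 -> y.y.y.y:22 ESTABLISHED:ESTABLISHED
nfe0 tcp y.y.y.y:80 <- x.x.x.x:4412 ESTABLISHED:ESTABLISHED'

# Print "translated" or "untranslated" for a single state line.
classify_state() {
    case "$1" in
        *'('*')'*) echo translated ;;
        *)         echo untranslated ;;
    esac
}

# Exit 0 if at least one state line on stdin shows that traffic originally
# addressed to $1 was rewritten (i.e. $1 appears as the parenthesised address).
rdr_applied_to() {
    grep -qF "($1:"
}

# Print how many state lines on stdin have $1 as destination with no
# translation applied, handling both the "->" and the "<-" layouts.
untranslated_to() {
    awk -v a="$1" '
        index($0, "(") { next }          # translated states carry parentheses
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "->" && index($(i+1), a ":") == 1) { n++; break }
                if ($i == "<-" && index($(i-1), a ":") == 1) { n++; break }
            }
        }
        END { print n + 0 }'
}

# Stand-alone run over the constructed sample.
report() {
    printf '%s\n' "$SAMPLE_STATES" | while IFS= read -r line; do
        printf '%-12s %s\n' "$(classify_state "$line")" "$line"
    done
    printf 'untranslated states to y.y.y.y: %s\n' \
        "$(printf '%s\n' "$SAMPLE_STATES" | untranslated_to y.y.y.y)"
    if printf '%s\n' "$SAMPLE_STATES" | rdr_applied_to y.y.y.y; then
        echo "rdr did rewrite at least one state for y.y.y.y"
    else
        echo "no state shows rdr rewriting y.y.y.y"
    fi
}

report
```

On the router itself the same functions take live input, e.g. `pfctl -s state | untranslated_to y.y.y.y`; a non-zero count next to a zero from `rdr_applied_to` is the pattern the original post describes, and tells you the rdr rule is not matching at all rather than matching and failing on the return path.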