On Thu, Feb 24, 2022 at 02:14:55PM +, Laura Smith wrote:
> Thanks David for your comprehensive reply. It looks like perhaps the match
> trick is the cleanest way.
BTW, IMO the description and example in the man page of pf.conf is more
clear than the FAQ.
-Otto
>
>
> ---
On Wed, Feb 23, 2022 at 04:55:05PM +, Laura Smith wrote:
> I've never had occasion to use bi-nat before and I'm struggling a little to
> wrap my head around the concept.
>
> The OpenBSD FAQ (https://www.openbsd.org/faq/pf/nat.html) gives the following
> example:
>
> "pass on tl0 from
> On 07.02.2019, at 14:21, Stuart Henderson wrote:
>
> On 2019-02-06, Patrick wrote:
>> My nat rule uses the parenthesis and all other devices behind the
>> firewall work fine. I think it's more a specific issue with the SPA112.
>> I have also set the ruleset optimization to conservative but
On 2019-02-06, Patrick wrote:
> My nat rule uses the parenthesis and all other devices behind the
> firewall work fine. I think it's more a specific issue with the SPA112.
> I have also set the ruleset optimization to conservative but in this
> case the generated state has just a longer time to
> On 06.02.2019, at 11:15, Sebastian Reitenbach
> wrote:
>
> Am Mittwoch, Februar 06, 2019 10:57 CET, jum...@yahoo.de schrieb:
>
>> Hello,
>> I have a Cisco SPA112 VoIP to connect my analog phone to my provider SIP
>> system. Recently I replaced my Linux based (Fritzbox) with an OpenBSD 6.4
I think you need to show your pf rules.
Did you make your firewall aware that your ISP is changing address ?
Am Mittwoch, Februar 06, 2019 10:57 CET, jum...@yahoo.de schrieb:
> Hello,
> I have a Cisco SPA112 VoIP to connect my analog phone to my provider SIP
> system. Recently I replaced my Linux based (Fritzbox) with an OpenBSD 6.4
> firewall. The firewall is connected to a vDSL modem and performs NAT
Hello,
I have a Cisco SPA112 VoIP to connect my analog phone to my provider SIP
system. Recently I replaced my Linux based (Fritzbox) with an OpenBSD 6.4
firewall. The firewall is connected to a vDSL modem and performs NAT for
outgoing IPv4 connection. The connection to the SIP server from the
* Giancarlo Razzolini grazzol...@gmail.com [2014-03-24 15:46]:
First of all, I hardly see why you want or need to use if-bound, since
it most likely hurts pf performance.
it doesn't.
however, if-bound is stupid except in very few cases, i.e. on encX.
Secondly, the proper way of doing nat, is
Em 17-04-2014 15:08, Henning Brauer escreveu:
* Giancarlo Razzolini grazzol...@gmail.com [2014-03-24 15:46]:
First of all, I hardly see why you want or need to use if-bound, since
it most likely hurts pf performance.
it doesn't.
however, if-bound is stupid except in very few cases, i.e. on
Em 24-03-2014 19:28, Alexander Hall escreveu:
On 03/24/14 15:44, Giancarlo Razzolini wrote:
Secondly, the proper way of doing nat, is using match rules, not pass.
Why would you say that? 'pass ... nat-to ...' makes perfect sense to
me. Using match was an easy transition from the old nat
Em 18-03-2014 15:19, Friedrich Locke escreveu:
Hi folks,
I am studying pf and a doubt arose!
Since my state policy is if-bound (set state-policy if-bound) I need two
rules for each traffic I want to pass. Is that understanding right?
For instance, for nat I could:
pass out on tl0 from
On 03/24/14 15:44, Giancarlo Razzolini wrote:
Secondly, the proper way of doing nat, is using match rules, not pass.
Why would you say that? 'pass ... nat-to ...' makes perfect sense to me.
Using match was an easy transition from the old nat rules, but being
*the* proper way, no way.
Secondly, the proper way of doing nat, is using match rules, not pass.
Why would you say that? 'pass ... nat-to ...' makes perfect sense to me.
Using match was an easy transition from the old nat rules, but being
*the* proper way, no way.
I also believe that one-way-ism is disease. I
Hello,
you are right, you need the both rules.
--
Best regards,
Loïc BLOT,
UNIX systems, security and network engineer
http://www.unix-experience.fr
Le mardi 18 mars 2014 à 15:19 -0300, Friedrich Locke a écrit :
Hi folks,
I am studying pf and a doubt arose!
Since my state policy if
Hi folks,
I am studying pf and a doubt arose!
Since my state policy is if-bound (set state-policy if-bound) I need two
rules for each traffic I want to pass. Is that understanding right?
For instance, for nat I could:
pass out on tl0 from dc0:network to any nat-to tl0
pass in on dc0 from
on lo
block in log
pass out
pass in quick on tun0 from 10.8.0.0/24 to any nat-to 37.x.x.x
This allows outgoing traffic and incoming traffic from tun0 (+nat).
Because PF is stateful, you don't have to allow return traffic from tun0
NATed clients.
If you want to allow some more incoming traffic, add new
I am having trouble trying to route tun0 to em0 via nat. Maybe I've
misread the nat section / examples in pf.conf man page
The iptables way to do this was,
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT
--to-source 37.x.x.x
I can access and ping both sides while connected to
haven't, but it looks like a neat solution.
In my case, the opposite end of the link is using a Juniper NetScreen,
and my firewall is OpenBSD 4.3.
I mostly followed the guide here:
http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html, which
works generally but is wrong in a few particulars
It would appear not as I tried to sign up to the openbsd-pf list today
and it failed. Just as pf is doing, failing. And now I am failing by
talking to myself :-)
2008/10/18 gm_sjo [EMAIL PROTECTED]:
Is there a more suitable mailing list for this kind of query?
Thanks
Is there a more suitable mailing list for this kind of query?
Thanks
2008/10/16 gm_sjo [EMAIL PROTECTED]:
Forgot to mention, i'm running 4.3 release.
2008/10/16 gm_sjo [EMAIL PROTECTED]:
Hi all,
I have a very basic pf NAT setup for testing on my new firewall. The
firewall has two PPPoE
Hi all,
I have a very basic pf NAT setup for testing on my new firewall. The
firewall has two PPPoE connections which are using multipath default
routes to load balance. Load balancing works for non-NAT traffic, but
NAT traffic is only going out via one link, not both.
I am wondering what
Forgot to mention, i'm running 4.3 release.
2008/10/16 gm_sjo [EMAIL PROTECTED]:
Hi all,
I have a very basic pf NAT setup for testing on my new firewall. The
firewall has two PPPoE connections which are using multipath default
routes to load balance. Load balancing works for non-NAT traffic
Well, I've got it. It turns out it's kind of easy, although not
as pretty as it could be.
Basically, you use relayd. The one caveat is that this means that
from the OpenBSD box, you need to be able to talk to the remote,
private IPs without binding to a particular address.
In relayd.conf, you
On Fri, Aug 15, 2008 at 01:24:59PM +0900, william dunand wrote:
Hi,
I tried to reproduce what you want in my testing environment and
managed to make it work.
What you have to do is :
- In your ipsec.conf, add an rule from your local network to the
distant 172.25.0.1 (this rule is needed
Of course, as it is a testing environment it is a lot easier to make
it work for me...
On the remote side, a configured something like this (I suppose they
have something of this kind on the other side) :
ike passive esp from 172.25.0.1 to A.B.C.D
And on the local server side, all I have is :
ike
On Fri, Aug 15, 2008 at 05:09:08PM +0900, william dunand wrote:
Of course, as it is a testing environment it is a lot easier to make
it work for me...
On the remote side, a configured something like this (I suppose they
have something of this kind on the other side) :
ike passive esp from
Toby,
Actually, I was initially using my local subnet address rather than
any, but I realized that if did so, this address could be seen on
the remote vpn server by looking at the flows table.
After setting the from any rule, I realized that, yes it was more or
less working as expected, but it
I have the following configuration:
LAN_B--[openBSD+Pf+Nat+VPN]---(internet)---[OpenBSD+Pf+NAT+VPN]---[openBSD+Squid]---LAN_A
http://bsdsupport.org/ , setting up Ipsec over GRE on OpenBSD
I can ping a host from LAN_A to a host on LAN_B
I hope this can Help !
Original
a Loopback interface on one of your BSD and try to NAT on this
'lo' interface ... from that nat, adjust your pf to block all from lan A
to lab B except from NAT ...and well, I think it should work !
any other suggestion to try or any ''already working here' ' notes that
someone can post
?!?!?!?
May I can suggest you to try something... : ( that what I will try anyway
somewhere next week or so... )
Create a Loopback interface on one of your BSD and try to NAT on this 'lo'
interface ... from that nat, adjust your pf to block all from lan A to lab B
except from NAT ...and well, I
is then sent over the VPN connection. Unfortunately
it looks like PF only applies NAT transforms when packets leave
interfaces, not when they enter them, so packets come into the
OpenBSD box with their private IPs, get routed out the interface
associated with the default route, and only then get rewritten
Hi all,
I was looking for any idea how to tune OBSD with PF, rdr nat.
I use rdr round-robin of port 80 to backend webservers using private
address space. When packets go back to clients watching webpage PF
makes nat on them.
Anyway, if I check it with ~100Mbps of traffic everything
you are
running, and the webserver itself which is out of scope for OpenBSD
problems :)
Have a great day,
Pierre
Sylwester S. Biernacki wrote:
Hi all,
I was looking for any idea how to tune OBSD with PF, rdr nat.
I use rdr round-robin of port 80 to backend webservers using private
address
On Wed, 28 Jun 2006, Stephen Bosch wrote:
Hi, Roy:
Roy Morris wrote:
Yes it does work! I guess I better hold on to these two boxes I have. Seems
they are the only ones that do! lol
I have
A. clients on each end behind a vpn/pf box
B. enc0 binat from internal client to public IP of other
Hi, Roy:
Roy Morris wrote:
Yes it does work! I guess I better hold on to these two
boxes I have. Seems
they are the only ones that do! lol
I have
A. clients on each end behind a vpn/pf box
B. enc0 binat from internal client to public IP of other side client
C.
Imagine the following scenario:
You have two VPN endpoints. One is an OpenBSD system running isakmpd and
pf, the other is a VPN concentrator from some vendor.
The OpenBSD already has other VPNs set up, all using the same internal
network. Renumbering isn't going to work.
The VPN
Stephen Bosch wrote:
Imagine the following scenario:
You have two VPN endpoints. One is an OpenBSD system running isakmpd and
pf, the other is a VPN concentrator from some vendor.
The OpenBSD already has other VPNs set up, all using the same internal
network. Renumbering isn't going to
Dag Richards wrote:
Stephen Bosch wrote:
Imagine the following scenario:
You have two VPN endpoints. One is an OpenBSD system running isakmpd
and pf, the other is a VPN concentrator from some vendor.
The OpenBSD already has other VPNs set up, all using the same internal
network.
Stephen Bosch wrote:
Dag Richards wrote:
Stephen Bosch wrote:
Imagine the following scenario:
You have two VPN endpoints. One is an OpenBSD system running isakmpd
and pf, the other is a VPN concentrator from some vendor.
The OpenBSD already has other VPNs set up, all using the same
Stephen Bosch wrote:
Dag Richards wrote:
Stephen Bosch wrote:
Imagine the following scenario:
You have two VPN endpoints. One is an OpenBSD system
running isakmpd
and pf, the other is a VPN concentrator from some vendor.
The OpenBSD already has other VPNs set up, all using the
Roy Morris wrote:
Stephen Bosch wrote:
Dag Richards wrote:
Stephen Bosch wrote:
Imagine the following scenario:
You have two VPN endpoints. One is an OpenBSD system
running isakmpd
and pf, the other is a VPN concentrator from some vendor.
The OpenBSD already has other VPNs set up, all
Roy Morris wrote:
Stephen Bosch wrote:
Dag Richards wrote:
Stephen Bosch wrote:
Imagine the following scenario:
You have two VPN endpoints. One is an OpenBSD system
running isakmpd
and pf, the other is a VPN concentrator from some vendor.
The OpenBSD already has other VPNs set up, all
Dag Richards wrote:
Um no, it won't work. Once the traffic is encrypted you will no longer be
able to nat it. The original packet is now an encrypted blob that is
the payload of a new packet with a source of your gateway and dest their
GW. you can nat the wrapper packet but not the payload.
Hi, Roy:
Roy Morris wrote:
Yes it does work! I guess I better hold on to these two boxes I have. Seems
they are the only ones that do! lol
I have
A. clients on each end behind a vpn/pf box
B. enc0 binat from internal client to public IP of other side client
C. /etc/hostname.if alias for the
Roy Morris wrote:
Stephen Bosch wrote:
Dag Richards wrote:
Um no, it won't work. Once the traffic is encrypted you will
no longer be
able to nat it. The original packet is now an encrypted
blob that is
the payload of a new packet with a source of your gateway and
dest their
GW. you can
Melameth, Daniel D. wrote:
Tor Houghton wrote:
I have two IP addresses assigned to the external interface. I also
have two internal interfaces. Is it possible to NAT each internal
interface to a specific external IP address (without specifying the
external address, but the interface
Hi,
I have two IP addresses assigned to the external interface. I also have two
internal interfaces. Is it possible to NAT each internal interface to a
specific external IP address (without specifying the external address, but
the interface description)?
I am using 3.8; and in my mind I thought
Tor Houghton wrote:
I have two IP addresses assigned to the external interface. I also
have two internal interfaces. Is it possible to NAT each internal
interface to a specific external IP address (without specifying the
external address, but the interface description)?
I am using 3.8; and
I had all of this working with PPPoE + PF, but now i have a T-1
with several IPs all aliased off of the main.
pf is working fine, however, I now have lost WAN NAT LOOPBACK.
What I need is a way to go from one LAN machine to the WAN and
loopback to the other LAN machine.
LAN-WAN-LAN
Since