Hello list,

what's a good strategy to pass decrypted VPN traffic from roadwarriors on my internal firewall (3.7) interface? The source IP addresses from the roadwarriors are either:

(1) a dynamic IP from an arbitrary ISP:
Here I could use authpf to dynamically adjust my rules
or
(2) an internal IP, as several home office users are behind a NAT-T capable router. Here I guess I am out of luck with authpf, as $user_ip would point to the NAT'ed official IP. I could assign the internal IPs and hardcode those into my ruleset as a workaround.

While trying to work this out, I came upon a different alternative: Would you consider it reasonably secure to tag VPN traffic on the enc0 interface, and use this tag to pass this traffic on the internal firewall interface? Bad idea?

Thanks!
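The tagging approach from the last paragraph, sketched as a pf.conf fragment. This is an added example and not the poster's or OpenBSD's own configuration; the interface names, address ranges and the tag name VPN are assumed placeholders, and the ruleset is written for the explicit "keep state" style of pf 3.7.

```conf
# Added example, not from the original post. All names below are assumptions.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.1.0/24"
# Private addresses handed out to the home-office hosts behind NAT-T routers;
# the dynamic-ISP roadwarriors cannot be enumerated, so they are not listed.
vpn_home = "{ 10.10.0.0/24, 10.10.1.0/24 }"

block log all

# IKE (500, and 4500 for NAT-T) and ESP on the outside: these carry the
# still-encrypted tunnels and are the only VPN traffic $ext_if ever sees.
pass in  on $ext_if proto udp from any to ($ext_if) port { 500, 4500 } keep state
pass in  on $ext_if proto esp from any to ($ext_if)
pass out on $ext_if proto udp from ($ext_if) to any port { 500, 4500 } keep state
pass out on $ext_if proto esp from ($ext_if) to any

# Packets only appear on enc0 after IPsec has decrypted and authenticated
# them, so a rule here sees the inner (cleartext) addresses. The tag marks
# "came out of a tunnel"; narrow the inner source where it is known.
pass in on enc0 from $vpn_home to $int_net tag VPN keep state
# Dynamic-IP clients: the inner source is unknown, so only the destination
# is restricted here; what may enter each SA is bound by the IPsec flows.
pass in on enc0 from any to $int_net tag VPN keep state

# The tag travels with the packet when it is forwarded, so the internal
# interface trusts the tag instead of a list of client IPs. Anything that
# did not come through enc0 carries no tag and hits "block log all".
pass out on $int_if tagged VPN keep state
```

What the tag proves is only that the packet left an IPsec SA on this host, not which user sent it; per-user restrictions still belong in the enc0 rules or in the IPsec flow definitions.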