On 2018-12-06, Thuban <thu...@yeuxdelibad.net> wrote:
> * Thuban <thu...@yeuxdelibad.net> on [02-12-2018 19:16:09 +0100]:
>> Hi,
>> I need help to write a correct rule in pf.conf.
>>
>> I want :
>>
>> A -----> B ------> web
>>
>> The appearing IP of A is the B's one on the web.
>>
>> I managed to configure iked on A and B using default pubkeys according
>> to Stuart Henderson advices.
>>
>> iked.conf on A :
>>
>> ikev2 active ipcomp esp \
>>     from 192.168.100.0/16 to 0.0.0.0/0 \
>>     peer "xx.xx.xx.xx" \
>>     srcid "m...@moria.lan" \
>>     dstid "B-hostname.tld" \
>>     tag IKED
>>
>> iked.conf on B :
>>
>> ikev2 "warrior" passive esp \
>>     from 0.0.0.0/0 to 0.0.0.0/0 \
>>     local xx.xx.xx.xx peer any \
>>     srcid "B-hostname.tld" \
>>     tag IKED
>>
>> Auth works as expected :
>>
>> # iked -vvd
>> ..
>> sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to 192.168.100.122:4500
>> policy 'policy1'
>> ..
>>
>>
>> But I can't reach internet from A through B.
>>
>> Here is the pf.conf on B (at least a small part of it)
>>
>> pass out on egress \
>>     from any to any tagged IKED \
>>     nat-to (egress)
>>
>
> I'm still stuck at the same point.
> Can someone give me an example of a working configuration natting to
> the Internet?
I used this,

pass in on enc0 inet from $some_net
pass out quick on egress inet received-on enc0 nat-to $some_address

Also I don't remember what you've already said you checked, but make sure you have sysctl net.inet.ip.forwarding=1.
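For readers putting the reply's two rules into context, here is a complete pf.conf for gateway B that also passes the IKE and ESP traffic iked itself needs. It is an added example, not a file from either poster; the tunnel network $vpn_net and the use of the egress group for B's Internet-facing interface are assumptions.

```pf
# /etc/pf.conf on B (the gateway), added example.
# Assumes: egress = B's Internet-facing interface group,
#          A's decapsulated packets arrive on enc0.
vpn_net = "192.168.100.0/24"      # assumed: A's side of the tunnel

set skip on lo

block return                       # default deny
pass out on egress inet            # B itself may reach the Internet

# IKEv2 negotiation (UDP 500, 4500 for NAT-T) and ESP from any peer,
# matching the "peer any" in B's iked.conf
pass in on egress proto udp from any to (egress) port { 500, 4500 }
pass in on egress proto esp

# Cleartext packets from A appear on enc0 after decapsulation
pass in on enc0 inet from $vpn_net keep state (if-bound)

# Forward A's traffic with B's address as source.
# "received-on enc0" limits the NAT to packets that came out of the tunnel,
# so B's own outbound traffic is not rewritten by this rule.
pass out quick on egress inet received-on enc0 nat-to (egress)
```

Check the syntax with pfctl -nf /etc/pf.conf before loading, and enable forwarding with sysctl net.inet.ip.forwarding=1 (add net.inet.ip.forwarding=1 to /etc/sysctl.conf to keep it across reboots).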