Hello Chris,

I didn't know the word hairpinning, now I do.

No, I don't want to do hairpinning.

MyLan <=> MyOpenbsd <= IPSec => Fortigate (on a lan behind a nat router) <=> 
device I want to reach.
That device has a gateway that is not the fortigate so I had to nat the flow on 
the Fortigate with the IP of the Fortigate on the LAN. That Fortigate is 
connected exactly like a computer (one arm).
From MyLan I can reach the device.

MyFriend <=> Nat router <=> Internet <=> Nat router <=> MyOpenbsd <= IPSec => 
Fortigate (on a lan behind a nat router) <=> device I want to reach.
MyFriend arrives with a public IP on MyOpenbsd.
To reach the device I need to NAT all flows to 1443 to device:443 (destination 
NAT).
But the device will need to reply and send the flow back to MyFriend; I want to 
NAT him with the IP of MyOpenbsd (source NAT).

As you can see when MyFriend sends its SYN to MyOpenbsd I need to change 
source/destination IP to natsource/natdestination IP.

I know this setup is f*** up but I don't have hand on many elements.

PS: Since my last mail, I found a workaround, which is an SSH tunnel from 
MyFriend to MyOpenbsd, and it worked perfectly. However, I'd be interested to 
know what can be done with PF.

Regards
On Thursday, 9 May 2019 at 17:57:18 UTC+2, Chris Cappuccio <ch...@nmedia.net> 
wrote:

Mik J [mikyde...@yahoo.fr] wrote:
> Hello,
> Is it possible to NAT both source and destination IP on the same OpenBSD PF 
> instance, aka double NAT?
> If yes, does someone have an example of it?

are you trying to do "hairpin" NAT?

what are you trying to accomplish?

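A pf.conf fragment for the double NAT described in this thread, added here as an illustration and not something posted by either participant; the interface name, the address values and the friend's IP are placeholders, and it assumes the default floating state policy so the state created on the outside interface also matches the packet when it leaves through enc0 into the IPsec tunnel.

```pf
# Constructed example, not from the thread. All values are placeholders.
ext_if            = "em0"            # interface where MyFriend's public IP arrives
friend_ip         = "203.0.113.7"    # MyFriend's public address (restricts who may use the redirect)
openbsd_tunnel_ip = "10.10.10.1"     # MyOpenbsd's LAN address, covered by the IPsec flow to the Fortigate
device            = "172.16.5.20"    # the device behind the Fortigate

# Do NOT "set skip on enc0": the tunnel traffic has to be visible to PF.
# "set state-policy floating" is the default; keep it so one state covers
# both the arrival on $ext_if and the exit on enc0.

# One rule performs both translations on MyFriend's SYN:
#   rdr-to  (destination NAT): :1443 on MyOpenbsd becomes $device:443
#   nat-to  (source NAT):      MyFriend's address becomes $openbsd_tunnel_ip,
#           so the device answers MyOpenbsd over the tunnel instead of sending
#           the reply to its own default gateway, where it would be lost.
pass in quick on $ext_if proto tcp from $friend_ip to ($ext_if) port 1443 \
    rdr-to $device port 443 nat-to $openbsd_tunnel_ip

# Explicitly allow the translated flow into the tunnel (the floating state
# already matches it; this rule documents the intent and survives a later
# "block out" default).
pass out on enc0 proto tcp from $openbsd_tunnel_ip to $device port 443

# Check syntax before loading:   pfctl -nf /etc/pf.conf
# Inspect the translated state:  pfctl -ss | grep 443
```

The IPsec flow on MyOpenbsd must include $openbsd_tunnel_ip and $device, otherwise the translated packet is routed in the clear rather than into the tunnel.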