Hello Chris, I didn't know the word hairpinning, now I do.

No, I don't want to do hairpinning.

MyLan <=> MyOpenbsd <= IPSec => Fortigate (on a LAN behind a NAT router) <=> device I want to reach.

That device has a gateway that is not the Fortigate, so I had to NAT the flow on the Fortigate with the IP of the Fortigate on the LAN. That Fortigate is connected exactly like a computer (one arm). From MyLan I can reach the device.

MyFriend <=> NAT router <=> Internet <=> NAT router <=> MyOpenbsd <= IPSec => Fortigate (on a LAN behind a NAT router) <=> device I want to reach.

MyFriend arrives with a public IP on MyOpenbsd. To reach the device I need to NAT all flows to 1443 to device:443 (destination NAT). But the device will need to reply and send the flow back to MyFriend, so I want to NAT him with the IP of MyOpenbsd (source NAT). As you can see, when MyFriend sends its SYN to MyOpenbsd I need to change the source/destination IP to the NAT source/NAT destination IP.

I know this setup is f*** up, but I don't have control over many of the elements.

PS: Since my last mail, I found a workaround, which is an SSH tunnel from MyFriend to MyOpenbsd, and it worked perfectly. However, I'd be interested to know what can be done with PF.

Regards

On Thursday, 9 May 2019 at 17:57:18 UTC+2, Chris Cappuccio <ch...@nmedia.net> wrote:

> Mik J [mikyde...@yahoo.fr] wrote:
> > Hello,
> > Is it possible to NAT both source and destination IP on the same OpenBSD PF
> > instance, aka double NAT?
> > If yes, does someone have an example of it?
>
> Are you trying to do "hairpin" NAT? What are you trying to accomplish?
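As an added example (not from the original mail or from any of its authors), here is a pf.conf fragment for the double NAT described in the thread: destination NAT of port 1443 to device:443, plus source NAT of those same flows to an address of MyOpenbsd so the device replies through the tunnel instead of trying to route back to MyFriend. All interface names and addresses are placeholders; in particular `$lan_if` stands for whichever interface the route toward the device leaves on (with policy-based IPsec this is the physical interface, before the flow is encapsulated), and `$nat_src` must be an address covered by the IPsec flow's local network.

```pf
# Added example, not the poster's configuration. Names and addresses are
# assumptions: replace them with the real interfaces and networks.
ext_if  = "em0"          # interface on which MyFriend's packets arrive (assumed)
lan_if  = "em1"          # interface the route to the device leaves on (assumed)
device  = "192.0.2.50"   # host behind the Fortigate (constructed address)
nat_src = "192.0.2.1"    # MyOpenbsd's address inside the IPsec flow (constructed)

# Destination NAT: a connection to this box on port 1443 is redirected to
# device:443. Restricting it to TCP and to the box's own address keeps the
# rule from catching unrelated traffic.
pass in on $ext_if proto tcp from any to ($ext_if) port 1443 rdr-to $device port 443

# Source NAT for the redirected flows only: received-on limits this rule to
# packets that entered on $ext_if, so MyLan's own traffic to the device is not
# rewritten. The device now sees $nat_src as the client and replies through
# the tunnel; PF reverses both translations on the way back from the state.
match out on $lan_if proto tcp to $device port 443 received-on $ext_if nat-to $nat_src
pass out on $lan_if proto tcp to $device port 443
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; while MyFriend connects, `pfctl -ss` should show a single state whose original and translated source/destination pairs match the two rewrites above. Because the state carries both translations, nothing needs to be configured on the Fortigate for the return path beyond what already works for MyLan.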