Hi,

I've a corporate laptop that uses Forticlient to establish a VPN
connection to corporate resources.

When working at home, when this corporate laptop is connected through the ISP
router, there's no problem connecting to the VPN server.

Now, I'm setting up my own OpenBSD 7.7 amd64 router/firewall.

Using simple NAT rules, other systems can connect fine to the Internet, and the corporate
laptop can also connect fine for everything except the VPN resources.
When I try to connect to the VPN, Forticlient 2.7.8.1140 returns:
"a network error prevented updates from being downloaded".

I asked in the community Fortinet forum about this and was told by a power user that
(https://community.fortinet.com/t5/Support-Forum/How-to-configure-home-router-firewall-to-allow-Forticlient/m-p/411072):

"""
No special rule needed, except need to open the outgoing connection to the remote SSL VPN server IP:port (usually TCP 443 or 10443).

NAT is fully supported.
"""


Here's my router/firewall configuration:

# uname -a
OpenBSD futro2.Home 7.7 GENERIC.MP#625 amd64

# sysctl -a | grep forwarding
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0
net.inet6.ip6.forwarding=0
net.inet6.ip6.mforwarding=0

# dhcpd -f
Multiple interfaces match the same subnet: em0 ure0
Multiple interfaces match the same shared network: em0 ure0
Listening on ure0 (192.168.1.253).
Can't listen on re0 - dhcpd.conf has no subnet declaration for 17.7.7.7.
Can't listen on em1 - it has no IP address.
Listening on em0 (192.168.1.252).
DHCPREQUEST for 192.168.1.7 from cc:....... via ure0
DHCPACK on 192.168.1.7 to cc:....... via ure0
DHCPREQUEST for 192.168.1.12 from 38:........... via ure0
DHCPACK on 192.168.1.12 to 38:.......... via ure0
DHCPINFORM from 192.168.1.12
DHCPACK to 192.168.1.12 (38:...........) via ure0

DHCPINFORM from 192.168.1.12
DHCPACK to 192.168.1.12 (38:............) via ure0

The corporate laptop receives 192.168.1.12 IP.


# pfctl -s rules
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from ! (egress:network) to any nat-to (egress:0) round-robin
block drop in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
pass out all flags S/SA
pass quick on ure0 all flags S/SA
block drop in quick on ! egress inet from 17.7.7.0/24 to any
block drop in quick inet from 177.7.7..7 to any
block drop in quick on ! re0 inet from 17.7.7.0/24 to any
pass inet proto icmp all
anchor "ftp-proxy/*" all
pass in quick inet proto tcp from any to any port = 21 flags S/SA divert-to 127.0.0.1 port 8021
anchor "relayd/*" all
pass out on re0 inet from 192.168.1.0 to any flags S/SA nat-to (re0) round-robin
pass in log on egress proto tcp from any to (egress) port = 22 flags S/SA
pass in on ure0 proto tcp from any to any port = 80 flags S/SA
pass in on ure0 proto tcp from any to any port = 443 flags S/SA
pass in log on ure0 inet proto tcp from 192.168.1.0 to any port = 5901 flags S/SA
pass in quick on ure0 inet proto tcp from 192.168.1.0 to any port = 22104 flags S/SA
pass in quick on ure0 inet proto udp from any port = 67 to any port = 68
pass in quick on ure0 proto tcp from any to any port = 853 flags S/SA
pass in quick on ure0 proto udp from any to any port = 53
pass in quick on re0 proto tcp from any to any port = 853 flags S/SA
pass in quick on re0 proto udp from any to any port = 53
block return in on ! lo0 proto tcp from any to any port 6000:6010


It seems that 'pfctl -s nat' is no longer available.


Can you please tell me what I am missing or doing wrong?

Thanks,


Luís Mendes
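As an added illustration (not part of the original mail or of the poster's ruleset), here is a minimal pf.conf fragment that puts the forum answer into practice: LAN NAT plus an explicitly logged pass for the SSL VPN ports, so that pflog0 shows whether the control connection reaches the egress interface. The interface names re0/ure0 and the 192.168.1.0/24 LAN are taken from the mail; the VPN server address is a placeholder and the macro names are my own.

```pf
# Macros (names assumed; replace the placeholder server address)
ext_if   = "re0"                 # egress interface from the mail
lan_if   = "ure0"                # LAN interface the laptop sits on
lan_net  = "192.168.1.0/24"
vpn_srv  = "203.0.113.10"        # PLACEHOLDER: remote SSL VPN server IP
vpn_ports = "{ 443 10443 }"      # ports named in the Fortinet forum reply

set skip on lo0
match in all scrub (no-df random-id max-mss 1440)

# Outbound NAT for the LAN, equivalent to the match rule on the page
match out on $ext_if inet from $lan_net to any nat-to ($ext_if:0)

# Default deny, logged, so anything unexpected shows up on pflog0
block log all

# SSL VPN control connection: pass and log on both the LAN and egress side,
# so one tcpdump on pflog0 confirms the packets were NATed and left re0
pass in  quick log on $lan_if inet proto tcp from $lan_net to $vpn_srv port $vpn_ports
pass out quick log on $ext_if inet proto tcp from any     to $vpn_srv port $vpn_ports

# General outbound traffic from the LAN
pass in  on $lan_if inet from $lan_net to any
pass out on $ext_if inet from any to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch the logged rules with `tcpdump -n -e -ttt -i pflog0 host <vpn server>` while Forticlient tries to connect; on OpenBSD the NAT entries appear in `pfctl -s rules` (and `pfctl -s state` for active translations), since there is no separate `-s nat` view.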
