On Fri, 19 Sep 2025 07:40:35 +0200 (CEST), Thomas Dettbarn <[email protected]> wrote:

| does it work when you disable the firewall?
|
| pfctl -d

Hi Thomas,

# pfctl -F all
1 tables deleted.
rules cleared
1 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
# pfctl -d
pfctl: pf not enabled

Rebooted the corporate laptop. It gets the right internal IPv4 address, netmask and gateway. No connection to the Internet. Can't connect to the Fortinet server.

Thank you,
Luís Mendes

| Luis Mendes <[email protected]> wrote on 19.09.2025 01:21 CEST:
| >
| >
| > Hi,
| >
| > I've a corporate laptop that uses Forticlient to establish a VPN
| > connection to corporate resources.
| >
| > When working at home, when this corporate laptop is connected through the ISP
| > router, there's no problem connecting to the VPN server.
| >
| > Now, I'm setting up my own OpenBSD 7.7 amd64 router/firewall.
| >
| > Using simple NAT rules, other systems can connect fine to the Internet, also the corporate
| > laptop can connect fine for everything except the VPN resources.
| > When I try to connect the VPN, Forticlient 2.7.8.1140 returns:
| > "a network error prevented updates from being downloaded".
| >
| > I asked in the community Fortinet forum about this and was told by a power user that:
| > (https://community.fortinet.com/t5/Support-Forum/How-to-configure-home-router-firewall-to-allow-Forticlient/m-p/411072)
| >
| > """
| > No special rule needed, except need to open the outgoing connection to the remote SSL VPN server IP:port (usually TCP 443 or 10443).
| >
| > NAT is fully supported.
| > """
| >
| >
| > Here's my router/firewall configuration:
| >
| > # uname -a
| > OpenBSD futro2.Home 7.7 GENERIC.MP#625 amd64
| >
| > # sysctl -a | grep forwarding
| > net.inet.ip.forwarding=1
| > net.inet.ip.mforwarding=0
| > net.inet6.ip6.forwarding=0
| > net.inet6.ip6.mforwarding=0
| >
| > # dhcpd -f
| > Multiple interfaces match the same subnet: em0 ure0
| > Multiple interfaces match the same shared network: em0 ure0
| > Listening on ure0 (192.168.1.253).
| > Can't listen on re0 - dhcpd.conf has no subnet declaration for 17.7.7.7.
| > Can't listen on em1 - it has no IP address.
| > Listening on em0 (192.168.1.252).
| > DHCPREQUEST for 192.168.1.7 from cc:....... via ure0
| > DHCPACK on 192.168.1.7 to cc:....... via ure0
| > DHCPREQUEST for 192.168.1.12 from 38:........... via ure0
| > DHCPACK on 192.168.1.12 to 38:.......... via ure0
| > DHCPINFORM from 192.168.1.12
| > DHCPACK to 192.168.1.12 (38:...........) via ure0
| >
| > DHCPINFORM from 192.168.1.12
| > DHCPACK to 192.168.1.12 (38:............) via ure0
| >
| > The corporate laptop receives 192.168.1.12 IP.
| >
| >
| > # pfctl -s rules
| > match in all scrub (no-df random-id max-mss 1440)
| > match out on egress inet from ! (egress:network) to any nat-to (egress:0) round-robin
| > block drop in quick on egress from <martians> to any
| > block return out quick on egress from any to <martians>
| > pass out all flags S/SA
| > pass quick on ure0 all flags S/SA
| > block drop in quick on ! egress inet from 17.7.7.0/24 to any
| > block drop in quick inet from 177.7.7..7 to any
| > block drop in quick on ! re0 inet from 17.7.7.0/24 to any
| > pass inet proto icmp all
| > anchor "ftp-proxy/*" all
| > pass in quick inet proto tcp from any to any port = 21 flags S/SA divert-to 127.0.0.1 port 8021
| > anchor "relayd/*" all
| > pass out on re0 inet from 192.168.1.0 to any flags S/SA nat-to (re0) round-robin
| > pass in log on egress proto tcp from any to (egress) port = 22 flags S/SA
| > pass in on ure0 proto tcp from any to any port = 80 flags S/SA
| > pass in on ure0 proto tcp from any to any port = 443 flags S/SA
| > pass in log on ure0 inet proto tcp from 192.168.1.0 to any port = 5901 flags S/SA
| > pass in quick on ure0 inet proto tcp from 192.168.1.0 to any port = 22104 flags S/SA
| > pass in quick on ure0 inet proto udp from any port = 67 to any port = 68
| > pass in quick on ure0 proto tcp from any to any port = 853 flags S/SA
| > pass in quick on ure0 proto udp from any to any port = 53
| > pass in quick on re0 proto tcp from any to any port = 853 flags S/SA
| > pass in quick on re0 proto udp from any to any port = 53
| > block return in on ! lo0 proto tcp from any to any port 6000:6010
| >
| >
| > It seems that 'pfctl -s nat' is no longer available.
| >
| >
| > Can you please tell me what am I missing or doing wrong?
| >
| > Thanks,
| >
| >
| > Luís Mendes
| >
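As an added example, not code from either poster: a minimal OpenBSD pf.conf for a home NAT router that has the one outbound allowance the Fortinet reply asks for (TCP 443 or 10443 to the SSL VPN endpoint) and a logged default block, so that anything pf drops for the VPN client can be read back from pflog0 instead of guessed at. Interface names, the LAN prefix and the VPN server address are assumptions. Two points the example relies on: since OpenBSD 4.7 NAT is written as nat-to on match/pass rules and listed by pfctl -s rules, which is why there is no separate pfctl -s nat any more; and in pfctl -s rules output a network is printed with its prefix (192.168.1.0/24) while a bare 192.168.1.0 matches only that single host.

```pf
# Added example (not from the thread): minimal pf.conf for an OpenBSD home
# router doing NAT, with logging on the default block so that anything pf
# drops for the VPN client shows up on pflog0.  Interface names, the LAN
# prefix and the SSL VPN endpoint below are assumptions.
wan = "re0"
lan = "ure0"
lan_net = "192.168.1.0/24"          # a network; bare 192.168.1.0 is one host
vpn_server = "203.0.113.10"         # assumed FortiGate SSL VPN endpoint
vpn_ports = "{ 443 10443 }"         # per the Fortinet forum reply

set skip on lo

# Keep the MSS clamp: the SSL VPN tunnel adds its own overhead on top of NAT.
match in all scrub (no-df random-id max-mss 1440)

# NAT every LAN host leaving on the WAN side to the WAN address.
# nat-to is listed by "pfctl -s rules"; there is no "pfctl -s nat".
match out on $wan inet from $lan_net to any nat-to ($wan:0)

# Default deny, logged, so dropped packets can be inspected with
#   tcpdump -n -e -ttt -i pflog0 host 192.168.1.12
block log all

antispoof quick for $lan

# The router itself and LAN hosts may go out; LAN hosts may talk to the router.
pass out quick on $wan inet keep state
pass in on $lan inet from $lan_net to any

# Explicit, logged pass for the VPN client so the session is easy to find
# with "pfctl -ss | grep 203.0.113.10".  UDP is included in case the gateway
# has DTLS enabled, which rides on UDP to the same port.
pass in log on $lan inet proto { tcp udp } from $lan_net to $vpn_server port $vpn_ports
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, then start FortiClient on the laptop while running tcpdump -n -e -ttt -i pflog0 host 192.168.1.12 on the router: a "block" line there names the rule number that dropped the packet, and pfctl -ss | grep 192.168.1.12 shows whether the TCP session to the VPN endpoint was ever created.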

