On 08/29/2008 11:11:51 AM, [EMAIL PROTECTED] wrote:
On Aug 29, 3:10 pm, [EMAIL PROTECTED] (Karl O. Pinc) wrote:
> On 08/28/2008 08:13:50 AM, [EMAIL PROTECTED] wrote:
>
>
>
> > On Aug 28, 12:45 am, [EMAIL PROTECTED] wrote:
> > > #       $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
> > > #Map internal addresses to external
> > > binat on $tun_if proto {tcp, udp, icmp} from $intaddr_irishcoffe to any -> $tunaddr_irishcoffe
> > > binat on $tun_if proto {tcp, udp, icmp} from $intaddr_bloodymary to any -> $tunaddr_bloodymary
> > > binat on $tun_if proto {tcp, udp, icmp} from $intaddr_longislandicetea to any -> $tunaddr_longislandicetea
>
> > > #Traffic on addresses not mapped with BINAT should be NATed via vr0
> > > (ie. not be pushed via the tunnel but rather pushed directly on the
> > > DSL line)
> > > #The below does not work though
> > > nat on $ext_if from $int_if:network to any -> { $ext_if }
>
> > > #Enabling the below makes it possible to access the Internet via
> > > $ext_if from 10.0.0.10 but only 10.0.0.10.
> > > #This is what I want with NAT above but for the whole 10.0.0.0/24 net
> > > (except BINATed addresses).
> > > #binat on $tun_if proto {tcp, udp, icmp} from 10.0.0.10 to any -> $ext_if:0
>
> > > nat-anchor "ftp-proxy/*"
> > > rdr-anchor "ftp-proxy/*"
> > > rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> > If I made the NAT rule look like this it worked:
>
> > nat on $tun_if from $int_if:network to any -> $ext_if
>
> > Now the question is why....
>
> It's because your binat rule has already translated the datagrams
> IP addresses before your nat rule sees the datagrams, so as
> originally written the nat rule does not match.
>
> FYI, binat rules are done before nat rules regardless of the
> order in which they appear in pf.conf.
>
> Karl <[EMAIL PROTECTED]>
> Free Software:  "You don't pay back, you pay forward."
>                  -- Robert A. Heinlein

Thank you very much for the reply
But... The BINAT rule is between $int_if and $tun_if
And the NAT rule is between $int_if and $ext_if

I cannot see how the BINAT rule could translate anything which makes
this not work.

You're right about what IPs should be affected by what rule,
I was not reading closely enough.  My mistake.  Sorry.


BINAT only handles 3 ip addresses in the 10.0.0.0/24 net.
Then the rest of the addresses are not affected, I thought?
Wouldn't the NAT rule handle the rest of them then?
and push it over to the $ext_if interface?

The NAT rules don't do any "pushing" through interfaces,
that's what the routing tables do.

Clearly something's sending your traffic through the
tunnel, or the binat rule you added wouldn't have
had any effect.

I have some suggestions.

Get the firewall working without the tunnels, then add
the tunnels.  I suspect something in OpenVPN is
messing with the way your traffic is routed in a way
you don't expect.

Begin with a "block all".  "block in", "pass out" works
when you've only 2 interfaces, but does not scale well
to multiple interfaces.  Better to retain finer control
and be sure you know where all traffic is going and why.
You may even want "set state-policy if-bound" to be sure
you know what's going on, then relax the policy (and possibly
remove rules and/or tags/policy based filters) if performance
is an issue.

Karl <[EMAIL PROTECTED]>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
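An added illustration (not from the thread, and not pf code): a toy model of the translation order Karl describes, with the outbound interface chosen by a constructed route table. It shows why a "nat on $ext_if" rule never sees packets that routing sends through the tunnel, and that moving the rule to $tun_if changes the source address but still does not move the traffic off tun0. Interface names, addresses and the default route via the tunnel are assumptions.

```python
# Added example, not the thread's configuration: a toy model of how pf
# picked a translation for an outbound packet in the pre-4.7 syntax.
# All interface names, addresses and routes below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ROUTES = {  # constructed route table; assumes the VPN installed a default route
    "10.0.0.0/24": "vr1",   # $int_if
    "0.0.0.0/0": "tun0",    # $tun_if carries the default route
}


@dataclass
class Rule:
    kind: str    # "binat" or "nat"
    iface: str   # interface the rule is bound to ("on $iface")
    src: str     # source host or network the rule matches
    target: str  # translated source address


def outbound_iface(dst):
    """Longest-prefix match over the constructed route table."""
    best = max((n for n in ROUTES if ip_address(dst) in ip_network(n)),
               key=lambda n: ip_network(n).prefixlen)
    return ROUTES[best]


def translate(rules, src, dst):
    """Return (outbound iface, translated source).

    Only rules bound to the outbound interface are considered, and the
    binat ruleset is consulted before the nat ruleset regardless of the
    order the rules appear in, as Karl notes above."""
    iface = outbound_iface(dst)
    for kind in ("binat", "nat"):
        for r in rules:
            if r.kind != kind or r.iface != iface:
                continue
            if ip_address(src) in ip_network(r.src, strict=False):
                return iface, r.target
    return iface, src


# Constructed stand-ins for the thread's macros.
BINAT = [Rule("binat", "tun0", "10.0.0.2", "192.0.2.2")]        # one binat host
NAT_ORIGINAL = BINAT + [Rule("nat", "vr0", "10.0.0.0/24", "198.51.100.1")]
NAT_FIXED = BINAT + [Rule("nat", "tun0", "10.0.0.0/24", "198.51.100.1")]

if __name__ == "__main__":
    for name, rs in (("original", NAT_ORIGINAL), ("fixed", NAT_FIXED)):
        print(name, translate(rs, "10.0.0.10", "203.0.113.7"))
```

Both rulesets report tun0 as the outbound interface: the nat rule changes what the packet looks like, not which interface the routing table hands it to.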
