Re: nat before ipsec ...

2013-12-26 Thread Zeus Panchenko

> target - world -- em0 - freebsd - vlanA -- LAN
>  ^ ^   net A
>  | |
>  +- netC -.-.-.-.- IPSec -.-.-.-.- net B -+
> ...
> where:
> A1 is some address from net A
> B2 is some address from net B
> C3 is some address from net C

> I can see incoming packets from A1 to C3 on interface vlanA, but after
> that, the packets disappear, I cannot find them on any other interface and
> there are no return packets

finally I was able to get the packets redirected (actually after a pf restart,
not just a reload) and now I have A1 packets going to C3 on vlanA

# tcpdump -ni tun10 host C3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun10, link-type NULL (BSD loopback), capture size 65535 bytes
07:10:57.641536 IP A1 > C3: ICMP echo request, id 59179, seq 8913, length 64
07:10:58.641467 IP A1 > C3: ICMP echo request, id 59179, seq 8914, length 64
07:10:59.641882 IP A1 > C3: ICMP echo request, id 59179, seq 8915, length 64

and further I can see them on the interface IPSec is configured on:

# tcpdump -ni em1 host C3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
07:12:28.638456 IP A1 > C3: ICMP echo request, id 59179, seq 9004, length 64
07:12:29.636961 IP A1 > C3: ICMP echo request, id 59179, seq 9005, length 64
07:12:30.637647 IP A1 > C3: ICMP echo request, id 59179, seq 9006, length 64

but these packets *do not pass through the nat* ...

in pf.conf I do:

rdr pass on $if_vpn from A1 to C -> $target-side-of-ipsec
binat on $if_vpn from A1 to C3 -> B2

and net.inet.ipsec.filtertunnel is set to 1

is the URL below the answer?

http://forum.pfsense.org/index.php/topic,49800.msg265106.html#msg265106


-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)
___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to freebsd-pf-unsubscr...@freebsd.org
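An added example, written for this thread and not taken from any of the posters, of the configuration the thread converges on: the address mapping placed on the tunnel-side interface rather than on the LAN interface where the packets arrive, with net.inet.ipsec.filtertunnel enabled. The interface names vlanA and tun10 come from the thread; the addresses standing in for A1, B2 and C3 are constructed (192.168.10.5, 10.20.0.5, 10.30.0.7), and it assumes the host's IPsec security policy already covers net B <-> net C, so that the rewritten packet is the one that matches the policy:

```conf
# Added example, not from the thread. Constructed addresses:
#   A1 = 192.168.10.5   LAN host (net A)
#   B2 = 10.20.0.5      address the IPsec peer expects to see (net B)
#   C3 = 10.30.0.7      host behind the IPsec peer (net C)
# Assumption: the host's IPsec SPD already has a tunnel-mode policy for
# net B <-> net C; only a packet whose source is already B2 matches it.

# --- /etc/sysctl.conf ---
# Let pf see the inner packets of IPsec tunnel-mode traffic; without it
# the rewritten packet is never evaluated on the tunnel path.
# For the running system: sysctl net.inet.ipsec.filtertunnel=1
net.inet.ipsec.filtertunnel=1

# --- /etc/pf.conf ---
if_lan = "vlanA"
if_vpn = "tun10"          # assumption: the interface pf sees the inner packet on
a1     = "192.168.10.5"
b2     = "10.20.0.5"
c3     = "10.30.0.7"

# nat/binat are applied to packets leaving through the named interface,
# so the mapping belongs on $if_vpn, not on $if_lan where A1's packets arrive
# (a "binat on vlanA from A1" rule only matches packets going OUT on vlanA).
# binat is bidirectional: A1->C3 leaves as B2->C3, replies to B2 return to A1.
binat on $if_vpn from $a1 to $c3 -> $b2

# Outbound filter rules on $if_vpn see the post-translation source address;
# the state entry lets the replies from C3 back in.
pass in  quick on $if_lan inet from $a1 to $c3 keep state
pass out quick on $if_vpn inet from $b2 to $c3 keep state
```

Check it in this order: `pfctl -nf /etc/pf.conf` for syntax, `sysctl net.inet.ipsec.filtertunnel` to confirm the value is 1 on the running kernel, then load the rules (the poster reports needing a full `service pf restart` rather than a reload), and `pfctl -s nat` to confirm the binat mapping is installed. The decisive check is `tcpdump -ni tun10 host 10.20.0.5`: a working translation shows `B2 > C3` on the tunnel side, and seeing `A1 > C3` there (as in the poster's capture) means the LAN address is still leaving untranslated and the rule is not being applied on that interface.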


nat before ipsec ...

2013-12-25 Thread Zeus Panchenko

hi,

please, may somebody help with the subj? is it possible at all on
FreeBSD with pf?

I need to binat some of my LAN (network A) ip addresses to some of the
secure communication addresses (network B) for access to network C, which
is behind IPSec

target - world -- em0 - freebsd - vlanA -- LAN
^^   net A
||
+- netC -.-.-.-.- IPSec -.-.-.-.- net B -+

when I land some B network address on the freebsd box, then everything from
that address works, but when I try to bi/nat some network A address to some
network B address, it does not

in pf.conf I try this:

binat on vlanA from A1 to C3 -> B2

where:
A1 is some address from net A
B2 is some address from net B
C3 is some address from net C

I can see incoming packets from A1 to C3 on interface vlanA, but after
that, the packets disappear, I cannot find them on any other interface and
there are no return packets

as far as I know I need nat before vpn ... but I was not able to find
how to do that ... can I do that with pf on freebsd?

I run FreeBSD 9.2-PRERELEASE #6 r255856: amd64 with system pf

please, help me understand what I am missing ...

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)


Re: nat before ipsec ...

2013-12-25 Thread wishmaster

If I understand you correctly, you want binat inside IPSec and therefore you
must enable filtering in the tunnel.

This will help you:

net.inet.ipsec.filtertunnel=1

Cheers,
w
 
 --- Original message ---
 From: Zeus Panchenko z...@ibs.dn.ua
 Date: 25 December 2013, 20:11:05
  




Re: nat before ipsec ...

2013-12-25 Thread Zeus Panchenko

wishmaster artem...@ukr.net wrote:

> If I understand you correctly, you want binat inside IPSec and

I'm not sure ... what I want is to nat packets from net A before they
enter IPSec, as if they did not originate on the freebsd host

so, they enter IPSec already as net B packets ...

-- 
Zeus V. Panchenko   jid:z...@im.ibs.dn.ua
IT Dpt., I.B.S. LLC   GMT+2 (EET)