Hello,

I've set up a VPN tunnel with public IPs as the default route.

    # netstat -rnf encap
    Routing tables

    Encap:
    Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
    172.16.15.6/32     0     172.16.16.6/32     0     0     172.16.15.6/esp/use/in
    172.16.16.6/32     0     172.16.15.6/32     0     0     172.16.15.6/esp/require/out
    default            0     193.189.180.128/27 0     0     172.16.15.6/esp/use/in
    193.189.180.128/27 0     default            0     0     172.16.15.6/esp/require/out

Everything works as expected; all hosts in my network have access to the
internet. The only thing I am not sure about is how to set up NAT. What is
my external interface in this example: bge0 as the ethernet interface, or
enc0?

    nat on enc0 from $int_if:network to any -> 193.189.180.129

Diagram:

    193.189.180.129/27 (em1)
    hostA 172.16.16.6 (bge0) -> VPN -> hostB -> default route
    10.1.1.11 (bge1)

/etc/mygate points to 193.189.180.129

Debug section:

A ping from the LAN looks like this on hostA:

    # tcpdump -i bge1 icmp
    tcpdump: listening on bge1, link-type EN10MB
    10:30:14.902581 10.1.1.104 > fk-in-f99.google.com: icmp: echo request
    10:30:15.912678 10.1.1.104 > fk-in-f99.google.com: icmp: echo request
    10:30:16.922770 10.1.1.104 > fk-in-f99.google.com: icmp: echo request
    10:30:17.932853 10.1.1.104 > fk-in-f99.google.com: icmp: echo request

enc0 and bge0 show nothing, so packets are not getting there.

    # tcpdump -i em1 icmp
    tcpdump: listening on em1, link-type EN10MB
    10:35:52.650165 10.1.1.104 > fk-in-f104.google.com: icmp: echo request
    10:35:53.660104 10.1.1.104 > fk-in-f104.google.com: icmp: echo request
    10:35:54.670196 10.1.1.104 > fk-in-f104.google.com: icmp: echo request
    10:35:55.680285 10.1.1.104 > fk-in-f104.google.com: icmp: echo request

ICMP ends up on the wrong interface.

If I remove my default route:

    route -qn delete default 193.189.180.129

    # tcpdump -i bge1 icmp
    tcpdump: listening on bge1, link-type EN10MB
    10:46:46.103245 10.1.1.104 > fk-in-f99.google.com: icmp: echo request
    10:46:46.103255 10.1.1.11 > 10.1.1.104: icmp: host fk-in-f99.google.com unreachable
    10:46:47.113334 10.1.1.104 > fk-in-f99.google.com: icmp: echo request
    10:46:47.113344 10.1.1.11 > 10.1.1.104: icmp: host fk-in-f99.google.com unreachable
    10:46:48.123425 10.1.1.104 > fk-in-f99.google.com: icmp: echo request
    10:46:48.123434 10.1.1.11 > 10.1.1.104: icmp: host fk-in-f99.google.com unreachable

It looks like hostA is missing that route now?

What should I set for the default gateway and NAT to send packets on the
right interface?

Regards,
Mitja
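Added example (editor's note, not part of Mitja's post): a small model of how an IPsec flow table like the one printed by `netstat -rnf encap` above decides whether an outgoing packet is sent through the tunnel. It assumes a simplified lookup: the most specific flow whose source and destination prefixes both cover the packet, restricted to the flow's direction, is selected, and a packet matching no flow follows the plain routing table in the clear. The flow entries are copied from the post; the destination address 198.51.100.10 stands in for the unnamed google host and is constructed. Under that model, a packet still sourced from 10.1.1.104 matches no outbound flow, whereas the same packet sourced from 193.189.180.129 matches the `193.189.180.128/27 -> default` flow, so wherever the nat rule is placed, the tunnel is only chosen if the source has already been translated when the flow lookup sees the packet. The `describe` helper is a name invented here for the example.

```python
"""Simplified IPsec flow (SPD) lookup over a netstat -rnf encap table.

Assumption (editor's model, not a statement about the kernel's exact code path):
the most specific flow, by source plus destination prefix length, whose
direction matches the packet wins; no match means the packet is not
encapsulated and leaves according to the ordinary routing table.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    peer: str        # SA address (the remote tunnel endpoint)
    proto: str       # esp
    level: str       # use | require
    direction: str   # in | out


# Flow table exactly as shown in the post, column order:
# Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
ENCAP_TABLE = """\
172.16.15.6/32     0 172.16.16.6/32     0 0 172.16.15.6/esp/use/in
172.16.16.6/32     0 172.16.15.6/32     0 0 172.16.15.6/esp/require/out
default            0 193.189.180.128/27 0 0 172.16.15.6/esp/use/in
193.189.180.128/27 0 default            0 0 172.16.15.6/esp/require/out
"""


def _net(text: str) -> ipaddress.IPv4Network:
    # netstat prints "default" for the all-zero prefix
    return ipaddress.ip_network("0.0.0.0/0" if text == "default" else text, strict=False)


def parse_encap(table: str) -> List[Flow]:
    """Parse the six-column flow lines; header/blank lines are skipped."""
    flows = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) != 6 or "/" not in fields[5]:
            continue
        src, _sport, dst, _dport, _proto, sa = fields
        peer, proto, level, direction = sa.split("/")
        flows.append(Flow(_net(src), _net(dst), peer, proto, level, direction))
    return flows


def lookup_flow(flows: List[Flow], src_ip: str, dst_ip: str, direction: str) -> Optional[Flow]:
    """Return the most specific flow covering (src, dst) in the given direction."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    best: Optional[Flow] = None
    best_spec = -1
    for f in flows:
        if f.direction != direction or src not in f.src or dst not in f.dst:
            continue
        spec = f.src.prefixlen + f.dst.prefixlen   # longer prefixes are more specific
        if spec > best_spec:
            best, best_spec = f, spec
    return best


def describe(flows: List[Flow], src_ip: str, dst_ip: str) -> str:
    """Hypothetical helper: summarise what happens to an outgoing packet."""
    f = lookup_flow(flows, src_ip, dst_ip, "out")
    if f is None:
        return "clear"   # no flow matched: packet follows the routing table unencrypted
    return f"{f.proto}/{f.level} to {f.peer}"


if __name__ == "__main__":
    flows = parse_encap(ENCAP_TABLE)
    # Constructed destination standing in for fk-in-f99.google.com
    for src in ("10.1.1.104", "193.189.180.129"):
        print(f"{src} -> 198.51.100.10: {describe(flows, src, '198.51.100.10')}")
```

Running it prints that the untranslated LAN source goes out in the clear while the translated source is sent as esp/require to 172.16.15.6, which is the check to make against a tcpdump on em1 before and after changing the nat rule.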