PF NAT problems.

Balázs Mátéffy repcsike at gmail.com
Sun Nov 15 21:23:14 UTC 2009


Hello,

I'm struggling to get pf NAT to work when connecting to IPsec VPNs, when I
have a pf and pfnat gateway on my LAN side. Sometimes it's OK to some
networks, but most of the time it's not. Usually I'm using the Cisco VPN client,
connecting to Cisco ASA devices, and sometimes PPTP and L2TP VPNs with the
client from Windows XP.
I tried passing IPsec-relevant packets through the pf firewall, but if I use ipnat
it works perfectly without any added rules.
Somewhere I found that I have to statically map port 500 for pf to map that
to the external interface as well (and not change the port number), but I
couldn't make that work.

Relevant part of my pf.conf:
I just pasted the macros, because I think the problem lies somewhere else.
prv_ads = 192.168.0.0/24

nat on $ext_if proto $nat_p from $prv_ads to any -> ($ext_if:0) # we need this to work with dyn ip and pppoe tun0
##Some port forwarding rules deleted from here...
rdr-anchor miniupnpd

ipnat.conf:

map tun0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.0.0/24 -> 0/32 portmap tcp/udp 40000:65000
map tun0 192.168.0.0/24 -> 0/32
#some port redirection deleted from here.


Thanks for any help,

B.
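As an added illustration (not from the original post), this is how the "static mapping of port 500" the poster refers to is normally written in the pf.conf syntax of that era. The point it makes: pf's default NAT rewrites the UDP source port to a random high port, and many IKE peers insist on seeing source port 500 (and 4500 for NAT-T), so those flows need a `static-port` translation rule placed *before* the catch-all `nat` rule, because pf translation rules are first-match. It assumes `ext_if` is `tun0` (the PPPoE interface named in the ipnat.conf above) and supplies an assumed value for the `nat_p` macro, since neither macro appears in the excerpt.

```pf
# Added example, not the poster's configuration. Only prv_ads is taken
# from the original excerpt; ext_if and nat_p are assumed values.
ext_if  = "tun0"                 # PPPoE interface (from the ipnat.conf above)
prv_ads = "192.168.0.0/24"
nat_p   = "{ tcp, udp, icmp }"   # assumed contents of the undefined macro

# Translation rules are first-match, so the IPsec-specific rules must
# come before the general nat rule.

# IKE (UDP/500) and NAT-T (UDP/4500): keep the client's source port
# unchanged instead of remapping it to a random high port.
nat on $ext_if proto udp from $prv_ads to any port 500  -> ($ext_if:0) static-port
nat on $ext_if proto udp from $prv_ads to any port 4500 -> ($ext_if:0) static-port

# Plain ESP has no ports to translate; pf matches replies by address only,
# so only one inside host can talk ESP to a given peer at a time. Clients
# that negotiate NAT-T avoid this by carrying ESP inside UDP/4500.
nat on $ext_if proto esp from $prv_ads to any -> ($ext_if:0)

# Everything else: the original catch-all rule, now last.
nat on $ext_if proto $nat_p from $prv_ads to any -> ($ext_if:0)

# Filter rules see post-translation addresses; let the tunnel traffic out
# and rely on state for the replies.
pass out on $ext_if proto udp from ($ext_if) to any port 500  keep state
pass out on $ext_if proto udp from ($ext_if) to any port 4500 keep state
pass out on $ext_if proto esp from ($ext_if) to any keep state
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -s nat` shows the rules in evaluation order (the static-port rules must be listed first) and `pfctl -s state` shows whether the UDP/500 state was created with the source port preserved; a state entry like `tun0 udp 192.168.0.10:500 -> <ext addr>:500 -> <peer>:500` confirms the translation is doing what the IKE peer expects.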


More information about the freebsd-pf mailing list