nat before ipsec ...

Zeus Panchenko zeus at ibs.dn.ua
Fri Dec 27 07:22:12 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> target <-> world <--> em0 - freebsd - vlanA <--> LAN
>     ^                                        ^   net A
>     |					       |
>     +- netC -.-.-.-.- IPSec -.-.-.-.- net B -+
> ...
> where:
> A1 is some address from net A
> B2 is some address from net B
> C3 is some address from net C
>
> I can see incoming packets from A1 to C3 on interface vlanA, but after
> that the packets "disappear": I cannot find them on any other interface,
> and there are no return packets

finally I was able to get the packets redirected (actually after a pf restart,
not just a reload), and now I have A1 packets going to C3 on vlanA:

# tcpdump -ni tun10 host C3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun10, link-type NULL (BSD loopback), capture size 65535 bytes
07:10:57.641536 IP A1 > C3: ICMP echo request, id 59179, seq 8913, length 64
07:10:58.641467 IP A1 > C3: ICMP echo request, id 59179, seq 8914, length 64
07:10:59.641882 IP A1 > C3: ICMP echo request, id 59179, seq 8915, length 64

and further on I can see them on the interface IPsec is configured on:

# tcpdump -ni em1 host C3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
07:12:28.638456 IP A1 > C3: ICMP echo request, id 59179, seq 9004, length 64
07:12:29.636961 IP A1 > C3: ICMP echo request, id 59179, seq 9005, length 64
07:12:30.637647 IP A1 > C3: ICMP echo request, id 59179, seq 9006, length 64

but these packets *do not pass through the nat* ...

in pf.conf I do:

rdr pass on $if_vpn from A1 to C -> $target-side-of-ipsec
binat on $if_vpn from A1 to C3 -> B2

and net.inet.ipsec.filtertunnel is set to 1

is the URL below the answer?

http://forum.pfsense.org/index.php/topic,49800.msg265106.html#msg265106


- -- 
Zeus V. Panchenko				jid:zeus at im.ibs.dn.ua
IT Dpt., I.B.S. LLC					  GMT+2 (EET)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (FreeBSD)

iEYEARECAAYFAlK9KpgACgkQr3jpPg/3oyrcbgCfe7+k8VGcoqpQkbjg5uTmGn/A
xTUAoLLjMCD0GEcRWcAD61mXWMNZ+4ZQ
=2rY3
-----END PGP SIGNATURE-----
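A check a practitioner would want at this point, added here as an example and not part of the original post or of pf itself: take the `tcpdump -n` capture from the interface where the traffic arrives (vlanA) and the capture from the interface the `binat` rule is bound to, and confirm from the addresses alone whether the source was rewritten to B2 or whether the original A1 still appears past the nat, which is the symptom described above. The addresses, interface names and capture lines below are constructed placeholders standing in for A1, C3 and B2, not values from the post.

```python
"""Decide, from two tcpdump -n captures, whether a pf binat mapping rewrote
the source address of traffic heading into an IPsec tunnel.

Added example, not code from the original post. All addresses and capture
lines are constructed placeholders for A1, C3 and B2.
"""
import re
from collections import Counter

# Constructed sample addresses (assumptions, not from the post).
A1 = "10.1.0.10"   # host on net A that originates the ping
C3 = "10.3.0.30"   # target on net C, reached through the tunnel
B2 = "10.2.0.20"   # address A1 should appear as after "binat ... -> B2"

# One tcpdump -n packet line: "<ts> IP <src>[.port] > <dst>[.port]: <rest>".
# Banner lines ("listening on ...", "tcpdump: verbose ...") do not match.
_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<rest>.*)$"
)


def parse_tcpdump(text):
    """Return a (src, dst) pair for every packet line in a tcpdump -n capture."""
    flows = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            flows.append((m["src"], m["dst"]))
    return flows


def check_binat(inner_capture, outer_capture, orig=A1, target=C3, translated=B2):
    """Classify what the two captures show for the orig -> target flow.

    inner_capture: capture on the interface where the traffic enters (vlanA).
    outer_capture: capture on the interface the binat rule is bound to; this is
                   where the translated source must be visible if binat applied.
    """
    inner = Counter(parse_tcpdump(inner_capture))
    outer = Counter(parse_tcpdump(outer_capture))
    report = {
        "inner_requests": inner[(orig, target)],
        "outer_untranslated": outer[(orig, target)],       # the symptom in the post
        "outer_translated": outer[(translated, target)],
        "outer_replies": outer[(target, translated)],
        "inner_replies": inner[(target, orig)],
    }
    if report["outer_translated"] and not report["outer_untranslated"]:
        report["verdict"] = "binat applied"
    elif report["outer_untranslated"]:
        report["verdict"] = "binat NOT applied: original source seen past the nat"
    else:
        report["verdict"] = "flow not seen on outer interface"
    return report


# Constructed captures (placeholder data, not from the post).
INNER_CAPTURE = """\
listening on vlanA, link-type EN10MB (Ethernet), capture size 65535 bytes
07:10:57.641536 IP 10.1.0.10 > 10.3.0.30: ICMP echo request, id 59179, seq 8913, length 64
07:10:58.641467 IP 10.1.0.10 > 10.3.0.30: ICMP echo request, id 59179, seq 8914, length 64
07:10:59.641882 IP 10.1.0.10 > 10.3.0.30: ICMP echo request, id 59179, seq 8915, length 64
"""

# Outer interface still showing A1: the failure mode described in the post.
OUTER_BROKEN = """\
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
07:12:28.638456 IP 10.1.0.10 > 10.3.0.30: ICMP echo request, id 59179, seq 9004, length 64
07:12:29.636961 IP 10.1.0.10 > 10.3.0.30: ICMP echo request, id 59179, seq 9005, length 64
07:12:30.637647 IP 10.1.0.10 > 10.3.0.30: ICMP echo request, id 59179, seq 9006, length 64
"""

# Outer interface showing B2 and replies back to B2: what a working binat looks like.
OUTER_OK = """\
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
07:12:28.638456 IP 10.2.0.20 > 10.3.0.30: ICMP echo request, id 59179, seq 9004, length 64
07:12:28.639001 IP 10.3.0.30 > 10.2.0.20: ICMP echo reply, id 59179, seq 9004, length 64
07:12:29.636961 IP 10.2.0.20 > 10.3.0.30: ICMP echo request, id 59179, seq 9005, length 64
07:12:29.637500 IP 10.3.0.30 > 10.2.0.20: ICMP echo reply, id 59179, seq 9005, length 64
"""

if __name__ == "__main__":
    print("broken:", check_binat(INNER_CAPTURE, OUTER_BROKEN))
    print("working:", check_binat(INNER_CAPTURE, OUTER_OK))
```

On a live box the two inputs are simply the output of `tcpdump -ni vlanA host C3` and `tcpdump -ni em1 host C3` (or the tunnel interface, if that is what the binat rule names); the point of counting both the untranslated and the translated pairs on the outer side is that a zero in `outer_translated` alone cannot distinguish "binat skipped" from "traffic never reached that interface".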


More information about the freebsd-pf mailing list