NAT for use with OpenVPN

Phil Staub phil at staub.us
Wed Nov 13 20:45:59 UTC 2019


I believe I'm getting close.

I found a tutorial at

https://www.howtoforge.com/nat_iptables

... that gives identifies a couple rules to enable IP Forwarding and
Masquerading:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

This results in the following:

# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
GUSTER     tcp  --  anywhere             anywhere             tcp dpt:80
GUSTER     tcp  --  anywhere             anywhere             tcp dpt:443
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain GUSTER (2 references)
target     prot opt source               destination
#

I'm not sure about the ACCEPT rule. I think it might be too general,
but I'll do some more research on that.

I am now able to ping 8.8.8.8 from my phone, and I used
'whatismyip.com' to verify that it sees my router's public IP address.

I also have a handle on where to put this so that it survives a router reboot.

One of the comments in another tutorial I was reading says that the
MASQUERADE rule is resource intensive, but if I understand it
correctly, the only alternative would be to put a specific rule in
place for each client. I don't think I want to do that

Comments?

Phil


On Wed, Nov 13, 2019 at 11:03 AM Morgan Wesström <
freebsd-database at pp.dyndns.biz> wrote:

> > # tcpdump -nvvi eth0 icmp
> > tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size
> > 65535 bytes
> > 15:22:29.614953 IP (tos 0x0, ttl 62, id 5638, offset 0, flags [DF],
> > proto ICMP (1), length 84)
> >      10.8.0.8 > 8.8.8.8 <http://8.8.8.8>: ICMP echo request, id 13, seq
> > 1, length 64
> > Are you thinking that the ping should be coming from 192.168.1.200 (my
> > OpenVPN server machine)? If not, how else would you know whether the
> > address is being NATed?
>
> The packet is NATed when your Netgear router exchange the source ip
> address 10.8.0.8 with its own public external ip address 67.175.144.37.
>
> I you ping from any machine on your 192.168.1.0/24 subnet you will see
> those packets as "67.175.144.37 > 8.8.8.8" on your external interface
> regardless of what ip is the source on the LAN. This is what should've
> been the case also from 10.8.0.0/24 if the router was doing its job
> properly.
>
> If you listen with tcpdump on the internal interface, before NAT takes
> place, you will still see the original private ip addresses as source
> addresses.
>
> Private ip addresses (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16)
> can't be routed on the Internet (RFC1918). NAT means that when your
> router receives a packet on its internal interface, destined for the
> Internet, with one of those private ip addresses in the source field, it
> exchanges it with its own external ip before forwarding it to your ISP.
> It then keeps a table of what internal ip communicates with what ip on
> the Internet. When a reply returns it's matched against this table and
> if the router finds that this packet is meant for a computer on your LAN
> it will now reverse the NAT procedure and exchange its external ip
> (which is now the destination address) with the correct internal ip and
> put the packet on your LAN.
>
> The reason you can't see pings from your internal ips to your external
> ip on the external interface is simply because those packets are never
> actually put on that interface physically. When those pings reach the
> internal interface, the ip stack in the router realizes that the ping is
> meant for itself and immediately responds on the internal interface.
> tcpdump listens to what's actually put on the physical interface and
> won't see those packets while listening on eth0. Everything you have
> shown me so far is consistent with our suspicion that the Netgear router
> only provides NAT for 192.168.1.0/24.
>
> I have only rudimentary knowledge of iptables but I'm convinced your
> problem will be solved if you can find a way to add a NAT rule for
> 10.8.0.0/24 or better yet, for any subnet existing on your LAN.
>
> /Morgan
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>


More information about the freebsd-pf mailing list