NAT for use with OpenVPN
Phil Staub
phil at staub.us
Wed Nov 13 21:31:40 UTC 2019
On Wed, Nov 13, 2019 at 4:13 PM Morgan Wesström <freebsd-database at pp.dyndns.biz> wrote:
> > iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
>
> As I understand iptables, this is the normal/only way to provide NAT for
> any subnet.
>
> > One of the comments in another tutorial I was reading says that the
> > MASQUERADE rule is resource intensive, but if I understand it correctly,
> > the only alternative would be to put a specific rule in place for each
> > client. I don't think I want to do that
>
> I wonder what their reference was. When you're using iptables you only
> have MASQUERADE to choose from. Even my 20-year-old Netgear RT-314 did
> NAT without problems...
>
See my follow up message. It's the SNAT directive. The tutorial I was
looking at was
https://www.karlrupp.net/en/computer/nat_tutorial
>
> > Comments?
>
> Well, I am concerned we couldn't identify what mechanism was responsible
> for the already working NAT for 192.168.1.0/24. We wouldn't want to end
> up with two competing mechanisms activated at the same time and the rule
> you added will provide NAT for 10.8.0.0/24 as well as 192.168.1.0/24 -
> the latter which was already working.
>
True enough.
> There should be init scripts on that router to start all services. Maybe
> they can give a clue on what's going on and how Netgear chooses to
> activate their services.
>
This thing seems to have a very convoluted startup. Not at all like most
Linux systems I've seen. The file I found where they had added some rules
was definitely not where I expected it to be, and there are no MASQUERADE
commands in it.
>
> Whatever you do, just verify that the router's admin interface is not
> accessible from the Internet after you've added your rules!
>
Definitely. I assume the way to test that would be to attempt to access my
router from the outside the same way I would when I log in from the inside.
Phil
> /Morgan
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-pf
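A way to check for the double-NAT overlap Morgan warns about and to express the narrower SNAT alternative Phil found, as an added shell example that is not from the thread or from the router's own scripts; the WAN interface name, subnets and public address are assumptions, and the nat-table dumps are constructed.

```shell
#!/bin/sh
# Added example: inspect an `iptables-save -t nat` style dump for POSTROUTING
# rules that already NAT a subnet out of the WAN interface, so a new VPN rule
# does not stack a second mechanism on the LAN, and build a source-specific
# SNAT rule for the OpenVPN subnet instead of a blanket MASQUERADE.
WAN_IF="eth0"                 # assumed WAN interface
VPN_NET="10.8.0.0/24"         # OpenVPN client subnet from the thread
LAN_NET="192.168.1.0/24"      # LAN subnet already NATed
PUBLIC_IP="203.0.113.5"       # assumed static WAN address (documentation range)

# Constructed dumps: in the first the LAN is NATed by a source-specific SNAT
# rule; the second adds the tutorial's blanket MASQUERADE rule on top of it.
DUMP_BEFORE='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.5
COMMIT'
DUMP_AFTER='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.5
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Count POSTROUTING SNAT/MASQUERADE rules on the WAN interface that apply to
# the subnet in $1: a rule whose -s matches it, or a rule with no -s at all
# (which rewrites every source). Reads the dump on stdin, prints the count.
count_nat_rules() {
  awk -v net="$1" -v wan="$WAN_IF" '
    /^-A POSTROUTING / && $0 ~ ("-o " wan "( |$)") && /-j (SNAT|MASQUERADE)/ {
      src = ""
      for (i = 1; i <= NF; i++) if ($i == "-s") src = $(i + 1)
      if (src == "" || src == net) n++
    }
    END { print n + 0 }'
}

# Print the rule to add: only traffic from the VPN subnet leaving the WAN
# interface is rewritten, and with a static public address SNAT skips the
# interface-address lookup MASQUERADE performs for each new connection.
snat_rule() {
  printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
    "$1" "$WAN_IF" "$2"
}

echo "LAN rules before: $(printf '%s\n' "$DUMP_BEFORE" | count_nat_rules "$LAN_NET")"
echo "LAN rules with blanket MASQUERADE: $(printf '%s\n' "$DUMP_AFTER" | count_nat_rules "$LAN_NET")"
echo "proposed rule: $(snat_rule "$VPN_NET" "$PUBLIC_IP")"
```

A count above 1 for the LAN means two NAT rules compete for the same traffic; on a real router feed `iptables-save -t nat` into `count_nat_rules` instead of the constructed dumps.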