Want to NAT over VPN but not the gateway's own traffic

Michael Sierchio kudzu at tenebras.com
Sat Mar 5 16:35:01 UTC 2016

This is indeed possible. I've done this with a combination of ipfw, kernel
nat, and firewall rules that explicitly use different route tables (man

This is a brief snippet from a firewall that was routing different traffic
differently, and using NAT on the OpenVPN tunneled traffic.


# FW is the ipfw binary; IF_TUN is the OpenVPN tun interface, INSIDE_NET the LAN prefix.
# FIB 1 gets its own default route via the tunnel; FIB 0 (the gateway's own traffic) is left alone.
setfib 1 route -q add default -interface $IF_TUN

$FW nat 100 config if $IF_TUN
# De-NAT replies arriving on the tunnel.
$FW add nat 100 ip from any to any in recv $IF_TUN
# Move only LAN-originated packets to FIB 1 (setfib is non-terminating, so the packet continues).
$FW add setfib 1 ip from $INSIDE_NET to any
# NAT LAN traffic as it leaves through the tunnel.
$FW add nat 100 ip from any to any out xmit $IF_TUN

On Sat, Mar 5, 2016 at 2:55 AM, Malcolm Matalka <mmatalka at gmail.com> wrote:

> I'm trying to have the following setup:
> I have a host that is acting as a WiFi access point and then NATing
> traffic to the internet.  That host is running an OpenVPN client.  So
> wlan0 traffic is NAT'd to tun0.  That is exactly what I want.  However,
> I would like to keep this setup of the WiFi AP going through the VPN but
> the traffic of the machine itself to go not go through the VPN.
> Is this possible?  How?  I'm not sure what information I actually need
> to get proper help.
> /Malcolm
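The same setup as a complete rc-style script, added here as an example and not taken from the post above: it checks that a second FIB exists, gives FIB 1 a default route through the tunnel, and installs the ipfw kernel-nat rules so only the LAN prefix is NATed over the VPN while the gateway keeps FIB 0's default route. Interface names, the LAN prefix and the rule numbers are assumptions; `DRY_RUN=1` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed values below.
IF_TUN=${IF_TUN:-tun0}                 # OpenVPN client interface
IF_LAN=${IF_LAN:-wlan0}                # WiFi access point interface
INSIDE_NET=${INSIDE_NET:-192.168.2.0/24}  # constructed LAN prefix
FW="ipfw -q"

# Print the command under DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# A second routing table is required: net.fibs is a loader tunable
# (net.fibs=2 in /boot/loader.conf), so it cannot be enabled here.
check_fibs() {
    fibs=$(sysctl -n net.fibs 2>/dev/null || echo 1)
    [ "$fibs" -ge 2 ]
}

# Routing and firewall configuration; FIB 0 is deliberately not touched,
# so the gateway's own traffic still uses the physical uplink.
vpn_nat_rules() {
    run sysctl net.inet.ip.forwarding=1
    run setfib 1 route -q add default -interface "$IF_TUN"
    run $FW nat 100 config if "$IF_TUN" same_ports
    # Replies coming back over the tunnel are de-NATed first.
    run $FW add 100 nat 100 ip from any to any in recv "$IF_TUN"
    # Only packets entering from the LAN are moved to FIB 1; the forwarding
    # lookup happens after the inbound pass, and setfib does not stop rule
    # processing, so the packet still reaches the outbound NAT rule.
    run $FW add 200 setfib 1 ip from "$INSIDE_NET" to any in recv "$IF_LAN"
    run $FW add 300 nat 100 ip from any to any out xmit "$IF_TUN"
    run $FW add 65000 allow ip from any to any
}

main() {
    check_fibs || { echo "net.fibs must be >= 2 (set in loader.conf)" >&2; return 1; }
    vpn_nat_rules
}

# Apply only when invoked as "vpn-nat.sh apply"; sourcing just defines functions.
case "${1:-}" in apply) main ;; esac
```

The OpenVPN client must not install a pushed redirect-gateway into FIB 0 (for example with `route-nopull` or `pull-filter ignore "redirect-gateway"`), or the gateway's own traffic will end up in the tunnel anyway.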
