On 3/23/2014 10:57 AM, Karl Denninger wrote:

On 3/23/2014 12:01 AM, Karl Denninger wrote:

On 3/22/2014 5:44 PM, Karl Denninger wrote:
FreeBSD-STABLE 10 r263037M


It *looks* like anything coming in through IPSEC and being decoded in there never goes through the ipfw chain at all.....

This may be addressed by PR185876.... checking.

Or not....

Now the packets just disappear entirely.  Still investigating....

Got it.

With the patches you have to be verrrry careful with the nat, and make sure you first explicitly *exclude* NAT processing from IPSEC-related packets (which DO have their tags properly carried forward now) and then you must also explicitly process NAT *outbound only* for IPSEC-outbound packets that arrive coming inward.

In other words, with pr185876 on your system, assuming 192.168.2.0/24 is your IPSEC pool and the Internet-accessible interface is em1, you need the following fragments if you want NAT to the Internet at-large to work for IPSEC-connected clients:

01700 divert 8668 ip4 from any to any not ipsec via em1
01705 divert 8668 ip4 from 192.168.2.0/24 to any ipsec xmit em1

To process all NAT-related traffic EXCEPT outbound IPSEC-related, and then to explicitly process *only* outbound IPSEC related packets (and not inbound ones, which are picked up by the first rule already)

That works.

pr185876's fixes must be in your system, and because they change header definitions you must rebuild world, not just the kernel.

--
-- Karl
k...@denninger.net
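The two divert rules from the post, as an added example in the shape of a FreeBSD firewall_script fragment (this is not code from the original thread). Assumed, and not stated above: natd is started separately on the same divert port (e.g. "natd -p 8668 -n em1"), rule numbers 1700/1705 are kept from the post, and IPFW_CMD can be overridden to preview the rules without root. The post's own caveat still applies: the "ipsec" keyword only sees tags on decapsulated packets once the PR185876 patches are in both kernel and world.

```shell
#!/bin/sh
# Added example, not from the original thread: the two NAT divert rules
# from the post, wrapped so they can be previewed and then applied.
# Assumed (not in the post): natd is started separately, e.g.
#   natd -p 8668 -n em1
# and the PR185876 patches are installed in kernel and userland; without
# them packets leaving IPsec processing carry no tag for "ipsec" to match.

IPFW_CMD="${IPFW_CMD:-/sbin/ipfw}"   # set IPFW_CMD=echo to preview only
NATD_PORT=8668                        # divert port natd listens on
IPSEC_POOL="192.168.2.0/24"           # address pool handed to IPsec clients
EXT_IF="em1"                          # Internet-facing interface

# Emit the two rules, in the order the post requires:
#  1700: NAT everything crossing the external interface in either
#        direction ("via"), EXCEPT packets that came out of IPsec
#        processing ("not ipsec"). Inbound traffic for the IPsec clients
#        is still caught here, since it arrives from the Internet untagged.
#  1705: NAT only packets from the IPsec pool being transmitted on the
#        external interface ("xmit"), i.e. the client-originated traffic
#        that has already been decapsulated. Inbound IPsec-tagged packets
#        are deliberately not matched by either rule.
ipsec_nat_rules() {
    pool="$1"; ext="$2"; port="$3"
    "$IPFW_CMD" add 1700 divert "$port" ip4 from any to any not ipsec via "$ext"
    "$IPFW_CMD" add 1705 divert "$port" ip4 from "$pool" to any ipsec xmit "$ext"
}

# "preview" (the default) prints the rules; "apply" loads them with ipfw.
case "${1:-preview}" in
    apply)
        ipsec_nat_rules "$IPSEC_POOL" "$EXT_IF" "$NATD_PORT"
        ;;
    preview)
        IPFW_CMD=echo
        ipsec_nat_rules "$IPSEC_POOL" "$EXT_IF" "$NATD_PORT"
        ;;
    *)
        echo "usage: $0 [preview|apply]" >&2
        exit 64
        ;;
esac
```

Run it with no arguments to see the exact rule text that would be loaded; run it as root with "apply" on a box that already has the patched kernel and world. The rest of the ruleset (what is allowed after the divert) is deliberately left out, since the post only shows the NAT fragments.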
