On 19.07.2017 at 12:12, Andrey V. Elsukov wrote:

Try to add the following rule:

ipfw add 179 nat 1 log all from 10.24.66.0/24 to 10.26.1.1 in recv enc0

This rule will pass a decrypted packet to the NAT instance, which will
check in the state table whether the packet should be translated back or not.

You need to have the enc0 interface in the UP state, and the sysctl variable
net.enc.in.ipsec_filter_mask should be set to 1 or 2.

After translation on enc0 the packet will be returned to the IPsec
subsystem, which will queue it for further processing in the netisr.
Since the destination address becomes foreign, it will be forwarded by the IP stack.


Hi,

I tried this but still no luck. Packets get seen by ipfw -ta list:

00179 139 3892 Wed Jul 19 14:00:21 2017 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24
00179 143 4228 Wed Jul 19 14:00:21 2017 nat 2 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0
65535 5891 1716730 Wed Jul 19 14:00:21 2017 allow ip from any to any

But there's nothing on the internal IF. I also played around with filter_mask and one_pass, and also tried (as you see above) a second nat instance with reverse disabled.

Do you have any other clue?

Really appreciate your help, thanks!

Michael
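As an added example (not code from either poster), the steps Andrey gives above wrapped in a small sh script for a FreeBSD host: it checks the two preconditions he names (the sysctl value and enc0 being UP) before adding the rule, builds the rule text from the addresses in the thread, and parses `ipfw -ta list` output so the packet counters Michael pasted can be read per rule. Rule number 179, NAT instance 1, enc0, 10.24.66.0/24 and 10.26.1.1 are from the thread; the NAT alias address 192.0.2.1 is a constructed placeholder, and the `apply` entry point only runs when ipfw is actually present.

```shell
#!/bin/sh
# Added example, not from the thread. Rule number, nat instance, networks and
# the enc0 interface are the thread's; the alias address 192.0.2.1 is a
# constructed placeholder.

# The thread says net.enc.in.ipsec_filter_mask must be 1 or 2 for the enc0
# rule to see inbound traffic; return 0 for an acceptable value.
valid_filter_mask() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# Build the rule body Andrey gives, parameterised on the addresses.
# $1 rule number, $2 nat instance, $3 source net, $4 destination, $5 enc interface
nat_rule() {
    printf 'add %s nat %s log all from %s to %s in recv %s\n' "$1" "$2" "$3" "$4" "$5"
}

# Sum the packet counters of every `ipfw -ta list` line carrying rule number $2
# (fields: rule, packets, bytes, timestamp, rule text). Prints 0 if absent.
# $1 is the listing text, $2 the rule number (leading zeros are ignored).
rule_packets() {
    printf '%s\n' "$1" | awk -v r="$2" \
        'BEGIN { n = 0 } $1 + 0 == r + 0 { n += $2 } END { print n }'
}

# Live check on a FreeBSD host: sysctl value and enc0 link state.
check_preconditions() {
    mask=$(sysctl -n net.enc.in.ipsec_filter_mask) || return 1
    if ! valid_filter_mask "$mask"; then
        echo "net.enc.in.ipsec_filter_mask is $mask; set it to 1 or 2" >&2
        return 1
    fi
    # FreeBSD prints flags=...<UP,...> when the interface is up.
    if ! ifconfig enc0 2>/dev/null | grep -q '<UP[,>]'; then
        echo "enc0 is not UP; run: ifconfig enc0 up" >&2
        return 1
    fi
}

# Configure the NAT instance and add the enc0 rule from the thread.
apply() {
    check_preconditions || return 1
    ipfw nat 1 config ip 192.0.2.1   # alias address: constructed placeholder
    ipfw $(nat_rule 179 1 10.24.66.0/24 10.26.1.1 enc0)
}

# The listing Michael posted, copied verbatim as sample input for rule_packets.
SAMPLE_LIST='00179 139 3892 Wed Jul 19 14:00:21 2017 nat 1 log ip from 10.26.2.0/24 to 10.24.66.0/24
00179 143 4228 Wed Jul 19 14:00:21 2017 nat 2 log ip from 10.24.66.0/24 to 10.26.1.1 in recv enc0
65535 5891 1716730 Wed Jul 19 14:00:21 2017 allow ip from any to any'

# Only touch the firewall when asked to and when ipfw exists; otherwise show
# the rule that would be added and what the sample counters say.
if [ "${1:-}" = "apply" ] && command -v ipfw >/dev/null 2>&1; then
    apply
else
    printf 'ipfw %s' "$(nat_rule 179 1 10.24.66.0/24 10.26.1.1 enc0)"
    printf 'packets counted on rule 179 in the sample listing: %s\n' \
        "$(rule_packets "$SAMPLE_LIST" 179)"
fi
```

Run with `sh script.sh apply` on the gateway to perform the setup; without the argument it only prints. A non-zero counter on rule 179 shows the rule is matching, as in Michael's listing, so the remaining question is what happens after the NAT step rather than whether the packet reaches it.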

_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
