I understand what you're saying here. I had hoped this wouldn't be a problem, since I didn't have a problem with the VPN in my old router, though I agree that this is NOT the same configuration.
NAT is usually only applied to packets arriving/departing on the physical external interface. When you access your external router ip from your LAN, no packets actually touch the physical interface but are only handled internally in the ip stack. I know there have been some SOHO routers on the market that had a setting to work around this but it violated a bunch of RFCs ofc.
The problem I have with this explanation is that when I connect to the VPN from my phone with the WiFi turned off, it connects via an outside IP that is NOT my local router. In this case, the ping of 8.8.8.8 still fails.
Ok, this is interesting. If I understood your previous post, from your vpn client you can ping everything on your local LAN up to and including the external ip of your router? This tells me that everything is correctly configured on your LAN, including the routing tables in your Netgear router. If the route was missing there you wouldn't get a reply from the router since it would have no idea where to send packets with a 10.8.0.0/24 destination. Right now my best guess is that your router only does NAT for the subnet directly attached to its LAN port (192.168.1.0/24) and just lets packets from 10.8.0.0/24 through without modification. Your ISP will promptly drop such packets. The only way to tell is if your router allows monitoring of the packets on its interfaces so we can check what source/destination ip addresses are present in the packets passing through it. You can verify on the FreeBSD machine that at least those ping packets leave it correctly with a source address of 10.8.0.5 (vpn client ip) and a destination address of 8.8.8.8.
# tcpdump -ni em0 icmp
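Added example, not from the thread: if the Netgear really forwards 10.8.0.0/24 sources untranslated, one workaround on the FreeBSD side is to let pf translate the VPN clients to the FreeBSD host's own LAN address before the packets reach the Netgear, so the Netgear only ever sees 192.168.1.x sources it already knows how to NAT. em0 and 10.8.0.0/24 are taken from the thread; the tunnel interface name tun0 is an assumption.

```pf
# /etc/pf.conf fragment on the FreeBSD VPN host (example, assumed names)
ext_if  = "em0"          # interface towards the Netgear LAN (192.168.1.0/24)
vpn_if  = "tun0"         # VPN tunnel interface (assumed name)
vpn_net = "10.8.0.0/24"  # VPN client subnet from the thread

# Translate VPN client sources to this host's em0 address on the way out.
# In pf, nat is applied before the outbound filter, so the Netgear (and the
# tcpdump above) will see 192.168.1.x instead of 10.8.0.x as the source.
nat on $ext_if from $vpn_net to any -> ($ext_if)

# Only admit traffic from the VPN subnet on the tunnel side, and let the
# translated packets out on the LAN side with state tracking.
pass in  on $vpn_if from $vpn_net to any keep state
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and after loading `pfctl -s nat` should list the rule and `pfctl -s state` should show the translated ICMP entries while a VPN client pings 8.8.8.8.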
I certainly appreciate all your help on this! You have definitely filled in a lot of blanks in my knowledge.
You're welcome, Phil. I've been using FreeBSD as my router/firewall for the past 15+ years but my knowledge is limited to things I experience in my own environment so it's not always that easy to help others.
A general suggestion, if you have the time and interest to install and configure FreeBSD, you'd be better off to replace your Netgear router with a FreeBSD machine. The major benefit is that there will always be security updates available whereas Netgear and other SOHO manufacturers will abandon their products after a couple of years. You will also have all the tools available to monitor and analyse your traffic which will help you with troubleshooting. You also have the flexibility to install any software available for the platform and configure it to your own needs. If the command prompt is scary, there are a few graphical distributions that are based on FreeBSD, like pfSense for example.
/Morgan

freebsd-pf@freebsd.org mailing list, https://lists.freebsd.org/mailman/listinfo/freebsd-pf