On Fri, 7 Dec 2018 10:00:07 +0100 Thuban <thu...@yeuxdelibad.net> wrote:

> * Stuart Henderson <s...@spacehopper.org> on [06-12-2018 13:44:50 +0000]:
> > On 2018-12-06, Thuban <thu...@yeuxdelibad.net> wrote:
> > > * Thuban <thu...@yeuxdelibad.net> on [02-12-2018 19:16:09 +0100]:
> > >> Hi,
> > >> I need help to write a correct rule in pf.conf.
> > >>
> > >> I want:
> > >>
> > >> A -----> B ------> web
> > >>
> > >> The IP of A appearing on the web is B's.
> > >>
> > >> I managed to configure iked on A and B using default pubkeys according
> > >> to Stuart Henderson's advice.
> > >>
> > >> iked.conf on A:
> > >>
> > >> ikev2 active ipcomp esp \
> > >>     from 192.168.100.0/16 to 0.0.0.0/0 \
> > >>     peer "xx.xx.xx.xx" \
> > >>     srcid "m...@moria.lan" \
> > >>     dstid "B-hostname.tld" \
> > >>     tag IKED
> > >>
> > >> iked.conf on B:
> > >>
> > >> ikev2 "warrior" passive esp \
> > >>     from 0.0.0.0/0 to 0.0.0.0/0 \
> > >>     local xx.xx.xx.xx peer any \
> > >>     srcid "B-hostname.tld" \
> > >>     tag IKED
> > >>
> > >> Auth works as expected:
> > >>
> > >> # iked -vvd
> > >> ..
> > >> sa_state: VALID -> ESTABLISHED from xx.xx.xx.xx:4500 to
> > >> 192.168.100.122:4500 policy 'policy1'
> > >> ..
> > >>
> > >>
> > >> But I can't reach the internet from A through B.
> > >>
> > >> Here is the pf.conf on B (at least a small part of it):
> > >>
> > >> pass out on egress \
> > >>     from any to any tagged IKED \
> > >>     nat-to (egress)
> > >>
> > >>
> > >
> > > I'm still stuck at the same point.
> > > Can someone give me an example of a working configuration natting to
> > > the Internet?
> >
> > I used this,
> >
> > pass in on enc0 inet from $some_net
> > pass out quick on egress inet received-on enc0 nat-to $some_address
> >
> > Also I don't remember what you've already said you checked, but
> > make sure you have sysctl net.inet.ip.forwarding=1.
> >
>
> Thank you.
> Yes, I do have ip.forwarding=1.
>
> I'm confused how to replace "$some_address". Isn't it "(egress)"?

"(egress)" or your_WAN_IP

> Regards.

--
radek
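The following is an added example, not posted by anyone in this thread: it puts Stuart's two rules into a minimal, loadable pf.conf for B, with "$some_address" filled in the way radek suggests. Everything beyond the quoted rules is an assumption: that B's uplink is in the default `egress` interface group, that decrypted traffic from A arrives on `enc0` as it does with iked on OpenBSD, that A's network is the one written in A's iked.conf as posted, and that 203.0.113.5 (a documentation address) stands in for "your_WAN_IP".

```pf
# /etc/pf.conf on B, the IPsec gateway. Added example built from the rules
# quoted in the thread; interface and network names are assumptions.
#
# pf filters a forwarded packet on every interface it crosses, so a packet
# that A sends through the tunnel must be passed *in* on enc0 (where the
# kernel hands over the decrypted packet) and *out* on egress, and the
# nat-to on the out rule is what rewrites A's source address to B's.
#
# Prerequisite noted in the thread: sysctl net.inet.ip.forwarding=1

warrior_net = "192.168.100.0/16"    # A's "from" network, as in A's iked.conf

set skip on lo

# Default deny; the rules below open only what the VPN gateway needs.
block log all

# Let IKE (UDP 500), IKE over NAT-T (UDP 4500) and ESP reach iked on B.
pass in on egress inet proto udp from any to (egress) port { 500 4500 }
pass in on egress inet proto esp from any to (egress)

# Stuart's first rule: decrypted traffic from A arrives on enc0.
pass in on enc0 inet from $warrior_net

# Stuart's second rule with $some_address resolved. "(egress)" in
# parentheses means pf looks up the interface's current address for each
# packet, so it keeps working if B's WAN address changes; with a static
# address, "nat-to 203.0.113.5" behaves the same. "received-on enc0"
# limits the rule to packets that came in over the tunnel, so B's own
# traffic and anything else routed through B is not affected.
pass out quick on egress inet received-on enc0 nat-to (egress)

# B's own outbound traffic, including the ESP it sends back to A.
pass out on egress inet from (egress)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. While A is browsing, `pfctl -ss` should show a state on enc0 with A's address as source and a second one on egress whose source is B's address; if the enc0 state appears but the egress one does not, the out rule is not matching and `pfctl -sr` with `pfctl -vvsr` counters is the place to look.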