Hello, I am lost in a routing problem or a very simple NAT trouble I can't resolve. OpenBSD 4.0 GENERIC kernel except for the RAID. My network looks like this:
ISP -- router1 -- VPN -- router2 (em1: 193.189.180.129) (bge1: 10.1.1.11)

It looks like NAT isn't working. Test:

# ping -I 10.1.1.11 -c2 209.85.129.147
PING 209.85.129.147 (209.85.129.147): 56 data bytes

--- 209.85.129.147 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

The packets are arriving on my ext_if but not into the tunnel.

# tcpdump -i em1 icmp
tcpdump: listening on em1, link-type EN10MB
23:54:14.180023 193.189.180.129 > fk-in-f147.google.com: icmp: echo request
23:54:15.190011 193.189.180.129 > fk-in-f147.google.com: icmp: echo request
23:54:16.200010 193.189.180.129 > fk-in-f147.google.com: icmp: echo request

ping -c2 209.85.129.147 from ext_if is just working fine.

# tcpdump -i enc0
tcpdump: WARNING: enc0: no IPv4 address assigned
tcpdump: listening on enc0, link-type ENC
00:02:13.582222 (authentic,confidential): SPI 0xceaad5b0: 193.189.180.129 > fk-in-f147.google.com: icmp: echo request (encap)
00:02:13.582255 (authentic,confidential): SPI 0x1bbc2fc6: esp 172.16.16.6 > 172.16.15.6 spi 0xCEAAD5B0 seq 648 len 132 (encap)
00:02:13.618286 (authentic,confidential): SPI 0x3bf920e4: esp 172.16.15.6 > 172.16.16.6 spi 0x127C2A0B seq 639 len 132 (encap)
00:02:13.618304 (authentic,confidential): SPI 0x127c2a0b: fk-in-f147.google.com > 193.189.180.129: icmp: echo reply (encap)
00:02:14.590019 (authentic,confidential): SPI 0xceaad5b0: 193.189.180.129 > fk-in-f147.google.com: icmp: echo request (encap)

I am not sure what (and if) I should set mygate to. I set it to 193.189.180.129; it is the same as ext_if??? Any hint for me?
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1
# pfctl -e
pfctl: pf already enabled

pf.conf:
================================
ext_if="em1"
int_if="bge1"

scrub in

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
nat on $ext_if from $int_if:network to any -> ($ext_if:0)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $ext_if proto tcp from <spamd> to port smtp \
    -> 127.0.0.1 port spamd
rdr pass on $ext_if proto tcp from !<spamd-white> to port smtp \
    -> 127.0.0.1 port spamd

anchor "ftp-proxy/*"
pass in quick all
pass out quick all
================================

Routing tables

Internet:
Destination         Gateway             Flags   Refs  Use    Mtu    Interface
default             193.189.180.129     UGS     2     2709   -      em1
10.1.1/24           link#4              UC      2     0      -      bge1
127/8               127.0.0.1           UGRS    0     0      33224  lo0
127.0.0.1           127.0.0.1           UH      1     0      33224  lo0
172.16.15.6         172.16.16.5         UGHS    2     583    -      bge0
172.16.16.4/30      link#3              UC      1     0      -      bge0
172.16.16.5         00:90:69:c2:7c:00   UHLc    1     0      -      bge0
193.189.180.128/27  link#2              UC      30    0      -      em1
193.189.180.129     00:04:23:d4:fc:17   UHLc    1     0      -      lo0
193.189.180.130     00:50:04:68:1d:86   UHLc    0     2      -      em1
224/4               127.0.0.1           URS     0     0      33224  lo0

Encap:
Source              Port  Destination         Port  Proto  SA(Address/Proto/Type/Direction)
172.16.15.6/32      0     172.16.16.6/32      0     0      172.16.15.6/esp/use/in
172.16.16.6/32      0     172.16.15.6/32      0     0      172.16.15.6/esp/require/out
default             0     193.189.180.128/27  0     0      172.16.15.6/esp/use/in
193.189.180.128/27  0     default             0     0      172.16.15.6/esp/require/out

Mitja
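As an added illustration (this is not part of Mitja's post, nor OpenBSD code), here is a small Python script that parses the "Internet:" routing table and the "Encap:" flow table exactly as posted and reports, for a given packet header, which route and which IPsec flow would match it. Running it for the LAN host's source address before NAT, for the address `nat on em1` substitutes, and for the echo reply on its way back shows that only the NATed packet falls inside the `193.189.180.128/27 -> default` flow, which is the interaction a reader troubleshooting this setup wants to see. The lookup logic (longest prefix for routes, most specific source/destination pair for flows) is this example's own approximation of the kernel's behaviour, not something the post states, and the `trace` helper and its output format are constructed for the example.

```python
import ipaddress

# Constructed sample input: the "Internet:" routing table as posted
# (netstat -rn style, with abbreviated prefixes such as 10.1.1/24 and 127/8).
ROUTING_TABLE = """\
default 193.189.180.129 UGS 2 2709 - em1
10.1.1/24 link#4 UC 2 0 - bge1
127/8 127.0.0.1 UGRS 0 0 33224 lo0
127.0.0.1 127.0.0.1 UH 1 0 33224 lo0
172.16.15.6 172.16.16.5 UGHS 2 583 - bge0
172.16.16.4/30 link#3 UC 1 0 - bge0
172.16.16.5 00:90:69:c2:7c:00 UHLc 1 0 - bge0
193.189.180.128/27 link#2 UC 30 0 - em1
193.189.180.129 00:04:23:d4:fc:17 UHLc 1 0 - lo0
193.189.180.130 00:50:04:68:1d:86 UHLc 0 2 - em1
224/4 127.0.0.1 URS 0 0 33224 lo0
"""

# Constructed sample input: the "Encap:" (IPsec flow) table as posted.
# Columns: Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
ENCAP_TABLE = """\
172.16.15.6/32 0 172.16.16.6/32 0 0 172.16.15.6/esp/use/in
172.16.16.6/32 0 172.16.15.6/32 0 0 172.16.15.6/esp/require/out
default 0 193.189.180.128/27 0 0 172.16.15.6/esp/use/in
193.189.180.128/27 0 default 0 0 172.16.15.6/esp/require/out
"""


def parse_prefix(text):
    """Turn a netstat-style destination into an ip_network.

    netstat drops trailing zero octets ("10.1.1/24", "127/8", "224/4"),
    prints host routes without a mask, and writes 0.0.0.0/0 as "default".
    """
    if text == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, mask = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (mask or "32"), strict=False)


def parse_routes(table):
    """(network, gateway, flags, interface) per routing-table line."""
    routes = []
    for line in table.splitlines():
        dest, gateway, flags, _refs, _use, _mtu, iface = line.split()
        routes.append((parse_prefix(dest), gateway, flags, iface))
    return routes


def parse_flows(table):
    """(src_net, dst_net, sa_addr, sa_proto, sa_type, direction) per Encap line."""
    flows = []
    for line in table.splitlines():
        src, _sport, dst, _dport, _proto, sa = line.split()
        sa_addr, sa_proto, sa_type, direction = sa.split("/")
        flows.append((parse_prefix(src), parse_prefix(dst), sa_addr, sa_proto, sa_type, direction))
    return flows


def lookup_route(routes, dst):
    """Longest-prefix match over the routing table (assumption: mirrors the kernel)."""
    dst = ipaddress.ip_address(dst)
    return max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)


def lookup_flow(flows, src, dst, direction):
    """Most specific flow whose source and destination both cover the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [f for f in flows if f[5] == direction and src in f[0] and dst in f[1]]
    if not matches:
        return None
    return max(matches, key=lambda f: f[0].prefixlen + f[1].prefixlen)


def trace(src, dst, direction="out"):
    """Report the route and the IPsec flow (if any) a packet with this header would hit."""
    route = lookup_route(parse_routes(ROUTING_TABLE), dst)
    flow = lookup_flow(parse_flows(ENCAP_TABLE), src, dst, direction)
    return {
        "interface": route[3] if route else None,
        "gateway": route[1] if route else None,
        "flow": None if flow is None else f"{flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}/{flow[4]}/{flow[5]}",
    }


if __name__ == "__main__":
    # The LAN host's ping before NAT, the same packet after nat on em1 rewrote
    # its source to 193.189.180.129, and the echo reply on the way back in.
    for src, dst, direction in [("10.1.1.11", "209.85.129.147", "out"),
                                ("193.189.180.129", "209.85.129.147", "out"),
                                ("209.85.129.147", "193.189.180.129", "in")]:
        print(f"{src} -> {dst} ({direction}): {trace(src, dst, direction)}")
```

The un-NATed packet matches the default route out of em1 but no flow, while the NATed packet and the returning reply both match the `require/out` and `use/in` flows between the 193.189.180.128/27 block and `default`; the reply's destination then resolves to the host route via lo0. Checking a candidate header against both tables in this way is a quick, offline way to reason about where pf's translation and the IPsec flow policy overlap before touching a live router.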