Hi Stuart

now I feel really stupid... Thank you! Problem solved...

Regards
andre

On 07.08.2010 00:18, Stuart Henderson wrote:
> "match" isn't an operation by itself. it sets options which "stick" to
> packets and are applied by the _next pass rule that matches that packet_.
>
> if there is no following pass rule to match that packet, nothing happens.
>
>
> On 2010-08-06, Andre Keller <a...@list.ak.cx> wrote:
>
>> Dear list members
>>
>> I've got a small problem with my OpenBSD based vpn gateway.
>>
>> There are 2 physical interfaces (vr0 <- wan, vr1 <- lan) and the openvpn
>> tunnel interface (tun0)
>>
>> VPN clients have an ip address assigned out of the range 10.176.3.0/24,
>> LAN clients out of the range 10.176.0.0/23.
>>
>>
>> Now I'd like to NAT the VPN clients to the LAN address of the gateway
>> (10.176.0.1) (There are clients in the network without a default gateway
>> and I do not want to add the 10.176.3.0/24 route to every device in the
>> network).
>>
>> I thought that this is an easy task to accomplish but I do not get the
>> nat tun0->vr1 working:
>>
>> My pf configuration is:
>> wan_if = "vr0"
>> lan_if = "vr1"
>> vpn_if = "tun0"
>> lan_net = $lan_if:network
>> vpn_net = "10.176.3.0/24"
>> pass quick on lo0
>> block return log on $wan_if all
>> pass out on $wan_if proto icmp all keep state
>> pass on $wan_if inet proto icmp all icmp-type 8 code 0
>> pass out on $wan_if proto udp all keep state
>> pass in on $wan_if proto udp from any to any port { 53 123 1194 }
>> pass out on $wan_if proto tcp all modulate state
>> pass in on $wan_if proto tcp from any to any port { 22 64321 }
>> match out on $wan_if from ($lan_net) nat-to ($wan_if:0)
>> match out on $lan_if from $vpn_net nat-to ($lan_if:0)
>>
>> tcpdump:
>> tcpdump -i vr1 'icmp'
>> tcpdump: listening on vr1, link-type EN10MB
>> 15:34:30.524786 10.176.3.6 > 10.176.0.4: icmp: echo request (DF)
>> 15:34:31.520010 10.176.3.6 > 10.176.0.4: icmp: echo request (DF)
>> 15:34:32.515313 10.176.3.6 > 10.176.0.4: icmp: echo request (DF)
>>
>>
>> Anyone have an idea what I'm missing?
>>
>> regards andre
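The rule ordering Stuart describes, written out as an added pf.conf example that is not part of the thread: interface names and networks are taken from Andre's mail, and the trailing "pass out on $lan_if" rule is the assumed addition that gives the match rule a pass rule to attach to.

```pf
# Added example, not Andre's posted ruleset. Macros as in his mail.
wan_if  = "vr0"
lan_if  = "vr1"
vpn_if  = "tun0"
lan_net = $lan_if:network
vpn_net = "10.176.3.0/24"

pass quick on lo0
block return log on $wan_if all

# LAN -> WAN NAT: this match rule sets a sticky nat-to, and the
# "pass out on $wan_if" rules that follow it create the state, so the
# translation is applied. This is why the WAN NAT in the posted ruleset works.
match out on $wan_if from ($lan_net) nat-to ($wan_if:0)
pass out on $wan_if proto icmp all keep state
pass out on $wan_if proto udp all keep state
pass out on $wan_if proto tcp all modulate state

# VPN -> LAN NAT: the posted ruleset stops after this match line. Nothing
# blocks the packet, so it still leaves vr1, but no later pass rule matches
# it, so the sticky nat-to is never applied and tcpdump on vr1 shows the
# untranslated 10.176.3.x source.
match out on $lan_if from $vpn_net nat-to ($lan_if:0)

# Assumed fix: a pass rule for the same traffic after the match rule. pf
# applies the nat-to when this rule creates state (keep state is the
# default on OpenBSD, so it need not be spelled out).
pass out on $lan_if from $vpn_net to $lan_net
```

After loading the ruleset with pfctl -f /etc/pf.conf, the same tcpdump on vr1 should show 10.176.0.1 as the source of the echo requests, and pfctl -ss lists the translated state.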