
RE: NAT *before* routing decision

Concurring with Sir Oliver, I'd like to add the following comments/hints:
 - I'm assuming that and are internal interfaces of
the OpenBSD firewalls, and that their external interface addresses are
not shown
 - Also assuming you'd like all machines on 10.1.1.* to access all
machines on 10.2.2.* (subject to firewall filtering on interface "enc0")
 - You might need to put "ifconfig enc0 up" in rc.local (to survive
 - No NAT is needed, just a routing statement (again, in rc.local) of
the form:
    + (on no nat on $ext_if from to
    + (on route add -net EXT_IF_ADDR_OF_10.2_BOX
    + (reverse/commensurate on 
And traffic between the two private nets will flow through the VPN
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf
Of Oliver Humpage
Sent: Wednesday, October 27, 2004 5:08 PM
To: [email protected]
Subject: Re: NAT *before* routing decision
On 27/10/04 6:58 pm, "Chris Wilson" <[email protected]> wrote:
> Hi all,
> Trying to get my head around mixing NAT and IPSEC on OpenBSD; hoping
> folks can tell me whether I'm crazy :-)
> I've got IPSEC ala:
> --------
> (ie the encryption domain and the vpn endpoints are the same).
> Now I'd like the OpenBSD machine at to be able to
> users on its local LAN access to through the IPSEC tunnel,
> NAT'ing the source address to
Why do you need to NAT the source packet? If you alter to shove
packet FROM its network TO over IPSec, then as long as the
machine knows that any packet from the network behind is to be
routed over the IPSec tunnel, the packets should flow freely. Unless the
network behind has the same IP addresses as the one behind, in which case do some kind of binat?
Or perhaps I missed the point. I usually do :)
Oliver Humpage
ICT Co-ordinator, Watershed Media Centre -- +44 (0)117 9276444
E-mails received are assumed to be for my attention, to do with as I
No responsibility is accepted if communications are sent to me in error.
This disclaimer has as much legal status as yours.
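A worked pf.conf for the setup the hints above describe (two private nets routed over the tunnel, no NAT between them), as an added example that is not from the thread or from the OpenBSD project. It uses the pre-4.7 nat/filter syntax of the period; the interface names fxp0/fxp1 are assumed, and REMOTE_GW is a placeholder for the external address of the 10.2.2 firewall, which the thread does not give.

```pf
# Added example, not from the thread: /etc/pf.conf on the 10.1.1.0/24 gateway.
# Interface names are assumed; REMOTE_GW is a placeholder to be replaced with
# the external address of the 10.2.2.0/24 firewall.
ext_if = "fxp0"
int_if = "fxp1"
lan = "10.1.1.0/24"
remote_lan = "10.2.2.0/24"
remote_gw = "REMOTE_GW"

# Translation rules are first-match, so the exemption must come before the
# general NAT rule. Traffic for the far LAN keeps its 10.1.1.x source address
# and is handed to the tunnel untranslated; everything else is NATed as usual.
no nat on $ext_if from $lan to $remote_lan
nat on $ext_if from $lan to any -> ($ext_if)

# Filtering: default deny, then allow only what the VPN and the LAN need.
block log all

# IKE (UDP 500) and ESP between the two gateways on the outside interface.
pass in quick on $ext_if proto udp from $remote_gw to ($ext_if) port 500 keep state
pass out quick on $ext_if proto udp from ($ext_if) to $remote_gw port 500 keep state
pass in quick on $ext_if proto esp from $remote_gw to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to $remote_gw

# Ordinary NATed Internet traffic leaving the outside interface.
pass out quick on $ext_if from ($ext_if) to any keep state

# Decrypted tunnel traffic appears on enc0; the two private nets are
# filtered against each other here, as the hints note.
pass in quick on enc0 from $remote_lan to $lan keep state
pass out quick on enc0 from $lan to $remote_lan keep state

# Local LAN side.
pass in quick on $int_if from $lan to any keep state
pass out quick on $int_if from any to $lan keep state
```

The routing half stays where the hints put it: "route add -net 10.2.2.0/24 REMOTE_GW" and "ifconfig enc0 up" in rc.local, with the mirror-image rules and route on the 10.2.2 box.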