Solved ipfw rules and NAT on a not yet existing interface

I am having a little trouble understanding how IPFW handles non-existing interfaces. It seems that firewall rules can happily accept non-existing interface names, however in-kernel NAT does not.
Also, what happens at runtime is not completely clear to me. I guess these rules are never matched to a packet as long as the interface does not exist, right?
Can someone explain why rules accept non-existing interface names but NAT does not?
Here is an example. I intend to create an OpenVPN connection and a tun0 interface after the firewall was loaded:
Bash:
/sbin/ipfw -q nat 1 config if tun0 log reset same_ports unreg_only redirect_port tcp 10.0.21.20:443 9443
ipfw: unknown interface name tun0
/sbin/ipfw -q add 14002 nat 1 tcp from any to me 9443 recv tun0
/sbin/ipfw -q add 14012 nat 1 tcp from 10.0.21.20 443 to any xmit tun0

Normally I have my firewall and openvpn client enabled as services:
Bash:
firewall_enable: YES
firewall_logging: YES
firewall_nat_enable: YES
firewall_script: /usr/local/etc/ipfw/ipfw.rules
openvpn_configfile: /usr/local/etc/openvpn/openvpn.conf
openvpn_dir: /usr/local/etc/openvpn
openvpn_enable: YES
openvpn_if: tun

My intention is:
  1. On startup, open an SSH connection to a remote server and open a tunnel inside that connection.
  2. On startup start an OpenVPN client and connect to a remote OpenVPN server through the SSH tunnel above --> this creates a tun0 interface.
  3. Configure my box to act as a firewall+NAT via the tun0 interface.
I have been able to achieve this by manually issuing ssh, openvpn and ipfw commands, now I want to automate it on box startup.
Any suggestions?

For me, the easiest way would be to configure the firewall and then do my magic and connections. However, if this is not possible, I would have to delay the NAT configuration for after creating the VPN connection. Any smarter ways?
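One way to take the second option (delay the NAT configuration until the tunnel interface exists) without hand-running commands is a small wrapper that polls for the interface and only then loads the NAT config and the two NAT rules quoted above. This is an added example, not code from the thread or from FreeBSD; it assumes `ifconfig` exits non-zero for an interface that does not exist (true on FreeBSD), reuses the 10.0.21.20:443 / 9443 redirect from the question, and the `IFACE`, `IPFW`, `TRIES` and `INTERVAL` variable names are my own.

```shell
#!/bin/sh
# Added example: defer ipfw in-kernel NAT setup until the tunnel interface is up.
# Assumed names (not from the thread): IFACE, IPFW, TRIES, INTERVAL.

IFACE="${IFACE:-tun0}"
IPFW="${IPFW:-/sbin/ipfw}"
TRIES="${TRIES:-60}"       # how many times to look for the interface
INTERVAL="${INTERVAL:-1}"  # seconds between looks

# iface_exists NAME: succeed when the kernel knows the interface.
# ifconfig returns non-zero (and prints "does not exist") otherwise.
iface_exists() {
    ifconfig "$1" >/dev/null 2>&1
}

# wait_for_iface NAME TRIES INTERVAL: poll until the interface appears.
# Returns 0 once found, 1 if TRIES attempts pass without it.
wait_for_iface() {
    _name=$1; _tries=${2:-60}; _interval=${3:-1}
    while [ "$_tries" -gt 0 ]; do
        if iface_exists "$_name"; then
            return 0
        fi
        _tries=$((_tries - 1))
        sleep "$_interval"
    done
    return 1
}

# nat_rules_for NAME: print the NAT instance and the two rules from the
# question, one ipfw argument list per line, with NAME substituted.
nat_rules_for() {
    cat <<EOF
nat 1 config if $1 log reset same_ports unreg_only redirect_port tcp 10.0.21.20:443 9443
add 14002 nat 1 tcp from any to me 9443 recv $1
add 14012 nat 1 tcp from 10.0.21.20 443 to any xmit $1
EOF
}

# apply_nat NAME: hand each line to ipfw. Word splitting of $_line is intended.
apply_nat() {
    nat_rules_for "$1" | while read -r _line; do
        # shellcheck disable=SC2086
        "$IPFW" -q $_line || return 1
    done
}

main() {
    if wait_for_iface "$IFACE" "$TRIES" "$INTERVAL"; then
        apply_nat "$IFACE"
    else
        echo "$0: $IFACE did not appear after $TRIES tries" >&2
        return 1
    fi
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
case "${1:-}" in
    apply) main ;;
esac
```

Run it as `sh defer_nat.sh apply` from whatever starts after the OpenVPN client (for example a late `rc.local`-style hook), with the NAT lines removed from the main `firewall_script` so the boot-time load no longer trips over the missing `tun0`. The polling loop is deliberately bounded: if the VPN never comes up, the script reports that and exits non-zero instead of hanging the boot sequence.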
 
I have faced the same situation/issue. I want to NAT a vm-bhyve-created bridge, but the interface is created after pf is running. My current workaround is creating two rule files, one for jail and the other for jail+vm.
 
Thanks all, this makes sense.
My alternative workaround would be to just reload the firewall after tun0 is up, but I would hate to see the error messages on each startup.
 