I'm running openvpn in a VNET jail to connect to a commercial VPN provider. This was working fine with processes in the jail all using the VPN. I wanted to set up the jail to act as a router so that more network traffic could potentially be sent down the VPN. For testing, I added a second FIB on the host configured to route via this VNET jail and I'm fairly confident that that is working. What I can't get working is the IPFW NAT setup. As a starting point, I took my working incoming wireguard NAT setup from a different VNET jail. With that setup even local Internet access within the jail gets broken, never mind the routing not working.
I think I reenabled the packets that need to go to/from the openvpn server. I'm puzzled as to what the in, out and via rule options do for routed packets.
After cutting out extra stuff, my initial NAT rules are as follows:
00010 allow ip from any to any via lo0
00011 allow ip from any to any via epair1b
00099 reass ip from any to any in
00100 nat 1 ip from any to any in via tun1
00101 check-state :default
01000 nat 1 ip from any to any out via tun1
65500 allow ip from any to any
To restore connectivity to the openvpn server I added a couple of rules:
00004 allow ip from w.x.y.z to any
00005 allow ip from any to w.x.y.z
At this point, the jail can't connect out through the VPN. I can restore this with an early allow rule, something like:
ipfw add 6 allow ip from any to any via tun1
But this is just allowing packets before we get to the NAT rules and it is no surprise that the NAT and routing don't work with that rule in place. I don't really see why that should be needed for the VPN traffic initiated from the jail given that other NAT setups work. Any idea how to get this working?
Does the NAT rule rewrite the packet with a new source address and then send it back to the first rule in the firewall or does it continue on with the next rule in sequence? I do have
ipfw disable one_pass
in the firewall script. When adding logging, I don't think I've managed to catch a rewritten packet at all. Thanks
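As an added illustration (not part of the post), here is a small Python model of how ipfw walks the ruleset above for a routed packet, following what ipfw(8) states: a forwarded packet is checked once inbound via the receiving interface and once outbound via the sending interface, and with one_pass disabled a packet leaving the nat action is reinjected at the rule after the nat rule, not at the first rule. The addresses, the one-entry translation table and the omission of the reass and check-state rules are assumptions of the model.

```python
# Added model of ipfw rule walking for a routed packet (not FreeBSD code).
# Assumptions: a forwarded packet is inspected twice (in via the interface it
# arrived on, out via the interface it leaves on); with one_pass=0 the packet
# continues at the rule after the nat rule, with one_pass=1 it is accepted.
from dataclasses import dataclass, replace

@dataclass
class Pkt:
    src: str
    dst: str
    iface: str       # interface this pass is evaluated against
    direction: str   # "in" or "out"

# Ruleset from the post as (number, action, direction or None, via or None);
# the reass and check-state rules are left out of the model.
RULES = [
    (10, "allow", None, "lo0"),
    (11, "allow", None, "epair1b"),
    (100, "nat", "in", "tun1"),
    (1000, "nat", "out", "tun1"),
    (65500, "allow", None, None),
]
NAT_IP = "10.8.0.2"   # constructed: address the jail holds on tun1

def matches(rule, pkt):
    _, _, direction, via = rule
    return direction in (None, pkt.direction) and via in (None, pkt.iface)

def run(pkt, one_pass, start=0, nat_table=None):
    """Walk RULES from index `start`; return (verdict, rule number, packet)."""
    nat_table = {} if nat_table is None else nat_table   # remote -> inside src
    for idx in range(start, len(RULES)):
        rule = RULES[idx]
        if not matches(rule, pkt):
            continue
        num, action, _, _ = rule
        if action == "allow":
            return "allow", num, pkt
        if action == "nat":
            if pkt.direction == "out":          # outbound: rewrite source
                nat_table[pkt.dst] = pkt.src
                pkt = replace(pkt, src=NAT_IP)
            elif pkt.dst == NAT_IP and pkt.src in nat_table:   # reply
                pkt = replace(pkt, dst=nat_table[pkt.src])
            if one_pass:
                return "allow", num, pkt        # accepted right after nat
            return run(pkt, one_pass, idx + 1, nat_table)   # next rule, not rule 1
    return "deny", None, pkt                    # off the end: ipfw denies
```

Running the inbound pass of a LAN packet shows it is allowed by rule 11 before any nat rule is reached; the outbound pass via tun1 is rewritten at rule 1000 and, with one_pass disabled, accepted by rule 65500.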