PF pf rdr+nat

Hello everybody!

First of all sorry for my bad English - it's not my native language.

Please help me - I can't solve one problem I've been on for more than a week. The company I work for has merged with a company in another city. My colleague on the other side and I both used FreeBSD as a border gateway to the Internet, so we used openvpn to connect our branches. Some weeks ago my colleague quit and gave me all the keys to manage his part of the network. I'm using nagios+mrtg to monitor some parameters of inner hosts via SNMP.

The first problem is that our networks use the same network addresses: 192.168.0.0/24. The second problem is that he made a pf-based firewall while I prefer ipfw. I made nat on tun0 without any problem on my side, so clients from "his" network use "my" resources as if they were from "my" network. But now I can't do the same on the other side through pf. I understand that this is the wrong way, and it's better to make different networks, but breaking a working network is the worst idea as it seems to me now. We both have not a small network configuration and his part is still not clear to me.

So I tried to insert these rules in pf.conf:
Code:
rdr on $ovpn_if inet from $ovpn_ip to 192.168.10.8 -> 192.168.0.8
nat log on $int_if inet from $ovpn_ip to 192.168.10.8 -> 192.168.0.1

where $ovpn_ip is my gateway IP, 192.168.0.1 is the gateway on the other side and 192.168.0.8 is the host I'd like to query via SNMP. But this way the nat rule does not work, only the rdr.
If I leave only the nat rule without rdr, "his" gateway sends ARPs to his network searching for 192.168.10.8 and returns me "Destination Host Unreachable" and

Code:
2021-02-18 23:44:56.715614 rule 108..16777216/0(match): nat out on re0: 192.168.0.1 > 192.168.10.8: ICMP echo request, id 58998, seq 0, length 64

in pflog.
pfctl -sn shows me that my rule is the last in the chain, so according to man pf it should work, but it doesn't.

Can anybody please explain to me where I'm mistaken? Why can't I get nat (and rdr) to work?
Thank you!
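A reworked version of the two rules, added here as an example and not taken from the post or from the poster's pf.conf. pf applies rdr to packets as they arrive on the tunnel interface, so by the time the nat rule is evaluated on the LAN interface the destination has already become 192.168.0.8; a nat rule written against 192.168.10.8 can therefore never match, which is what the pflog line above shows. The interface names, the tunnel address and the alias range are assumptions; adjust them to the real values.

```pf
# Assumed names (not from the post): tun0 is the OpenVPN interface, re0 the
# LAN interface, 10.8.0.1 the monitoring gateway's tunnel address, and
# 192.168.10.0/24 the alias range the monitoring side uses for this LAN.
ovpn_if   = "tun0"
int_if    = "re0"
ovpn_ip   = "10.8.0.1"
alias_net = "192.168.10.0/24"
lan_net   = "192.168.0.0/24"

# Step 1, inbound on the tunnel: rewrite the alias destination to the real
# host.  rdr only acts on packets arriving on $ovpn_if.
rdr on $ovpn_if inet from $ovpn_ip to 192.168.10.8 -> 192.168.0.8

# Step 2, outbound on the LAN: rewrite the source so the SNMP reply comes
# back to this gateway instead of being routed towards the overlapping far
# network.  The packet has ALREADY been rewritten by the rdr above, so the
# nat rule must match the translated destination 192.168.0.8.
nat on $int_if inet from $ovpn_ip to 192.168.0.8 -> ($int_if)

# Generalised to the whole alias range: the bitmask pool option keeps the
# host part of the address, so 192.168.10.N maps to 192.168.0.N.
# rdr on $ovpn_if inet from $ovpn_ip to $alias_net -> $lan_net bitmask
# nat on $int_if inet from $ovpn_ip to $lan_net -> ($int_if)

# Filter rules are evaluated after translation and see the rewritten
# addresses, so the pass rule for the inbound leg names the real host.
pass in quick on $ovpn_if inet from $ovpn_ip to 192.168.0.8
pass out quick on $int_if inet to 192.168.0.8
```

pf uses the first matching translation rule, so these must come before any broader nat rule for the same interface; after `pfctl -f /etc/pf.conf`, `pfctl -ss | grep 192.168.0.8` should show both a rdr and a nat state for one SNMP poll.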