Kernel_Killer
November 10th, 2003, 04:10
I've been trying to find a solution to this dilemma, but the only thing that holds me back is the incoming source address. What I'm trying to accomplish is to have an IP on another network be aliased as a dummy host from another network. For example, an egress transmission to a VPN host masked as 172.16.0.1 is aliased to 172.16.2.1. The only problem is the ACK transmission. Even though the destination host is receiving the packets, PF is not sending back to 172.16.2.1. This is what I tried:


external = "tun0"        # outside / VPN interface
if2 = "dc0"              # inside interface
net = "172.16.0.0/24"    # inside network

scrub in all fragment reassemble   # normalise inbound packets and reassemble fragments
scrub out all                      # normalise outbound packets

# source NAT: both inside nets leave tun0 with tun0's address
nat on $external from 172.16.0.0/24 to any -> $external
nat on $external from 172.16.2.0/24 to any -> $external
# source NAT on dc0: 172.16.2.0/24 shows up on the inside net with an address out of $net
nat on $if2 from 172.16.2.0/24 to any -> $net
# redirect: packets arriving on dc0 for the dummy host 172.16.0.1 go to the real host 172.16.2.1
rdr on $if2 from any to 172.16.0.1/32 -> 172.16.2.1/32

[cut]



Of course I can ping the other side from the OpenBSD box, but anything on the other net cannot. I have some more ideas, but thought I'd see if anyone had some input. :D

Strog
November 10th, 2003, 13:53
Do you have a corresponding pass rule?

Perhaps with a keep state?
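
As an added illustration of what Strog is pointing at (this is not from the original post or from either poster), here is the thread's rdr/nat setup with the pass rules and keep state filled in. It assumes the interfaces and addresses from the post, that dc0 is the inside interface, and the pre-OpenBSD 4.7 pf syntax (nat/rdr as separate rules, state kept only when asked for) that was current in 2003:

```pf
# Added example, not the original poster's ruleset. Assumes tun0 is the
# outside/VPN interface, dc0 the inside interface, and 2003-era pf syntax.
external = "tun0"
if2 = "dc0"
net = "172.16.0.0/24"
alias = "172.16.0.1"     # dummy address the inside hosts send to
real  = "172.16.2.1"     # VPN host the traffic is really for

scrub in all fragment reassemble
scrub out all

# Translation. Inside hosts address $alias; pf rewrites the destination
# to $real as the packet enters $if2, then rewrites the source to
# $external's address as it leaves $external. Replies are mapped back
# through the same state entries, so no reverse rdr is needed.
rdr on $if2 proto { tcp, udp, icmp } from $net to $alias -> $real
nat on $external from $net to any -> ($external)

# Filtering. Default deny, then pass and keep state at both places the
# redirected packet is seen. Filter rules evaluate the packet AFTER
# translation, so the rule on $if2 must name $real, not $alias.
block log all
pass quick on lo0 all
pass in  on $if2 proto { tcp, udp, icmp } from $net to $real keep state
pass out on $external proto { tcp, udp, icmp } from ($external) to $real keep state
```

Check the syntax before loading it with pfctl -nf /etc/pf.conf, and watch the result with pfctl -s state: each entry shows the original, redirected and translated addresses, and a reply that arrives but never reaches the inside host usually means no state was created because the packet was blocked rather than passed with keep state. Two caveats: $alias lies inside $net, so if 172.16.0.0/24 is dc0's directly attached subnet the inside hosts will ARP for 172.16.0.1 instead of sending it to the gateway, and the OpenBSD box has to own or proxy that address for the rdr to ever see the packets; and on OpenBSD 4.7 and later the same thing is written with match rules (match in on $if2 ... rdr-to $real, match out on $external ... nat-to ($external)) and pass rules keep state by default.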

Kernel_Killer
November 10th, 2003, 17:00
Should I make an explicit rule for ingress traffic? As you know there really isn't anything there. :D

Kernel_Killer
November 11th, 2003, 02:03
Thanks for the offline idea Strog. For some reason I was debating on doing NAT from the Ciscos, but didn't know my IOS supported static mapping. I'm pinging the VPN as I type. :D