# Forward VPN gateway to another LAN machine



## free-and-bsd (Apr 2, 2020)

Here is one little problem I'm trying to solve.

I have a Win 10 guest in bhyve using a passthru NIC, so it uses a legal local address 192.168.0.9/24 on my LAN. My FreeBSD host has another address on the same LAN -- 192.168.0.5/24.

Now my idea is to use the FreeBSD host machine as gateway for that bhyve guest so that it could also use my dynamic VPN connection.
Now the first part works all right: Win 10 host with LAN IP _does_ use my FreeBSD host as its default route.
To that end, I have in /etc/rc.conf:

```
gateway_enabled="YES
defaultrouter="192.168.0.1"
```
And also the needed rules in /etc/pf.conf:

```
pass in quick on $out_if from 192.168.0.9 to any keep state
```
And the sysctl for forwarding ipv4 is set to enabled. So, at this point everything works fine: Win 10 gets internet connection using 192.168.0.5 as its default route.
(And I must also add: FreeBSD host is not the LAN's gateway as it doesn't have one NIC for LAN and another for another LAN. It's a normal machine on the LAN using the LAN's router connected to ISP as its gateway.)

PROBLEM:
When I bring up my VPN connection on FreeBSD host, that creates default route, it doesn't become available to Win 10, for which this machine serves as gateway.
What happens, though, is that when VPN is up and the FreeBSD host uses it as default route, Win 10 loses internet connectivity.
At the same time, network connectivity is here, : Win 10 can ping the FreeBSD host's IP (192.168.0.5, that serves as default gateway), it can even ping the VPN default route gateway and remote DNS server 8.8.8.8!
Just the system, for some obscure reason, can't use it for default gateway.
Windows ipconfig command shows that the FreeBSD host's IP is used as default gateway. So I conclude that somehow the FreeBSD host side doesn't provide this VPN as default gateway for the Win 10 bhyve guest while the route itself IS available on the Win 10 machine. And since manipulating default route on Windows is needlessly complicated, I want to do it all on the FreeBSD side.

STEPS I"VE TRIED:
Given that Win 10 guest has its legal LAN address same as any other machine on the LAN, the goal is
(1) to make it use FreeBSD host's NIC for default route (that works already) and
(2) when FreeBSD host's default route changes make it available to the client (192.168.0.5).

So I added a PF anchor for that VPN connection with the following rules and redirects:

```
nat on tun1 from 192.168.8.0/24 to any -> (tun1)
nat on igb2 from any to 192.168.8.0/24 -> (igb2)
rdr on igb2 from 192.168.8.9 to any-> tun1
pass quick on tun1 all
```
EDIT: tun1 becomes system's default gateway upon VPN up. On the second thought, I disabled the nat part here as it doesn't seem to help. Or does it?

Diagnostics show: all the nat & rdr rules for VPN are loaded, LAN client can ping both VPN gateway address and any address on the internet. But the client can't use the VPN gateway.
Now the line gateway_enable in rc.conf seems to be necessary if I want to forward packets from my igb2 LAN interface to tun1 VPN interface. But I can't imagine what else I can do to let another LAN machine use that.


----------



## free-and-bsd (Apr 2, 2020)

I can add that trying to boot the VM after my VPN route is up results in Win 10 having no internet access. So somehow the problem is on the FreeBSD side.


----------

