# PF and transparent VPN routing
## plus (Jun 25, 2009)

I'm trying to make it so that the computers on my LAN are able to transparently connect to the computers on my VPN, i.e. without NAT. Presently all computers on the LAN are able to connect (e.g. ping, ssh to) other computers on the VPN, however other computers on the VPN are not able to connect to computers on my LAN, except for the router itself.

My setup is this: FreeBSD box acting as a router running pf, named, bind, ppp (for PPPoE), squid, and cloudvpn (similar to openvpn). The VPN uses the 10.0.0.0/8 IP range, and my LAN uses the 10.0.24.0/24 IP range. The VPN runs on device tap0 which I have bridged to re1 (the LAN-facing physical NIC) with bridge0, and the internet-facing device is tun0 (virtual NIC created by ppp, physical NIC is re0).

Here is my pf.conf trimmed of extraneous commented lines:

```
#--== definitions ==--
ext_if="tun0"        # PPPoE link created by ppp (physical NIC is re0)
int_if="re1"         # LAN-facing NIC
vpn_if="tap0"        # cloudvpn tap device
bge_if="bridge0"     # bridge joining tap0 and re1
torrent_ports   = "54900:54999"
mpd_ports       = "6600"
skype_ports     = "62092"
vpn_ports       = "15135"

nene            = "10.0.24.1" # nene is the name of the fbsd router
rin             = "10.0.24.2"
nene_jail       = "10.0.24.3"

#--== options ==--
set loginterface $ext_if
scrub on $ext_if

set skip on lo0

scrub in

#--== nat ==--
nat on $ext_if from $int_if to !($bge_if) -> ($ext_if)

#--== port forwarding/redirection ==--
rdr on $ext_if proto { tcp } from any to any port $torrent_ports -> $nene_jail
rdr on $ext_if proto { tcp } from any to any port $mpd_ports -> $nene_jail
rdr on $ext_if proto { tcp } from any to any port http -> $nene_jail # http connections to my internet-facing IP address should be redirected to the jail
rdr on $ext_if proto { tcp, udp } from any to any port $skype_ports -> $rin
rdr on $ext_if proto { tcp } from any to any port ssh -> $nene_jail # ssh connections to my internet-facing IP address should be redirected to the jail

#--== filter rules ==--
block all
pass quick on $int_if keep state
pass quick on $bge_if keep state
pass out quick on $ext_if keep state

pass in on $ext_if proto { tcp, udp } from any to any port $vpn_ports
pass in on $ext_if proto { tcp, udp } from any to $nene_jail port $torrent_ports keep state
```

(As a side note, an nmap of the public IP address shows all ports filtered.  Not sure if this is expected behavior, as some of the programs which require forwarded ports seem to work, whereas others (such as ssh and http) do not.  Of course this is an unrelated issue.)

Here is my ifconfig:

```
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
	ether 00:24:1d:23:6a:e1
	media: Ethernet autoselect (100baseTX <full-duplex>)
	status: active
re1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=3898<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
	ether 00:1f:d0:81:51:da
	inet 10.0.24.1 netmask 0xffffff00 broadcast 10.0.24.255
	inet 10.0.24.3 netmask 0xffffff00 broadcast 10.0.24.255
	media: Ethernet autoselect (1000baseTX <full-duplex>)
	status: active
fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 02:ed:81:00:1f:d0
	ch 1 dma -1
fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
	lladdr 0.ed.81.6.0.0.1f.d0.a.2.ff.fe.0.0.0.0
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6 
	inet6 ::1 prefixlen 128 
	inet 127.0.0.1 netmask 0xff000000 
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 2e:92:b5:4b:75:f5
	inet 10.0.24.1 netmask 0xff000000 broadcast 10.255.255.255
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
	root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
	member: tap0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 10 priority 128 path cost 2000000
	member: re1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
	        ifmaxaddr 0 port 2 priority 128 path cost 20000
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
	inet 71.220.15.198 --> 207.225.140.207 netmask 0xffffffff 
	Opened by PID 633
tap0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	ether 00:bd:e2:eb:08:00
	Opened by PID 1816
```

I admit I'm new to pf, so forgive me if this is just a stupid error on my part.


----------



## SirDice (Jun 25, 2009)

There's no "pass in on $vpn_int ......", hence all traffic coming in on that interface is blocked.

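Added here as an example of the fix SirDice describes, not the poster's own pf.conf: the filter section with a pass rule for the VPN interface, written in the same form as the poster's other interface rules, plus the log keyword on the block rule. The macros ($ext_if, $int_if, $vpn_if, $bge_if, $vpn_ports) are assumed to be defined exactly as in the original post.

```pf
# Added example, not the poster's config verbatim. Assumes the macros
# from the post above are defined ($vpn_if is tap0, $bge_if is bridge0).

#--== filter rules ==--
# "log" copies every packet this rule drops to pflog0, so blocked traffic
# can be inspected with:  tcpdump -n -e -ttt -i pflog0
block log all

pass quick on $int_if keep state
pass quick on $bge_if keep state

# The missing rule: tap0 is a member of bridge0, and while
# net.link.bridge.pfil_member=1 (the default on FreeBSD releases of that
# era) pf filters on each member interface as well as on bridge0, so
# traffic arriving from the VPN needs its own pass rule.
pass quick on $vpn_if keep state

pass out quick on $ext_if keep state

pass in on $ext_if proto { tcp, udp } from any to any port $vpn_ports keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; a `block log` hit then shows up on pflog0 with the interface name, which is the quickest way to see which of re1, tap0 or bridge0 is dropping a given packet.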

----------



## plus (Jun 25, 2009)

SirDice: Thanks, that did it.  I guess it really was a stupid error on my part.


----------



## SirDice (Jun 25, 2009)

Try to use the log keyword. Then you can see which packets are blocked by tcpdump'ing pflog0.


----------

