# Double port forwarding and OpenVPN



## mbr661 (Jan 14, 2010)

Hello all.

I need a little help with double port forwarding using pf, and OpenVPN (bridged).

Here is my set up:

Modem ext_if--public IP
Modem int_if--bridged, non firewalled.

Router ext_if--same public IP as above
Router firewall w/port forwarding (port 1194 to 192.168.20.100)
Router int_if--192.168.20.1

	subnet 192.168.20.0

FreeBSD ext_if--static 192.168.20.100
pf w/out ruleset
FreeBSD inf_if--static 192.168.1.150

	subnet 192.168.1.0


What I want to do is reach my internal network (192.168.1.0) over OpenVPN, in bridged mode.

Currently, Router is port forwarding 1194 to FreeBSD ext_if, and OpenVPN is set up to bridge FreeBSD ext_if and Tap0. So, I can VPN to the 192.168.20.0 subnet, but not to the internal network.


I'm new to PF and only getting familiar with FreeBSD.

Question:
What rule do I need to port forward 1194 from FreeBSD ext_if to
FreeBSD int_if? both ways?

I figure if I do that, and then bridge FreeBSD int_if and Tap0, I will be able to reach my internal network over the VPN.

Suggestions will be appreciated if there is an easier way to accomplish this.

Thanks in advance!!


My system:
7.1-RELEASE-p8 FreeBSD 7.1-RELEASE-p8 #0: Fri Oct  2 07:10:41 UTC 2009 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

openvpn-2.0.6_9


/etc/rc.conf in FreeBSD


```
# -- sysinstall generated deltas -- # Tue May  5 14:16:40 2009
# Created: Tue May  5 14:16:40 2009
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
defaultrouter="192.168.20.1"
gateway_enable="YES"
hostname="fbsd.mydomain.com"
ifconfig_rl0="inet 192.168.20.100  netmask 255.255.255.0"
ifconfig_rl1="inet 192.168.1.150 netmask 255.255.255.0"
inetd_enable="NO"
linux_enable="YES"
sshd_enable="NO"
openssh_enable="YES"

pf_enable="YES"
pflog_enable="YES"

openvpn_enable="YES"
cloned_interfaces="bridge0 tap0"
ifconfig_bridge0="addm rl0 addm tap0"
```


----------



## SirDice (Jan 14, 2010)

There's no need to forward anything on the freebsd box. There's no NAT, just plain routing.

Don't bridge the tap0 vpn and the external interface. Just let it terminate on the fbsd host. Use a seperate subnet for the vpn.


----------



## mbr661 (Jan 15, 2010)

Thank you SirDice for your advice, but I don't have a choice right now. Our Windows/AD network is behind FreeBSD and that's where we are running some apps that need access from the Internet. I need to provide access to them, via the VPN, as soon as possible.

If you were in this situation, how would you accomplish this?

Thanks in advance!


----------



## SirDice (Jan 15, 2010)

mbr661 said:
			
		

> If you were in this situation, how would you accomplish this?


Exactly as I've stated in my previous message.


----------



## mbr661 (Jan 15, 2010)

I think I know what the confusion is. I still want to terminate the VPN connection on fbsd, but instead of bridging to ext_if, I want to bridge to int_if.

Int_if is in the same subnet as the Windows machines. That will work for me.

Having said this, do you still think I don't have to forward port 1194 thru ext_if in fbds?

Are there any rules in pf that I need to accomplish this?

Thanks for your patience and help.

mbr661


----------

