# ipfw nat openvpn routing problem



## leonetix (Aug 16, 2011)

Hi,

I've been trying to set up some firewall rules to allow all of my traffic to be routed over openvpn.

I'm running FreeBSD 8.2 on my VPN server and it has its own external IP. I can connect to the VPN fine, and I can ping the VPN server 10.0.0.10. However, if I try to ping an outside IP, I don't get any replies back.

My current setup:

External interface vlan25: 1.2.3.4
Internal interface re0: 10.0.0.10/24
OpenVPN server tun0: 10.8.1.0/24

It seems this is only possible by using a 'nat' feature. I've played with 'natd' and even 'pf', but had no luck. After adding the following firewall rules to my ipfw table, I can see the reply back to the server, but not to the client.

Here are the relevant ipfw rules:


```sh
CMD="ipfw -q add"

...
# in-kernel NAT instance bound to the external address
ipfw nat 1 config ip 1.2.3.4 same_ports
# VPN clients in on tun0, then out through NAT on vlan25
$CMD 60 allow all from 10.8.1.0/24 to any in recv tun0
$CMD 61 nat 1 all from 10.8.1.0/24 to any out xmit vlan25
$CMD 62 allow all from 1.2.3.4 to any out xmit vlan25
# replies back in on vlan25, un-NAT, then out to the client on tun0
$CMD 63 nat 1 all from any to 1.2.3.4 in recv vlan25 established
$CMD 64 allow all from any to 10.8.1.0/24 in recv vlan25 established
$CMD 65 allow all from any to 10.8.1.0/24 out xmit tun0 established
...
```

Also, I was wondering if it is possible to route traffic from one port to another on the same machine. Let's say I'm running my VPN server on port 1194, but I would like to reach the same server on port 10000 without running a second VPN server.

Any help is greatly appreciated.
Thanks
~L


----------



## Crest (Aug 17, 2011)

AFAIK the reverse traffic has to match the nat rule too.


----------
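The following is an added example, not code from either poster, showing one way to apply the point above and to answer the second question in the first post. Two things in the posted rule set work against it: the outbound nat rule only matches `from 10.8.1.0/24 out xmit vlan25`, so nothing the server itself sends (including OpenVPN's own replies on port 1194) is ever tracked by the nat instance, and rules 63 to 65 carry the `established` keyword, which in ipfw matches only TCP packets with the RST or ACK bit set; ICMP echo replies and UDP never match it, so a ping reply reaches 1.2.3.4 but is never translated back to the client. The script below uses a single `nat 1 ... via vlan25` rule so both directions pass through the same nat instance, drops `established`, and adds a `redirect_port` entry so UDP arriving on port 10000 is handed to the OpenVPN listener on 1194. Addresses and interface names follow the thread; the rule numbers, the variable names, the `IPFW=echo` dry-run convention and the `check_rules`/`load_rules` helpers are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw in-kernel NAT for OpenVPN clients on tun0
# where the reverse path hits the same nat instance, plus a redirect_port entry that
# exposes the OpenVPN listener on a second UDP port. Addresses and interfaces follow
# the thread; rule numbers and helper names are assumptions for this example.

EXT_IF=vlan25            # external interface carrying the public address
EXT_IP=1.2.3.4           # public address the VPN clients are masqueraded behind
VPN_IF=tun0              # OpenVPN server interface
VPN_NET=10.8.1.0/24      # address pool handed to OpenVPN clients
VPN_PORT=1194            # port OpenVPN actually listens on
ALT_PORT=10000           # extra port that should reach the same listener
IPFW=${IPFW:-ipfw}       # set IPFW=echo to print the commands instead of loading them

# Print the rules, one ipfw command per line, without the leading "ipfw".
#  nat 1 config : bind the instance to the public address; redirect_port maps
#                 UDP arriving on ALT_PORT to the listener on VPN_PORT.
#  60 : client traffic arriving on tun0.
#  61 : the only nat rule. "via" matches both in and out on the external
#       interface, so outbound client packets and the replies to them are both
#       translated by the same instance (this is what the posted rule set lacked
#       for non-client traffic). No "established": that keyword is TCP-only and
#       would drop ICMP and UDP replies.
#  62-65 : only reached when net.inet.ip.fw.one_pass=0 (packets re-enter the
#       ruleset after nat); with the default one_pass=1 the nat rule accepts.
vpn_nat_rules() {
    cat <<EOF
nat 1 config ip $EXT_IP same_ports redirect_port udp $EXT_IP:$VPN_PORT $ALT_PORT
add 60 allow ip from $VPN_NET to any in recv $VPN_IF
add 61 nat 1 ip from any to any via $EXT_IF
add 62 allow ip from $EXT_IP to any out xmit $EXT_IF
add 63 allow ip from any to $VPN_NET in recv $EXT_IF
add 64 allow ip from any to $VPN_NET out xmit $VPN_IF
add 65 allow udp from any to $EXT_IP $VPN_PORT in recv $EXT_IF
EOF
}

# Sanity checks to run before loading: no rule uses the TCP-only "established"
# keyword, and exactly one rule touches the external interface, so there is no
# way for one direction to bypass the nat instance.
check_rules() {
    if vpn_nat_rules | grep -q established; then
        return 1
    fi
    [ "$(vpn_nat_rules | grep -c "via $EXT_IF")" -eq 1 ]
}

# Load the rules with $IPFW (or print them with IPFW=echo). Forwarding the
# de-NATed replies to tun0 also needs net.inet.ip.forwarding=1, i.e.
# gateway_enable="YES" in rc.conf.
load_rules() {
    vpn_nat_rules | while read -r line; do
        $IPFW -q $line || return 1
    done
}

case "${1:-print}" in
    load)  load_rules ;;
    check) check_rules ;;
    *)     vpn_nat_rules ;;
esac
```

Run `sh rules.sh check` first, then `IPFW=echo sh rules.sh load` to review the exact `ipfw` commands, and finally `sh rules.sh load` as root on the VPN host. For clients to send all their traffic through the tunnel in the first place, the OpenVPN server must also push a default route (`push "redirect-gateway def1"`). If `sysctl net.inet.ip.fw.one_pass` is 0 on your box, rules 62 to 65 are what the re-injected packets match after translation, so keep them.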

