# ipfw for gateway to share an OpenVPN client



## sac65849 (Jan 19, 2022)

I have an older working instance of ipfw with a working VPN tunnel as a client of a commercial OpenVPN service, and all traffic on this machine seems to be successfully going through the tunnel interface tun0. Is there a resource showing how to configure ipfw to have this machine act as a gateway so that multiple local machines can share the VPN connection? I `tcpdump -i tun0` and I see that the tun0 interface sees gateway-routed traffic destined for external IPs, but I do not see any responses. I think I need an ipfw NAT rule, but my

```
ipfw -q add 00100 nat 1 ip from any to any via tun0 out keep-state
```

Local traffic using the gateway is routed to the gateway external interface.


----------



## SirDice (Jan 20, 2022)

sac65849 said:


> Is there a resource showing how to configure ipfw to have this machine act as a gateway


Routing is not a job for a firewall. A firewall transforms (source and/or destination NAT, for example) and filters (allows or blocks based on certain criteria) packets; it does NOT route packets. Routing is done by the OS. You can enable (IPv4) routing by adding `gateway_enable="YES"` to rc.conf.


----------



## D-FENS (Jan 20, 2022)

sac65849 said:


> Is there a resource showing how to configure ipfw to have this machine act as a gateway so that multiple local machines can share the vpn connection.



The FreeBSD docs contain a pretty good guide on routing here: https://docs.freebsd.org/en/books/handbook/advanced-networking/#network-routing
+1 to SirDice, routing is not configured in the firewall.



sac65849 said:


> I think i need a ipfw nat rule


Indeed, you need NAT.
If you set `gateway_enable="YES"` as described above, the host will forward packets to the VPN network. However, the _Source IP_ field of the packets will contain IP addresses from your local network, and the VPN server would not know where to send the response (it does not know your LAN's IP addresses).
To work around this, when you configure NAT with ipfw, the _Source IP_ will be replaced by your host's VPN client IP address, and the VPN server knows that the response should go back to your host. When the response is received, NAT will again overwrite the relevant IP address in the packet so that the response is ultimately delivered to the machine that sent the initial packet.

Microsoft docs explaining how NAT works: https://docs.microsoft.com/en-us/azure/rtos/netx-duo/netx-duo-nat/chapter1
This is documentation on in-kernel NAT with ipfw: https://docs.freebsd.org/en/books/handbook/firewalls/#in-kernel-nat


----------
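The forwarding-plus-NAT setup that SirDice and D-FENS describe, written out as an added example (this is not a ruleset posted in the thread, nor the handbook's verbatim script). It assumes a LAN of 192.168.1.0/24 on `em0` and the OpenVPN client interface `tun0`; all three names, and the rule numbers, are constructed for the example. It follows the handbook's in-kernel NAT pattern: one `nat 1` instance bound to the tunnel interface, a NAT rule on the inbound leg so replies are rewritten back to the LAN host, stateful rules that let LAN traffic out, and a NAT rule on the outbound leg. Setting `fwcmd=echo` (or any recording function) previews the rules without touching the running firewall.

```shell
#!/bin/sh
# Added example, not from the original thread: ipfw in-kernel NAT so that
# LAN hosts share this machine's OpenVPN tunnel.
# Assumed names (constructed for the example): LAN 192.168.1.0/24 on em0,
# VPN client interface tun0. Override them from the environment if needed.
fwcmd="${fwcmd:-/sbin/ipfw}"
lan_if="${lan_if:-em0}"
lan_net="${lan_net:-192.168.1.0/24}"
vpn_if="${vpn_if:-tun0}"

# Companion settings, using standard FreeBSD rc.conf knobs:
#   gateway_enable="YES"         kernel forwards packets (routing, not ipfw's job)
#   firewall_enable="YES"
#   firewall_nat_enable="YES"    loads ipfw_nat
#   firewall_script="/etc/ipfw.rules"   this file
# and in /etc/sysctl.conf:
#   net.inet.ip.fw.one_pass=0    packets keep traversing rules after a nat
#                                action, so check-state/keep-state see them

nat_ruleset() {
    $fwcmd -q -f flush

    # NAT instance 1: rewrite the source of everything that leaves via the
    # tunnel to tun0's own address. 'if' tracks the address if the VPN
    # service reassigns it; 'reset' drops the table when that happens.
    $fwcmd -q nat 1 config if "$vpn_if" same_ports reset

    $fwcmd -q add 00010 allow ip from any to any via lo0
    # Reassemble fragments before NAT and the stateful rules look at them.
    $fwcmd -q add 00099 reass all from any to any in
    # Inbound leg: replies arriving on the tunnel get their destination
    # rewritten back to the LAN host that sent the original packet.
    $fwcmd -q add 00100 nat 1 ip from any to any in via "$vpn_if"
    # Match the dynamic rules created below; a hit jumps to their parent
    # rule's action (skipto 1000), so translated replies are allowed through.
    $fwcmd -q add 00101 check-state
    # Outbound: LAN hosts and this host may open connections toward the
    # tunnel; keep-state records them so only their replies come back in.
    $fwcmd -q add 00200 skipto 1000 ip from "$lan_net" to any out via "$vpn_if" keep-state
    $fwcmd -q add 00201 skipto 1000 ip from me to any out via "$vpn_if" keep-state
    # Anything else arriving on the tunnel that matched no state is dropped.
    $fwcmd -q add 00300 deny log ip from any to any in via "$vpn_if"
    # Traffic between this host and the LAN is unrestricted in this example.
    $fwcmd -q add 00400 allow ip from any to any via "$lan_if"
    # Outbound leg: translate, then (one_pass=0) fall through to allow.
    $fwcmd -q add 01000 nat 1 ip from any to any out via "$vpn_if"
    # Everything else (including OpenVPN's own UDP/TCP session to the
    # provider, which leaves via the physical uplink, not tun0) is allowed.
    $fwcmd -q add 01001 allow ip from any to any
}

# Apply only when explicitly asked, e.g. `sh /etc/ipfw.rules apply`;
# preview with `fwcmd=echo sh /etc/ipfw.rules apply`.
if [ "${1:-}" = apply ]; then
    nat_ruleset
fi
```

The two `nat 1` rules are the part the original single-rule attempt lacked: the inbound rule at 00100 is what rewrites the tunnel's replies back to the LAN address, and `net.inet.ip.fw.one_pass=0` is what lets those translated packets continue on to `check-state` instead of being accepted or dropped at the nat rule itself.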

