NAT for use with OpenVPN
Morgan Wesström
freebsd-database at pp.dyndns.biz
Wed Nov 13 21:13:29 UTC 2019
> iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
As I understand iptables, this is the normal/only way to provide NAT for
any subnet.
> One of the comments in another tutorial I was reading says that the
> MASQUERADE rule is resource intensive, but if I understand it correctly,
> the only alternative would be to put a specific rule in place for each
> client. I don't think I want to do that.
I wonder what their reference was. When you're using iptables you only
have MASQUERADE to choose from. Even my 20 year old Netgear RT-314 did
NAT without problems...
> Comments?
Well, I am concerned we couldn't identify what mechanism was responsible
for the already working NAT for 192.168.1.0/24. We wouldn't want to end
up with two competing mechanisms activated at the same time, and the rule
you added will provide NAT for 10.8.0.0/24 as well as 192.168.1.0/24,
the latter of which was already working.
There should be init scripts on that router to start all services. Maybe
they can give a clue on what's going on and how Netgear chooses to
activate their services.
Whatever you do, just verify that the router's admin interface is not
accessible from the Internet after you've added your rules!
/Morgan
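The overlap Morgan warns about (an unscoped MASQUERADE rule that also covers a subnet some other rule already NATs) can be checked from the `iptables -t nat -S POSTROUTING` listing before the rule goes live. The following is an added example, not code from the thread or from Netgear: it parses iptables-save syntax for POSTROUTING NAT rules, reports which rules would apply to a given source subnet, and flags subnets matched by more than one rule. The rule listings are constructed for the example (interface name `eth0` and the two subnets are taken from the thread); it only sees iptables rules, so NAT done by some other mechanism on the router would not show up here.

```python
"""Which POSTROUTING NAT rules would match traffic from a given subnet?

Input is text in the format printed by `iptables -t nat -S POSTROUTING`
(iptables-save syntax). Both listings below are constructed samples for
this example, not output captured from the router discussed in the thread.
"""
import ipaddress
import shlex

# Constructed: an existing LAN NAT rule plus the broad rule from the tutorial.
# The second rule has no -s filter, so it covers the LAN as well as the VPN.
SAMPLE_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
"""

# Constructed: the same, but the new rule is limited to the VPN subnet with -s,
# so each subnet is NATed by exactly one rule.
SCOPED_RULES = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
"""

NAT_TARGETS = {"MASQUERADE", "SNAT"}


def parse_rules(text):
    """Return POSTROUTING NAT rules as dicts with 'src', 'out', 'target', 'text'."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A" or tok[1] != "POSTROUTING":
            continue  # skip policy lines and other chains
        rule = {"src": None, "out": None, "target": None, "text": line}
        i = 2
        while i < len(tok):
            flag, has_arg = tok[i], i + 1 < len(tok)
            if flag in ("-s", "--source") and has_arg:
                rule["src"] = ipaddress.ip_network(tok[i + 1], strict=False)
                i += 2
            elif flag in ("-o", "--out-interface") and has_arg:
                rule["out"] = tok[i + 1]
                i += 2
            elif flag in ("-j", "--jump") and has_arg:
                rule["target"] = tok[i + 1]
                i += 2
            else:
                i += 1  # other match options are irrelevant for this check
        if rule["target"] in NAT_TARGETS:
            rules.append(rule)
    return rules


def rules_matching(text, subnet, out_iface="eth0"):
    """NAT rules whose -s (if any) contains `subnet` and whose -o fits `out_iface`."""
    net = ipaddress.ip_network(subnet, strict=False)
    hits = []
    for r in parse_rules(text):
        if r["out"] not in (None, out_iface):
            continue
        if r["src"] is None or net.subnet_of(r["src"]):
            hits.append(r["text"])
    return hits


def overlapping_subnets(text, subnets, out_iface="eth0"):
    """Subnets that more than one NAT rule would handle: the competing-rules case."""
    return [s for s in subnets if len(rules_matching(text, s, out_iface)) > 1]


if __name__ == "__main__":
    lan, vpn = "192.168.1.0/24", "10.8.0.0/24"
    for name, listing in (("broad rule", SAMPLE_RULES), ("scoped rule", SCOPED_RULES)):
        print(name, "- doubly NATed subnets:", overlapping_subnets(listing, [lan, vpn]))
```

On a live router the listing would come from `iptables -t nat -S POSTROUTING`; the check reports that the unscoped rule makes 192.168.1.0/24 match twice, while a rule carrying `-s 10.8.0.0/24` leaves each subnet with a single rule.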