Re: Replacement for an outbound pf redirect

On Mon, Aug 20, 2012 at 12:36:42PM -0700, Jeff Simmons wrote:
> I have an OpenBSD VPN gateway with a Windows (shudder) server behind it with a 
> private IP address. I need to set up a VPN with a remote company that requires 
> that both our gateway and our host have public IP addresses. I am told the 
> Windows server can only set up IP aliases if they are both on the same subnet.
> 
> Simply, an outbound pf redirect on the internal interface seems to be called 
> for, but the man page says, "If applied outbound, rdr-to to a local IP address 
> is not supported." There are also various dire warnings about trying to do 
> address translation on enc0. I'm probably just missing something simple, but 
> is there an easy way to do this?
> 

The warning is about local IPs. In your case the rdr-to will be to an
external address (the windows box) and so the warning should not apply.
Just make sure that for both IPs (private and public) a valid route
exists.

It is not possible to do an outbound rdr-to a local IP because the return
traffic will bypass some steps and is not properly translated because of
this.

--

-- 
:wq Claudio