Discussion:
nat on command line
Diego A. Gomez
2008-05-09 04:44:49 UTC
How can I write a NAT rule on the command line?

Thanks!
--
Diego.-
Chris Buechler
2008-05-09 04:46:53 UTC
Post by Diego A. Gomez
How can I write a NAT rule on the command line?
you don't.

you can manually edit config.xml, add the rule, remove the
config.cache and reload the filter rules but that's not suggested
since you could blow up your config.
Diego A. Gomez
2008-05-09 04:56:07 UTC
Post by Chris Buechler
Post by Diego A. Gomez
How can I write a NAT rule on the command line?
you don't.
you can manually edit config.xml, add the rule, remove the
config.cache and reload the filter rules but that's not suggested
since you could blow up your config.
I need to write a NAT rule for the tun0 (VPN) interface.
Can I do it through config.xml?

Thanks!
--
Diego.-
Chris Buechler
2008-05-09 04:58:18 UTC
Post by Diego A. Gomez
I need to write a NAT rule for the tun0 (VPN) interface.
Can I do it through config.xml?
I don't believe that's possible without at least some minor code
changes. 1.3 will allow NAT on OpenVPN interfaces but that's not
available yet.
David Meireles
2008-05-09 08:54:43 UTC
Diego, I had the same problem (have a pfSense acting as VPN client, and
from the server I can ping the other side, from the lan I can't).
Here's what you have to do:

First, disable automatic outbound NAT rules, or else this will only work
for a few seconds.
Second, edit /tmp/rules.debug and add the line "nat on tun0 from
YOUR-LAN-SUBNET/24 to any -> (tun0)" below "Outbound nat rules".
Third, save and run "/sbin/pfctl -f /tmp/rules.debug".

More info at http://cvstrac.pfsense.com/tktview?tn=1466
Post by Diego A. Gomez
Post by Chris Buechler
Post by Diego A. Gomez
How can I write a NAT rule on the command line?
you don't.
you can manually edit config.xml, add the rule, remove the
config.cache and reload the filter rules but that's not suggested
since you could blow up your config.
I need to write a NAT rule for the tun0 (VPN) interface.
Can I do it through config.xml?
Thanks!
Diego A. Gomez
2008-05-09 15:02:39 UTC
Diego, I had the same problem (have a pfSense acting as VPN client, and from
the server I can ping the other side, from the lan I can't).
First, disable automatic outbound NAT rules, or else this will only work for
a few seconds.
Second, edit /tmp/rules.debug and add the line "nat on tun0 from
YOUR-LAN-SUBNET/24 to any -> (tun0)" below "Outbound nat rules".
Third, save and run "/sbin/pfctl -f /tmp/rules.debug".
More info at http://cvstrac.pfsense.com/tktview?tn=1466
This works perfectly!
Thanks!
--
Diego.-
Diego A. Gomez
2008-05-09 19:14:45 UTC
Diego, I had the same problem (have a pfSense acting as VPN client, and from
the server I can ping the other side, from the lan I can't).
First, disable automatic outbound NAT rules, or else this will only work for
a few seconds.
Second, edit /tmp/rules.debug and add the line "nat on tun0 from
YOUR-LAN-SUBNET/24 to any -> (tun0)" below "Outbound nat rules".
Third, save and run "/sbin/pfctl -f /tmp/rules.debug".
More info at http://cvstrac.pfsense.com/tktview?tn=1466
Where must I write this so that these changes are not lost?

Thanks!
--
Diego.-
David Meireles
2008-05-11 18:17:25 UTC
That's the thing, you don't... Each time you change anything in your
rules or reboot the box, this configuration is lost. You could save the
edited rules.debug file and use it whenever you lose this specific rule.
Post by Diego A. Gomez
Diego, I had the same problem (have a pfSense acting as VPN client, and from
the server I can ping the other side, from the lan I can't).
First, disable automatic outbound NAT rules, or else this will only work for
a few seconds.
Second, edit /tmp/rules.debug and add the line "nat on tun0 from
YOUR-LAN-SUBNET/24 to any -> (tun0)" below "Outbound nat rules".
Third, save and run "/sbin/pfctl -f /tmp/rules.debug".
More info at http://cvstrac.pfsense.com/tktview?tn=1466
Where must I write this so that these changes are not lost?
Thanks!
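The hand-edit procedure David describes (add a "nat on tun0 ..." line under the "Outbound nat rules" marker of /tmp/rules.debug, then load it with pfctl -f) and his later point that the edit is lost whenever the rules are regenerated or the box reboots can both be scripted so the rule is re-inserted the same way every time and syntax-checked before pf loads it. The script below is an added example written for this thread, not code from pfSense or from either poster. It assumes the marker line in rules.debug contains the text "outbound nat rules" (matched case-insensitively), that the LAN subnet is passed as an argument, and that /sbin/pfctl is present when load_rules is called.

```shell
#!/bin/sh
# Added example (not from the thread): insert an outbound NAT rule for a VPN
# interface into a pfSense-style rules file, check its syntax, then load it.
# Assumed marker text: a line containing "outbound nat rules" (any case).

# add_tun0_nat RULES_FILE LAN_SUBNET [IFACE]
# Inserts 'nat on IFACE from LAN_SUBNET to any -> (IFACE)' directly after the
# marker line. Idempotent: a second call with the same rule changes nothing.
# Returns 1 and leaves the file untouched when no marker line is found, so a
# regenerated file with a different layout is never edited blindly.
add_tun0_nat() {
    rules="$1"; subnet="$2"; iface="${3:-tun0}"
    rule="nat on $iface from $subnet to any -> ($iface)"
    # Exact rule already present: nothing to do.
    grep -Fqx "$rule" "$rules" && return 0
    # No marker: refuse rather than guess where the NAT section is.
    grep -qi 'outbound nat rules' "$rules" || return 1
    tmp="$rules.new"
    awk -v rule="$rule" '
        { print }
        !done && tolower($0) ~ /outbound nat rules/ { print rule; done = 1 }
    ' "$rules" > "$tmp" && mv "$tmp" "$rules"
}

# load_rules RULES_FILE
# pfctl -nf parses the file without loading it; a typo in a hand-edited
# rules file is caught here instead of leaving pf with a half-loaded ruleset.
load_rules() {
    rules="$1"
    /sbin/pfctl -nf "$rules" || { echo "syntax error in $rules, not loading" >&2; return 1; }
    /sbin/pfctl -f "$rules"
}

# Typical use on the firewall (LAN subnet is a constructed example value):
#   add_tun0_nat /tmp/rules.debug 192.168.1.0/24 && load_rules /tmp/rules.debug
# Keep the script somewhere that survives a reboot and re-run it whenever the
# rule disappears, since /tmp/rules.debug is rewritten on every rule change.
```

Automatic outbound NAT still has to be disabled in the GUI first, as David notes, or the generated rules will overwrite this one within seconds. The -n dry run before the real load is the only guard against a malformed hand edit; without it a bad line can leave the firewall running whatever ruleset pfctl managed to parse.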