November 10th, 2003, 04:10
I've been trying to find a solution to this dilemma, but the only thing that holds me back is the incoming source address. What I'm trying to accomplish is to have an IP on another network be aliased as a dummy host from another network. For example, an egress transmission to a VPN host masked as is aliased to The only problem is the ACK transmission. Even though the destination host is receiving the packets, PF is not sending back to This is what I tried:

external = "tun0"
if2 = "dc0"
net = ""

scrub in all fragment reassemble
scrub out all

nat on $external from to any -> $external
nat on $external from to any -> $external
nat on $if2 from to any -> $net
rdr on $if2 from any to ->


Of course I can ping the other side from the OpenBSD box, but anything on the other net cannot. I have some more ideas, but thought I'd see if anyone had some input. :D

November 10th, 2003, 13:53
Do you have a corresponding pass rule?

Perhaps with a keep state?
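To illustrate the corresponding pass rules Strog is asking about, here is an added example pf.conf (OpenBSD 3.x-era syntax), not config from either poster; the addresses are constructed placeholders, and the tunnel and inside interface names are the ones used in the first post.

```pf
# Constructed example, not the original poster's config.
external = "tun0"
if2      = "dc0"
lan      = "192.168.1.0/24"    # inside network behind dc0 (constructed)
vpn_host = "10.20.30.40"       # real host on the remote VPN network (constructed)
alias    = "192.168.1.250"     # dummy address the LAN uses to reach it (constructed)

scrub in all fragment reassemble
scrub out all

# Outbound: hide the inside network behind the tunnel interface address
nat on $external from $lan to any -> ($external)

# Alias: LAN traffic for the dummy address is redirected to the real VPN host
rdr on $if2 from $lan to $alias -> $vpn_host

# Translation alone forwards nothing; each packet must also match a pass rule.
# Filter rules see post-translation addresses, so match on the real destination.
# "keep state" creates a state entry that the reply (including the ACK) matches
# on the way back, so no explicit ingress rule for the replies is needed.
block all
pass in  on $if2      from $lan         to $vpn_host keep state
pass out on $external from ($external)  to $vpn_host keep state
```

Reloading with `pfctl -f /etc/pf.conf` and watching `pfctl -s state` shows whether a state entry is created for the first packet; if no entry appears, the packet is being blocked before translation can take effect.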

November 10th, 2003, 17:00
Should I make an explicit rule for ingress traffic? As you know there really isn't anything there. :D

November 11th, 2003, 02:03
Thanx for the offline idea Strog. For some reason I was debating on doing NAT from the Ciscos, but didn't know my IOS supported static mapping. I'm pinging the VPN as I type. :D