Subject: Re: NAT Rules Question
To: J. Buck Caldwell <buckaroo@liveround.com>
From: David Maxwell <david@vex.net>
List: netbsd-users
Date: 06/17/2003 16:34:57
On Tue, Jun 17, 2003 at 12:08:47PM -0500, J. Buck Caldwell wrote:
> David Maxwell wrote:
> >That looks fine. Although, from your description, I don't see any reason
> >why you couldn't just leave your 192.168.0.0/16 ruleset instead. It's a
> >bit loose and sloppy to do so, but nothing should prevent it from
> >working.
> > 
> My concern with that is that packets headed for, say, 192.168.5.0/24 
> will get mangled or not pass through the VPN tunnel. Of course, I don't 
> know the deep dark inner workings of NAT well enough. I suppose, since 
> the packets will be outbound on gif[x] instead of ex0, they wouldn't get 
> translated, am I right?

Okay, I didn't know that the VPNs terminated on the NetBSD system, so I
was unconcerned about the netmask being NATted - I thought the VPNs
terminated on another system, behind the NAT system.

Nonetheless, my understanding of ipfilter matches yours. I think the
interface will be enough to not NAT your VPN packets. However, since
it's on the same system, I would probably use the more specific rules
you started with.

> >Yes, just replace 0/32 with the A.B.C.D/32 you want in each case, using
> >the separate mappings you wrote above.
> >
> As I thought. Thank you for replying!

You're welcome :-)

						David
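To make the two points of the exchange concrete (the interface name on a map rule is what keeps VPN traffic leaving via a gif interface out of NAT, and replacing 0/32 with an explicit address pins each subnet to its own public address), here is an added ipnat.conf sketch. It is example configuration written for this reply, not the poster's actual ruleset; the interface names ex0 and gif0, the 192.168.x.0/24 subnets and the 203.0.113.0/24 public addresses are constructed placeholders.

```conf
# Added example, not the original poster's configuration.
# Assumptions: ex0 is the Internet-facing interface, gif0 carries the
# VPN tunnel, and 203.0.113.0/24 stands in for the real public block.

# Variant 1: the loose rule from the thread. Everything in 192.168/16
# that leaves on ex0 is translated to ex0's primary address (0/32).
# Packets routed out over gif0 never match, because the rule is bound
# to ex0, so tunnelled traffic to 192.168.5.0/24 is left untouched.
#map ex0 192.168.0.0/16 -> 0/32 portmap tcp/udp 10000:20000
#map ex0 192.168.0.0/16 -> 0/32

# Variant 2: the more specific rules, one mapping per local subnet,
# each with 0/32 replaced by the explicit public /32 to use.
# Ranges not listed here (for example the VPN-only 192.168.5.0/24)
# are simply never translated, whatever interface they leave on.
map ex0 192.168.1.0/24 -> 203.0.113.10/32 portmap tcp/udp 10000:20000
map ex0 192.168.1.0/24 -> 203.0.113.10/32
map ex0 192.168.2.0/24 -> 203.0.113.11/32 portmap tcp/udp 10000:20000
map ex0 192.168.2.0/24 -> 203.0.113.11/32
```

To check which variant is in effect after editing, reload with `ipnat -CF -f /etc/ipnat.conf` (clear the rule list and active mappings, then load the file) and inspect with `ipnat -l`, which prints the loaded rules followed by the current translation table; a VPN-bound flow should not appear in that table at all.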