MyLan <=> MyOpenbsd <= IPSec => Fortigate (on a lan behind a nat router) <=> device I want to reach.
That device has a gateway that is not the Fortigate, so I had to NAT the flow on the Fortigate with the IP of the Fortigate on the LAN. That Fortigate is connected exactly like a computer (one arm).
From MyLan I can reach the device.
MyFriend <=> Nat router <=> Internet <=> Nat router <=> MyOpenbsd <= IPSec => Fortigate (on a lan behind a nat router) <=> device I want to reach.
MyFriend arrives with a public IP on MyOpenbsd.
To reach the device I need to NAT all flows to port 1443 to device:443 (destination NAT).
But the device will need to reply and send the flow back to MyFriend, so I want to NAT him with the IP of MyOpenbsd (source NAT).
As you can see, when MyFriend sends its SYN to MyOpenbsd I need to change the source/destination IP to the natsource/natdestination IP.
I know this setup is f***ed up but I don't have control over many elements.
PS: Since my last mail, I found a workaround, which is an SSH tunnel from MyFriend to MyOpenbsd, and it worked perfectly. However I'd be interested to know what can be done with PF.
On Thursday, 9 May 2019 at 17:57:18 UTC+2, Chris Cappuccio <[hidden email]> wrote:
Mik J [[hidden email]] wrote:
> Is it possible to NAT both source and destination IP on the same OpenBSD PF instance, aka double NAT?
> If yes, does someone have an example of it?
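One way to express the double NAT described in the thread, as an added pf.conf fragment that is not the poster's or Chris Cappuccio's configuration; the interface names and the three addresses are assumptions, and it presumes enc0 is not in `set skip`:

```pf
# Added example, not from the thread. Names and addresses are assumptions.
ext_if         = "em0"            # public side of MyOpenbsd, where MyFriend's SYN arrives
openbsd_lan_ip = "10.0.0.1"       # assumed address of MyOpenbsd inside the IPsec flow
device         = "192.168.50.20"  # assumed address of the device behind the Fortigate

# 1. Destination NAT: MyFriend -> MyOpenbsd:1443 becomes MyFriend -> device:443.
#    A "match" rule applies the translation; the later "pass" rule is then
#    evaluated against the already rewritten destination.
match in on $ext_if inet proto tcp from any to ($ext_if) port 1443 rdr-to $device port 443

# 2. Source NAT on the way into the tunnel. Traffic entering IPsec is filtered
#    outbound on enc0, so the translation is attached there. The device sees
#    MyOpenbsd as the client and replies to it; the state entry undoes both
#    translations for the return packets, so MyFriend gets the answer.
match out on enc0 inet proto tcp from any to $device port 443 nat-to $openbsd_lan_ip

# 3. Filter rules, written for the translated addresses. Keep them narrow:
#    only TCP/443 to the one device, nothing else crosses the tunnel this way.
pass in  on $ext_if inet proto tcp from any to $device port 443
pass out on enc0    inet proto tcp from $openbsd_lan_ip to $device port 443

# Caveat: the ipsec.conf flow on MyOpenbsd must cover $openbsd_lan_ip -> $device
# (or their networks); a packet whose translated source is outside the flow is
# not sent through the tunnel at all. Check with "pfctl -sr" / "pfctl -ss" and
# "ipsecctl -sa" that the rule matched and a state with the NAT'ed addresses exists.
```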