Iptables to pfsense command line?

  • All,

    I know pfsense does not support ip tables. I've been checking the creation of files in /cf/conf/config.xml since most things seems to be configured there.

    I installed VPNC via command line, and everything works perfectly with regards to auth and all. The pfSense box is able to VPN and all, however I still need to create a NAT rule to allow traffic to be shared to devices on my LAN network.

    I am not getting how to add the rules, and I know what rules I need to add in iptables to make it work (Tested using DD-WRT).

    tundev="ifconfig |grep tun |cut -b 1-4"
    iptables -A FORWARD -o $tundev -j ACCEPT
    iptables -A FORWARD -i $tundev -j ACCEPT
    iptables -t nat -A POSTROUTING -o $tundev -j MASQUERADE

    Can anyone help me getting this resolved. Seems to be very simple, but I've been slamming my head for hours trying to get this to work.

    When running VPNC, it will create a tunnel interface, generally tun0. However this interface never shows up in the GUI. Checking ifconfig and netstat -r, I am able to see the interface and double check the routes in the routing table.

    I thought pfsense would use pf, since when trying to issue commands in ipfw it would give me errors.

    ipfw add divert natd all from any to any via tun0
    error: ipfw: getsockopt(IP_FW_ADD): Protocol not available

    Using pf, I'd use something like this, but could not find the file pf.conf, thus I was looking into /cf/conf/config.xml

    nat on $tundev from any to any -> ($tundev)

    Any ideas anyone?


    David Cabrejos

  • Assign tun0 under Interfaces>assign (you'll have to hack the source to remove filtering of tun so it shows up), then just setup manual outbound NAT under Firewall>NAT, Outbound, to NAT traffic out of that interface.

  • cmb,

    How do I hack the source to remove filtering to display the tun interface?

    I've tried manually adding the interface information on /cf/conf/config.xml, however it would not display the interface on the gui. I did not restart any service, so not sure if changes got applied or if I should change it somewhere else.


  • cmb,

    I rebooted the pfsense box to reload the interfaces configuration change I had made in the /cf/conf/config.xml

    _                <opt1><if>tun0</if>

    After this, pfSense did find the OPT1 interface, however it will display using em0, even though it uses tun0.

    Then I was able to manually create the nat rules to make things work.

    This will be a hassle every time NAT rules would be created automatically. And of course, according to documentation, if using automatic nat, the outbound rules are ignored.

    Is there a way to create 1 NAT rule on the config.xml to avoid using manual NAT?

    At least I was able to get VPNC to work properly. Just not the way I anticipated. :P

  • Actually that was going to be my suggestion instead, glad you figured it out. :)

    You can't add a line to the ruleset outside the GUI without changing the source code which would get overwritten on upgrade, wouldn't exist in your backups, etc. Best to do it as you're doing.

  • All,

    So I was able to fix my issue and bypass using manually created NAT rules. Everything is now done automatically.

    The way I used to add NAT statements was to do the following:

    1. Create a file with the NAT statements you would like to be in place.
            nat on tun0 from to -> (tun0)
            nat on tun0 from to -> (tun0)
            nat on tun0 from to -> (tun0)
            nat on tun0 from to -> (tun0)

    2. Append the information from the file above to the current NAT list:
            pfctl -sn > /usr/local/etc/vpnc/nat.conf
              cat /usr/local/etc/vpnc/custom_nat.conf >> /usr/local/etc/vpnc/nat.conf
              pfctl -Nf /usr/local/etc/vpnc/nat.conf

    3. Check if your NAT statements were applied to the current NAT.
            pfctl -sn

    That's all I did. Now I am able to use VPNC and everything is done automatically without a need to do anything. Of course I wrote other scripts to make sure it's always active and all!

    Hope this helps everyone out there since it took me a while to figure out the locations of NAT statements within pfsense.

    David Cabrejos

Log in to reply