[Solved] Need help for pf NAT redrection

hshh · #1 February 22nd, 2012, 09:35

Hi,

I am using PF for NAT. There is a https server in the internal network, IP 172.16.0.250, I need port forward to make any internet user to access it.

With pf rule,

Code:

rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> 172.16.0.250

It only works for an internet user outside NAT, not an internal user. The internal users inside NAT access external IP:443 failed, because DNS is set to external IP.

Googled for a long time, it seems a pf NAT redirection problem, but I can't find out any solution in ~~freebsd~~ FreeBSD. Any idea?

OS: FreeBSD 9.0-RELEASE

Code:

## pf.conf
ext_if="bce0"
int_if="bce3"
office="172.16/12"
no nat on $ext_if proto gre from any to any
nat on $ext_if inet from $office to any -> $ext_if
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> 172.16.0.250
pass all

**SirDice** · #2 February 22nd, 2012, 11:32

You can't bounce packets out of the same interface they came in.

Simple solution? Split DNS. Use a local DNS with local addresses on your internal network.

kisscool-fr · #3 February 22nd, 2012, 11:46

Like SirDice said, you can't connect to a server that is in the same netwotk as your client via pf NAT.

There is some explanation here about this problem and some solutions. The cleanest is DNS split but there are others that sould do the job.

hshh · #4 February 22nd, 2012, 11:55

Quote:

Originally Posted by kisscool-fr

Like SirDice said, you can't connect to a server that is in the same netwotk that your client via pf nat.

There is some explanation here about this problem and some solutions. The cleanest is dns split but there are other that sould do the job.

I have read that article, that's for ~~openbsd~~ OpeBSD, not ~~freebsd~~ FreeBSD. There is no syntax about rdr-to, received-on or nat-to in ~~freebsd~~ FreeBSD's pf. The problem also called NAT loopback, there is a solution for other firewalls, I hope ~~freebsd~~ FreeBSD pf can do it.

kisscool-fr · #5 February 22nd, 2012, 13:05

Yeah, that's right. FreeBSD's pf syntax is old style. But ...

You can add a line like this in your /etc/inetd.conf

Code:

5000 stream tcp nowait proxy /usr/bin/nc nc -w 20 172.16.0.250 443

and start inetd.

Then at the end of your /etc/pf.conf replace "pass all" by

Code:

rdr on $int_if from $int_if:network to ($ext_if) port 443 -> 127.0.0.1 port 5000
pass all
pass in quick on $int_if from $int_if:network to ($ext_if) port 443

If I'm not wrong, it should do the trick

hshh · #6 February 22nd, 2012, 16:15

Thanks kisscool-fr.
According to your tips, now I solved this problem. I changed to use net/portfwd to prevent nc fork from inetd always.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
[Solved] NAT in PF	douglasfim	Firewalls	7	March 21st, 2011 02:33
[Solved] PF + 2 Nat	jailed	Firewalls	17	February 7th, 2011 15:19
[Solved] NAT: it doesn't go	queshaw	Networking	10	December 15th, 2010 04:44
ipfw nat tablearg --> ipfw nat 0	sandrey	Firewalls	0	February 6th, 2009 16:54
NAT: no NAT for local traffic	mgp	Networking	7	December 9th, 2008 22:27

The Following User Says Thank You to kisscool-fr For This Useful Post:
hshh (February 22nd, 2012)