
Need help for pf NAT redirection

Discussion in 'Firewalls' started by hshh, Feb 22, 2012.

  1. hshh

    hshh New Member

    Hi,

    I am using PF for NAT. There is an HTTPS server on the internal network, IP 172.16.0.250, and I need a port forward so that any Internet user can access it.

    With pf rule,
    Code:
    rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> 172.16.0.250
    It only works for an Internet user outside the NAT, not for an internal user. Internal users inside the NAT fail to access external IP:443, because DNS is set to the external IP.

    I googled for a long time; it seems to be a pf NAT redirection problem, but I can't find any solution for FreeBSD. Any idea?

    OS: FreeBSD 9.0-RELEASE
    Code:
    ## pf.conf
    ext_if="bce0"
    int_if="bce3"
    office="172.16/12"
    no nat on $ext_if proto gre from any to any
    nat on $ext_if inet from $office to any -> $ext_if
    rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> 172.16.0.250
    pass all
     
  2. SirDice

    SirDice Moderator Staff Member Moderator

    You can't bounce packets out of the same interface they came in.

    Simple solution? Split DNS. Use a local DNS with local addresses on your internal network.
     
  3. kisscool-fr

    kisscool-fr New Member

    Like SirDice said, you can't connect to a server that is in the same network as your client via pf NAT.

    There is some explanation here about this problem and some solutions. The cleanest is split DNS, but there are others that should do the job.
     
  4. hshh

    hshh New Member

    I have read that article; that's for OpenBSD, not FreeBSD. There is no syntax for rdr-to, received-on or nat-to in FreeBSD's pf. The problem is also called NAT loopback; there is a solution for other firewalls, and I hope FreeBSD pf can do it.
     
  5. kisscool-fr

    kisscool-fr New Member

    Yeah, that's right. FreeBSD's pf syntax is old style. But ...

    You can add a line like this in your /etc/inetd.conf

    Code:
    # fields: service-name socket-type proto wait/nowait user server-program arguments
    # listen on TCP port 5000 and hand each connection to nc, which relays it to the HTTPS server
    5000 stream tcp nowait proxy /usr/bin/nc nc -w 20 172.16.0.250 443
    and start inetd.

    Then at the end of your /etc/pf.conf replace "pass all" by

    Code:
    # pf only accepts "port" together with a protocol, so "proto tcp" is required here
    rdr on $int_if proto tcp from $int_if:network to ($ext_if) port 443 -> 127.0.0.1 port 5000
    pass all
    # filter rules see the translated (post-rdr) destination, so match 127.0.0.1:5000, not the external IP
    pass in quick on $int_if proto tcp from $int_if:network to 127.0.0.1 port 5000

    If I'm not wrong, it should do the trick :)
     
  6. hshh

    hshh New Member

    Thanks kisscool-fr.
    Following your tips, I have now solved this problem. I switched to net/portfwd to avoid inetd forking nc every time.
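
For reference, the same hairpin ("NAT reflection") can also be done purely in pf's old-style syntax, without the inetd/nc relay, using the "redirection and reflection" pattern from the PF FAQ: a second rdr on the inside interface plus a source NAT so the server's replies come back through the firewall. The following pf.conf is an added example written for this thread, not code posted by anyone in it; it reuses the interface names, office network and server address from the original post and assumes nothing else about the setup.

```pf
# Added example: NAT reflection for FreeBSD 9 pf (old syntax), not from the thread.
# Names below are taken from the original post; $https_srv is a macro introduced here.
ext_if="bce0"
int_if="bce3"
office="172.16/12"
https_srv="172.16.0.250"

# Outbound NAT for the office network (as in the post)
no nat on $ext_if proto gre from any to any
nat on $ext_if inet from $office to any -> $ext_if

# 1. Internet clients: external-IP:443 -> internal server
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> $https_srv

# 2. Office clients that resolve the name to the external IP: redirect on the
#    inside interface as well, since their packets arrive on $int_if, not $ext_if
rdr on $int_if inet proto tcp from $office to ($ext_if) port 443 -> $https_srv

# 3. Force the server's replies back through the firewall. Without this the server
#    answers the client directly with its own address as source, and the client's
#    TCP stack drops the reply because it was expecting the external IP.
#    The firewall's own address is inside $office, so exempt it explicitly.
no nat on $int_if proto tcp from ($int_if) to $https_srv
nat on $int_if inet proto tcp from $office to $https_srv port 443 -> ($int_if)

# Filter rules see the translated (post-rdr) destination
pass in quick on $int_if proto tcp from $office to $https_srv port 443
pass out quick on $int_if proto tcp from ($int_if) to $https_srv port 443
pass all
```

Two points worth knowing before choosing this over split DNS: every reflected connection reaches the server with the firewall's inside address as its source, so the HTTPS server's logs (and any per-client rate limiting or access control on it) no longer see the real internal client; and because $office is a /12, the nat rule in step 3 also rewrites inter-subnet traffic from other office subnets to the server if that traffic is routed through the firewall. SirDice's split-DNS suggestion avoids both, since internal clients then connect to 172.16.0.250 directly and never touch these rules. After editing, check the ruleset with pfctl -nf /etc/pf.conf before loading it.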