Port forwarding without NAT?

monkeyboy · Nov 19, 2015

I probably have the terminology wrong, but...

I have two FreeBSD machines, A and B, and two networks, M and N.

Machine A is connected to both networks, M and N.
Machine B is only connected to network N.
Although both M and N can get at the Internet, the firewall on N is far more restrictive and will not allow incoming HTTP requests (port 80) from the outside (internal traffic is ok), and probably not other ports as well. I have no control over these firewalls or networks (VLANs).

I want machine B to be a webserver and probably also a TELNET, FTP, etc server accessible from the outside. I have an unused IP address on M (call it X) that can be assigned to A only (which already has another IP address on M, and on N (call them Y and Z)).

So I would like to have machine A pass on all traffic (in/out) on address X (network M) to machine B (on network N). Basically port forward from A to B but A is NOT doing NAT on network N, its just another IP address on N (Z). Machine A also has to handle its own traffic on network M (via address Y).

How can this be done? (thanks). perhaps this is a form of proxy?

Oko · Nov 19, 2015

TELNET and FTP in 2015? I thought I was again 24 year old after reading your post. As of that network gimmicks you want to do it looks to me that you want bi-directional mapping

http://www.openbsd.org/faq/pf/nat.html#binat

but I didn't have a gut to decode your post.

Juha Nurmela · Nov 19, 2015

You might try to rephrase your description

Bend it from iron wire, please, it's said here.

How about giving the extra address to machine B, and using a host route on machine A. Just simply route add extra_address machine_B

Juha

monkeyboy · Nov 19, 2015

Juha Nurmela said:
How about giving the extra address to machine B, and using a host route on machine A.
Just simply route add extra_address machine_B

unfortunately networks M and N are physically separate and machine B does not have and cannot have a connection to network M (and thus cannot make use of the extra address on M).

I suppose to rephrase and simplify, machine A has two address on network M and one on network N while machine B only has an address on N. I want machine A to pass onto machine B all traffic and requests for one of those two addresses on M to machine B via their common connectivity on network N.

The real objective is to have machine B appear as a normal server on the Internet even though only machine A has an actual full connection to the Internet. If I had full control of network N then this would be a standard case of port forwarding into a NAT'd internal network, but I don't and I cannot have machine A NAT'ing onto network N.

Juha Nurmela · Nov 19, 2015

I have little knowledge on networks, so I shouldn't really have butted in. I'll test what I had in mind, and then come back for egg pelting :I

...back. I cannot fully test this, haven't got two public IPs. Locally it works and I see no reason why it wouldn't from the outside as well. On machine B simply ifconfig em0 alias extra_address

Juha

Juha Nurmela · Nov 20, 2015

Doh.... Forgot about arp -s hostname ether_addr pub on machine_A.

Juha

junovitch@ · Nov 20, 2015

monkeyboy, I read this as you are looking for a reverse proxy. For example either net/haproxy or net/relayd could service this by relaying connections from the outside world to the backend server (B) or multiple backend servers as that is a common use case for a reverse proxy.

monkeyboy · Nov 20, 2015

junovitch@ said:
monkeyboy, I read this as you are looking for a reverse proxy. For example either net/haproxy or net/relayd could service this by relaying connections from the outside world to the backend server (B) or multiple backend servers as that is a common use case for a reverse proxy.

I believe you are right and I did start looking at net/relayd. I gather it is not as fully implemented on FreeBSD vs OpenBSD.

On machine B simply ifconfig em0 alias extra_address

I don't see how this can work as "extra_address" is on a totally different network from what machine B is on... no packets for extra_address would ever appear on B's interface.

junovitch@ · Nov 20, 2015

monkeyboy said:
I believe you are right and I did start looking at net/relayd. I gather it is not as fully implemented on FreeBSD vs OpenBSD.

The FreeBSD version does appear to be slightly behind. I don't know if the version difference is anything of consequence. I had one minor issue with net/relayd earlier in the 10.x series when some pf(4) APIs changed and net/relayd would cause a kernel panic when interacting with PF. I switched to net/haproxy afterwards as it does have quite a good security reputation, the docs were clear, and it did everything I needed.

Uniballer · Nov 20, 2015

If this was a corporate network, and you were trying to open up functions that belong on the DMZ to a protected internal network then you might find yourself on the street before your head stopped spinning. In fact, I can't actually think of any situation where I would condone you subverting the security policy of a network that didn't belong to you. There may be very good reasons, of which you are apparently unaware, for the security policy you are clearly trying to bypass.

In my company, if you had a legitimate need for administrative access to the internal network then we would supply a VPN configuration for you to use. And if you had a legitimate need for the public to access a web site, etc. then that could be arranged, too. But there would be no public inbound access from the Internet (even with a password) to the protected internal network.

Juha Nurmela · Nov 20, 2015

What's wrong in my thinking? machine_A has a public ARP for the extra_address and gets packets from the outside. It has a host route and forwards packets to machine_B. machine_B has alias for extra_address and everybody is happy. Aren't they?

Juha