PF FreeBSD and pf on Azure: How to pass source IP?

Hey everyone,
I've checked out DutchDaemon's answer here: https://forums.freebsd.org/threads/13715/#post-80232

But have not been able to get it to work in my own environment in Azure. I can pass traffic with no issue using something along these lines:

Code:
# Source-translate everything leaving hn0 that does not already carry hn0's first address
nat log on $ext inet from !($ext) -> ($ext:0)
# Narrower form of the rule above for the internal network only (already covered by it)
nat log on $ext from $localnet to any -> ($ext)
# Destination-translate inbound port 22 on hn0 to the backend; "pass" lets the packet in as well
rdr pass log on $ext inet proto tcp from any to $ext port 22 -> $ssh_server
But of course this NATs the source IP to the FreeBSD internal IP... Anyone have any ideas on where I'm going wrong?
 
But of course this NATs the source IP to the FreeBSD internal IP
A redirection (rdr) changes the destination address, not the source address. A NAT (nat) changes the source address. But in your case it only changes outgoing traffic to use the source address of the external interface.

What makes you think it uses the internal address as a source?
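As an added illustration, not the thread's own config and not something posted by either participant, here are the two translation types side by side. Interface names and the backend address are assumed to match the layout described in this thread; the nat-on-$int rule is shown commented out because it is the rule that would make the backend log the FreeBSD box instead of the client.

```pf
# Added example config (assumed names: hn0 external, hn1 internal, 10.0.0.5 backend)
ext = "hn0"
int = "hn1"
sshserver = "10.0.0.5"

# Outbound source translation for the internal network. It only matches
# packets leaving via hn0, so it never touches a flow that is forwarded
# from hn0 to the backend on hn1.
nat on $ext inet from $int:network -> ($ext)

# rdr rewrites the DESTINATION only. The client's source address stays as
# it arrived, so sshd on the backend logs the client's real IP. "pass" makes
# the rdr also pass the packet, so no separate pass-in rule on hn0 is needed.
rdr pass log on $ext inet proto tcp from any to ($ext) port 22 -> $sshserver port 22

# nat on the INTERNAL interface rewrites the SOURCE of the forwarded flow to
# hn1's address. Enabling this is exactly what makes the backend see the
# FreeBSD private IP; leave it out when the backend must log clients.
# nat on $int inet proto tcp from any to $sshserver port 22 -> ($int)

block in all

# Return path: with no nat on hn1, the backend replies straight to the
# client's public address. Its default route must lead back through this
# box, otherwise the reply bypasses pf and the TCP handshake never completes.
pass out on $int inet proto tcp to $sshserver port 22 keep state
pass out on $ext keep state
```

Verify which rules are loaded with `pfctl -s nat` and which translations are in effect on live flows with `pfctl -s state`: a forwarded SSH flow whose state shows only the destination in parentheses was redirected and keeps the client source.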
 
Appreciate the reply, SirDice.
With the above config I'm only getting the internal address of the FreeBSD server in my access logs on the back end.
Full config here; I appreciate any feedback, considering this was pieced together by a novice and likely contains many errors and inefficiencies.

Code:
ext = "hn0"                 # external (Azure-facing) interface
int = "hn1"                 # internal (backend) interface
localnet = $int:network     # the subnet attached to hn1
sshserver = "10.0.0.5"
scrub in

# Source-translate traffic leaving hn0; the second rule is a subset of the first
nat log on $ext inet from !($ext) -> ($ext:0)
nat log on $ext from $localnet to any -> ($ext)
# Destination-translate inbound port 22 on hn0 to the backend and pass it
rdr pass log on $ext inet proto tcp from any to $ext port 22 -> $sshserver

# default block
block in all

# pass 22 to sshserver (filter rules see the destination after rdr, hence $sshserver)
pass out log on $int inet proto tcp from any to $sshserver port 22
pass in log on $ext inet proto tcp from any to $sshserver port 22

# admin ssh
pass in log (all) quick proto tcp from any to any port 2020

# closing rules
pass from { lo0, $localnet } to any keep state
# passes all traffic in both directions on hn0, which overrides "block in all" for that interface
pass log on $ext
pass out log all keep state
 
With the above config I'm only getting the internal address of the FreeBSD server in my access logs on the back end.
How are you testing this? Connections from outside the network will have the correct source IP address.
 
Client on open internet ----> Public IP/FreeBSD---FreeBSD/Private IP -----> ssh_server
I need the ssh_server to see the original source IP of the client, not the FreeBSD Private IP which is currently getting logged.
 
So you connect to the FreeBSD box first, then run a new connection to the server?
 
Goal is to have a client connect to the public IP of the FreeBSD server, get passed through to the "real" ssh server on the backend 10.x.x.x network, and the ssh server is able to see and log the original source IP of the client making the connection.
 
Yes, that's what the redirection rule does. The rules you have should work, connections will show up with the correct source IP address. But if you set up a connection from the FreeBSD box to the server it will always show the FreeBSD box as the source.
 