IPFW FreeBSD PPPoe Port Forwarding

SRV1: FreeBSD 10.3, IP: 10.0.0.1, PPPoE ADSL (ppp), ethernet x1: fxp0
SRV2: FreeBSD 10.3, IP: 10.0.0.2

[Goals]

port forwarding:
SRV1 [port:8922] ----> SRV2 [port:22]
SRV1 [port:8080] ----> SRV2 [port:80]

I am experimenting with port forwarding and I have spent a few weeks trying to resolve this. After Googling and searching the forum, the problem still isn't resolved.

I have tried the 3 methods above, but nothing works. Of course I start the service normally. I am wondering if it is not possible to do port forwarding from SRV1 (ethernet x1, ADSL PPPoE) to SRV2? Please give me advice, and thanks so much.

[Try 1 : ipfw]
/etc/ipfw.rules
Code:
#!/bin/sh
ipfw -q flush

add="ipfw -q add"
WAN="tun0"
LAN="fxp0"
ipfw -q nat 1 config if $WAN reset\
               redirect_port tcp 10.11.11.2:22 8922\
                redirect_port tcp 10.11.11.2:80 8080

# Allow everything within the LAN
$add 10 allow ip from any to any via $LAN
$add 20 allow ip from any to any via lo0
$add 30 allow ip from any to any via ng*

# Catch spoofing from outside
$add 90 deny ip from any to any not antispoof in

$add 100 nat 1 ip from any to any via $WAN in
$add 101 check-state
$add 200 skipto 10000 tcp from any to any 8922 via $WAN in setup keep-state
$add 203 skipto 10000 tcp from any to any  22 via $WAN in keep-state

# Rules for outgoing traffic - allow everything that is not explicitly denied
$add 1000 deny ip from not me to any 25, 53 via $WAN out

# Allow all other outgoing connections
$add 2000 skipto 10000 tcp from any to any via $WAN out setup keep-state
$add 2010 skipto 10000 udp from any to any via $WAN out keep-state

# Rules for incoming traffic - deny everything that is not explicitly allowed
# vpn mpd5:1723
$add 4999 allow tcp,udp from any to any 47,1723  via $WAN in setup limit src-addr 10
# vpn mpd5:1723
$add 5000 allow tcp from any to any 4, 80, 443, 548,  8822, 8922  via $WAN in setup limit src-addr 10

# Catch tcp/udp packets, but don't touch gre, esp, icmp traffic
$add 9998 deny tcp from any to any via $WAN
$add 9999 deny udp from any to any via $WAN

$add 10000 nat 1 ip from any to any via $WAN out
$add 65534 allow ip from any to any

[Try 2 : pf]
/etc/pf.conf

Code:
ext_if = "tun0"

int_if = "fxp0"
ext_ip = "xxx.xxx.xxx.xxx"

# PIMA (server behind the DMZ)
INT_SRV1 = "10.0.0.1"
INT_SRV2 = "10.0.0.2"

# --- ftp services ---
SSH_PORT1 = "{ 8922 }"
WWW_PORT1 = "{ 8080 }"
open_services = "{22, 47, 1723, 54, 80, 443}"

# Port forwarding to internal Server
rdr_port_to_pima =  "{8922 8080}"

#Private IP
priv_nets = "{ 127.0.0.0/8, 10.11.11.0/27}"

# --- hosts with internet access ---
table <allowed> { 127.0.0.0/8, 10.11.11.0/27}

# options
# Set how packets from rejected connections are handled
set block-policy return
set optimization aggressive
# Log $ext_if
set loginterface $ext_if
set loginterface $int_if
# scrub
scrub in all

#NAT
# --- TRANSLATION (NAT/RDR) section ---
nat on $ext_if from <allowed> to any -> $ext_ip
rdr pass on $ext_if proto tcp from any to $ext_ip port $SSH_PORT1 -> $INT_SRV1 port 22
rdr on $ext_if proto tcp from any to $ext_ip/32 port 21 -> $INT_SRV1 port 21    #outside to FTP

rdr pass on $ext_if proto { tcp udp } from any to $ext_ip port $SSH_PORT1 -> $INT_SRV1 port 22
rdr pass on $ext_if proto { tcp udp } from any to $ext_ip/32 port $WWW_PORT1 -> $INT_SRV1 port 80

antispoof log quick for $ext_if


#open loopback
pass quick on lo0 all

pass in on $int_if inet proto tcp from any to any port $open_services flags S/SA keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

block drop in quick on $ext_if from <ssh-bruteforce>
block return-icmp(net-unr) in quick on $ext_if proto udp all

[Try 3 : ipnat]
/etc/ipnat.rules
Code:
map tun0 10.11.11.0/27 -> 0.0.0.0/32 portmap tcp/udp 8000:65000
map tun0 10.11.11.0/27 -> 0.0.0.0/32

rdr tun0 106.104.138.251/32 port 8922 -> 10.11.11.2 port 22

Zuni
 
Code:
rdr pass on $ext_if proto tcp from any to $ext_ip port $SSH_PORT1 -> $INT_SRV1 port 22
Slightly modified, this is all that would be needed:
Code:
rdr pass on $ext_if proto tcp from any to ($ext_ip) port $SSH_PORT1 -> $INT_SRV1 port 22

Don't do this:
Code:
block return-icmp(net-unr) in quick on $ext_if proto udp all
I know the RFCs state that returning ICMP port unreachable is correct for a closed UDP port but you're setting yourself up for abuse. This is because UDP is really easy to spoof. Just drop the traffic without a response.
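A small lint for the pitfalls discussed in this thread: a nat/rdr rule on a PPPoE interface whose external address is not written in the parenthesised interface form that pf re-reads when the PPP address changes, a `block return-icmp` rule for UDP, and a table that is referenced but never declared (pfctl rejects the whole file in that case). This is an added example written for this thread, not code from either poster or from pf itself; the configuration inside it is constructed from the rules posted above and the finding codes are my own names.

```python
import re

# Constructed sample, modelled on the rules posted in the thread (not the poster's full file).
SAMPLE_PF_CONF = """\
ext_if = "tun0"
int_if = "fxp0"
ext_ip = "xxx.xxx.xxx.xxx"
INT_SRV1 = "10.0.0.1"
table <allowed> { 127.0.0.0/8, 10.11.11.0/27 }
nat on $ext_if from <allowed> to any -> $ext_ip
rdr pass on $ext_if proto tcp from any to $ext_ip port 8922 -> $INT_SRV1 port 22
rdr pass on $ext_if proto tcp from any to ($ext_if) port 8080 -> $INT_SRV1 port 80
block drop in quick on $ext_if from <ssh-bruteforce>
block return-icmp(net-unr) in quick on $ext_if proto udp all
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"')
TABLE_DEF_RE = re.compile(r'^table\s+<([^>]+)>')
TABLE_REF_RE = re.compile(r'<([^>]+)>')

def lint_pf(conf, dynamic_ifs=("tun0",)):
    """Return [(lineno, code)] for the three pitfalls discussed in the thread."""
    macros, tables, findings = {}, set(), []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        m = TABLE_DEF_RE.match(line)
        if m:
            tables.add(m.group(1))
            continue
        words = line.split()
        # 1. nat/rdr on a PPPoE-style interface: the external address must be the
        #    (ifname) form so pf re-reads it whenever the PPP address changes.
        if words[0] in ("nat", "rdr") and "on" in words:
            ifname = words[words.index("on") + 1].lstrip("$")
            if macros.get(ifname, ifname) in dynamic_ifs:
                key = "->" if words[0] == "nat" else "to"
                target = words[words.index(key) + 1]
                if target != "any" and not target.startswith("("):
                    findings.append((lineno, "dynamic-addr-not-parenthesised"))
        # 2. Table referenced before any declaration: pfctl rejects the whole file.
        for name in TABLE_REF_RE.findall(line):
            if name not in tables:
                findings.append((lineno, "undefined-table"))
        # 3. ICMP answers to blocked UDP turn the box into a reflector for spoofed traffic.
        if words[0] == "block" and "return-icmp" in line and "udp" in words:
            findings.append((lineno, "udp-return-icmp"))
    return findings
```

Run it over a real /etc/pf.conf with `lint_pf(open("/etc/pf.conf").read())`; it is a text check only and does not replace `pfctl -nf`.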
 