Solved Hairpin NAT Not Working Following Upgrade to 12.2-p6

[Deviant0ne]

I was using pure NAT for NAT reflection/hairpinning in my pf.conf file on my firewall but following the recent update to 12.2-p6 from 12.2-p5, hairpin NAT stopped working. This was the configuration I was using until this morning:

rdr on $All_NAT_IF proto { tcp udp } from any to ($wan_if) port 443 -> <httpsrv>

To get hairpin NAT working again, I ended up needing to configure xinetd + nc to act as a helper proxy (much like pfSense).

I did see that pf.ko was updated in 12.2-p6 but from what I can find, the issue that was being addressed was for net.pf.request_maxcount. Is anyone else having issues?

 

[SirDice]

Note that you can't "bounce" packets out the same interface they came in on.

 

[Deviant0ne]

Note that you can't "bounce" packets out the same interface they came in on.

What’s strange is that my NAT reflection rules were working normally up until the point I upgraded to 12.2-p6. This is what I was basing my configuration on (though I know OpenBSD’s PF is now quite different from FreeBSD’s): https://www.openbsd.org/faq/pf/rdr.html#reflect

 

[SirDice]

     Translation rules apply only to packets that pass through the specified
     interface, and if no interface is specified, translation is applied to
     packets on all interfaces.  For instance, redirecting port 80 on an
     external interface to an internal web server will only work for
     connections originating from the outside.  Connections to the address of
     the external interface from local hosts will not be redirected, since
     such packets do not actually pass through the external interface.
     Redirections cannot reflect packets back through the interface they
     arrive on, they can only be redirected to hosts connected to different
     interfaces or to the firewall itself.

From pf.conf(5).

 

[Deviant0ne]

It must have just been a fluke that my hairpin NAT rules were working in the first place, I will continue to use the xinetd + nc proxy method.

 

[SirDice]

One way to solve this I more or less found by accident (but in hind-sight made sense), I have net/haproxy running on the firewall host. I use it so I can redirect to different websites running on my home network on a single IP address. Because this is a proxy, connections coming from inside the network actually work too.

 

[deadbeef2000]

To follow up with this question in a little different environment:

If I'd setup one external and multiple internal interfaces, rdr would work from one internal interfaces to another (e.g. INT_IF_2 to INT_IF_1) but not on the same interface (lets say the web server needs to talk to itself and we have that example from you SirDice). Am I correct in that assumption?

And should I have created another post for that question or how do I go about posting in solved (and old) posts?