PF NAT and RDR from TUN doesn't work

I am desperately trying to redirect all http(s) traffic coming from the vpn subnet (10.8.0.0/24), going out through the NAT on the external IP (192.168.1.203), to a transparent proxy (squid). The problem is that the packets are not being redirected (target ip and port being rewritten). I just can't figure out why, can someone please help me? :(

Code:
ext_if = "re0"
ext_ip = "192.168.1.203"
vpn_if = "tun2"
vpn_net = "10.8.0.0/24"
nat on ! $vpn_if from $vpn_net to any -> $ext_ip
rdr pass inet proto tcp from $ext_ip to any port 80 -> 127.0.0.1 port 3128

As far as I understand this, it should work: every packet going to any ip port 80, after being handled by NAT (where its src address is replaced with 192.168.1.203), should be redirected to loopback, port 3128. But this just doesn't happen o_O
 
Your rdr rule won't catch the traffic from the VPN tunnel because the traffic has already arrived on the system and is not going to be sent to the external interface because there is no reason to. You have to do a separate rdr on the tun2 interface to redirect the VPN traffic.

Remember that the nat rule never tells the system to send traffic anywhere; it is a conditional rule that states "if the traffic is sent out via this interface with this source and this destination address, apply this rewriting of the source address in the packets".
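As an added illustration of the point made in this reply (this is not the thread's own config): the same macros as the original post, with the redirect anchored on the tunnel interface so it matches VPN traffic as it arrives, and outbound NAT kept only for traffic that does leave via re0. It assumes Squid is listening on 127.0.0.1:3128 in transparent mode (squid.conf `http_port 3128 intercept`); the `pass` rules are minimal placeholders, not a complete ruleset.

```pf
# Added example, not the original poster's ruleset.
ext_if  = "re0"
ext_ip  = "192.168.1.203"
vpn_if  = "tun2"
vpn_net = "10.8.0.0/24"

# Intercept HTTP from VPN clients on the interface the packets ARRIVE on.
# rdr is evaluated for inbound packets, so anchoring it on tun2 catches the
# traffic before any routing or outbound NAT decision is made.
# Assumes Squid listens on 127.0.0.1:3128 with "http_port 3128 intercept".
rdr pass on $vpn_if inet proto tcp from $vpn_net to any port 80 -> 127.0.0.1 port 3128

# Source NAT applies only to packets that are actually sent out via re0.
# Connections Squid opens itself come from the host address and need no NAT.
nat on $ext_if from $vpn_net to any -> $ext_ip

# Minimal placeholder filter rules; replace with the real policy.
pass in on $vpn_if inet from $vpn_net to any
pass out on $ext_if inet from $ext_ip to any
```

Note that `rdr pass` lets the redirected packets bypass the filter rules entirely, which is convenient while debugging but means the intercepted connections are not subject to the `pass in on $vpn_if` policy; drop the `pass` keyword once the filter rules are in place if you want them enforced.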
 
Hm, I am returning to this, I can't figure this one out... I think that this is the problem; I have tried to solve it using NAT when the request is leaving 10.8.0.0/24 but to no success.


[Attachment: problem.jpg]
 
You may need to reload your rules when the VPN is up. The order is rather important. If the VPN comes up after the rules have been loaded it won't properly detect the tunnel interface. And the rules aren't changed dynamically once they're loaded. If you use OpenVPN it should have an option to run a script when the tunnel goes up or down. Use that to reload the firewall rules.

As for FIBs, I don't think you need it. It can all be done without them. If Squid is running on the host there's really no need for outgoing NAT either as Squid will make a new connection from the host itself. You would need the outgoing NAT if you want traffic to pass directly from the tunnel to the outside interface.
 
OK, I will try with reloading rules, I hope it will help :(

FIBs: On tun1 I have a VPN client, connecting to an external VPN server, and I don't want it to mess with my routing tables, that is why fib 1. The squid is accessing the internet exclusively over that VPN. On the other side, on the host I have a running mail and web server which shouldn't use fib 1 routes. For fib 2, well... maybe it could work without it.
 
Hmm... NAT is working flawlessly, the problem actually is in the redirection rule; after I use it, the android client can no longer access the internet, so there is something wrong with it.

I have started tcpdump with a filter for the squid ports and it looks like the packets just don't come to it, but the rule does do something, as the client also doesn't access the web, which normally works without that rule (with NAT). Hm... I am having problems understanding why that would happen and where those packets end up...
 