Solved NAT reflection, I think

Greetings all,

This is probably yet another NAT reflection question, but I can't seem to get this working. I know exactly what I want to do to the src and dest addresses, but I'm not sure how to achieve this with PF rules. I would like to avoid using split horizon DNS.

Basically, I would like to rewrite packets destined for a certain public IP so they instead go internally, and then get rewritten back to look like they are coming from the public IP. Seems like a NAT and RDR rule should be able to take care of this.

Code:
                                +----------+    ROUTER: 10.0.0.1
                                |PACKET    |   +-------------------------+
                                |S:10.0.0.x|   | NAT                     |   
+----------+   REQ 72.1.1.2:80  |D:72.1.1.2|   | S:10.0.0.x --> 10.0.0.1 |        +-------------+
| CLIENT   |---------------------------------->| D:72.1.1.2 --> 10.0.0.2 |------->| SERVER      |   
| 10.0.0.x |                                   +-------------------------+        | 10.0.0.2:80 |
|          |<------------------------------+---| S:72.1.1.2 <-- 10.0.0.2 |<-------|             |   
+----------+                    |PACKET    |   | D:10.0.0.x <-- 10.0.0.1 |        +-------------+
                                |S:72.1.1.2|   +-------------------------+
                                |D:10.0.0.x|
                                +----------+

Thanks for any help!
 
Thanks for the link. I read through that, but the syntax doesn't work with FreeBSD. How would you translate
Code:
pass in on $int_if proto tcp from $int_net to egress port 80 rdr-to $server
pass out on $int_if proto tcp to $server port 80 received-on $int_if nat-to $int_if
to nat and rdr rules?
 
rdr pass in on $int_if proto tcp from $int_net to 72.1.1.2 port 80 \
-> 10.0.0.2 port 80

I'm not sure about the NAT part on int_if
 
Unfortunately, that just changes the destination IP, and then routes it back internally. The server will respond to the packet as if it were coming directly from the original client. The problem is the client expects the source address to be 72.1.1.2, but it really is 10.0.0.2, and it just drops the packet. And, since the server sees 10.0.0.x, the packet will never make it back to the firewall.
 
I've had the same problem on the back-burner for a little while and you got me to go look at it again. I think what needs to be done is add a nat rule on the internal interface to redirect to the internal server on the lan. Something like this:

nat on $IntIf proto tcp from $IntIf:network to ($ExtIf) port 80 -> 10.0.0.2

I'll try it out in a little while - my setup involves using OpenSim in a Grid on FreeBSD 11.1 with 5 servers behind 5 gateways and a lot of reconfiguration to test it all out. I ran into the nat reflection problem and decided to restore my setup and try again some other time.
 
rdr on $int_if proto tcp from $int_net to 72.1.1.2 port 80 \
-> 10.0.0.2
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to 10.0.0.2 port 80 \
-> $int_if
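The rule pair above, placed in a fuller FreeBSD pf.conf fragment as an added example (not code from the thread): the interface names, the $int_net value and the pass rules are assumptions, while 72.1.1.2 and 10.0.0.2 are the addresses from the diagram.

```pf
# Added example, not part of the thread. Interface names, $int_net and the
# filter rules are assumed; addresses are the ones from the original post.
ext_if  = "em0"          # holds 72.1.1.2 (assumed interface name)
int_if  = "em1"          # 10.0.0.1 on the LAN (assumed interface name)
int_net = "10.0.0.0/24"  # assumed LAN prefix
web_pub = "72.1.1.2"
web_srv = "10.0.0.2"

# --- Translation section (precedes filter rules in FreeBSD's pf.conf) ---

# Ordinary inbound redirect from the Internet to the web server.
rdr on $ext_if proto tcp from any to $web_pub port 80 -> $web_srv

# Reflection step 1: a LAN client's packet arriving on $int_if for
# 72.1.1.2:80 gets its destination rewritten to 10.0.0.2:80.
rdr on $int_if proto tcp from $int_net to $web_pub port 80 -> $web_srv

# Keep connections the firewall itself opens to the LAN out of the
# reflection nat below.
no nat on $int_if proto tcp from $int_if to $int_net

# Reflection step 2: when the redirected packet leaves $int_if, rewrite its
# source to 10.0.0.1 so the server replies to the firewall, which then
# reverses both translations (S: 72.1.1.2, D: 10.0.0.x) for the client.
nat on $int_if proto tcp from $int_net to $web_srv port 80 -> $int_if

# --- Filter section: translated packets still need a pass rule ---
# Filter rules see the already-translated destination (10.0.0.2).
pass in  on $int_if proto tcp from $int_net to $web_srv port 80 keep state
pass out on $int_if proto tcp from $int_if  to $web_srv port 80 keep state
```

Load with `pfctl -f /etc/pf.conf` and confirm both translations with `pfctl -s state` while a LAN client fetches http://72.1.1.2/: one entry should show the client's address mapped to 10.0.0.1 toward 10.0.0.2:80.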
 
Perfect, that works! I didn't know you could put the rdr rules above nat, which is probably why I couldn't get it to work.

Thanks VladiBG!
 