PF Opening port to jail fails

This should be simple, but I'm not seeing it.
I'm trying to open a port in pf. I've set up a test-jail with NGINX.
I can reach it from the LAN using the internal IP.
I can't reach it externally, port check comes back with connection refused.

pf.conf
Code:
### pf.conf

### Interfaces
    WAN="wan0"
    LAN="lan0"
    JAIL="lo1"

### Networks
    LOCAL=$LAN:network                                       # Internal IP-range is 10.0.0.X
    JAILS=$JAIL:network                                        # Jails are on 10.0.1.X

### Jails
    NGINX=            "10.0.1.50"                               # Webserver test jail

set loginterface $WAN

### REDIRECTION ###

### Bridge subnet
    nat on $WAN                                from $LOCAL     to any                             -> ($WAN)
    nat on $WAN                                from $JAILS     to any                             -> ($WAN)

### NGINX
    rdr pass on $WAN    proto tcp            from any        to any            port http        -> $NGINX             port http

### DENY any redirection not defined above
    no rdr

### Open the firewall
pass in quick log all
pass out quick log all
 
I can reach it from the LAN using the internal IP.
I can't reach it externally, port check comes back with connection refused.
I'm guessing you are behind a router? Did you forward the port there too?
 
JAIL="lo1"
That looks... a little weird. The formatting on the whole file suggested it was generated by some other program. Please give more information on the version of FreeBSD and whether this is from some type of appliance or firewall generator.
 
I'd renamed my interfaces in rc.conf to lan0 and wan0 to keep them straight.
Jails are set up as lo1_aliases, so that was in fact correct.

The formatting is odd because I've been grabbing examples from all over the internet, the handbook, calomel.org and a few other places.
It's all hand-written and/or copy-pasted. I just started inserting tabs in an effort to maintain some sort of legibility.

The issue turned out to be rather simple. Nothing was hitting my firewall.
I recently switched ISPs, and the new setup uses PPPoE. I should've been setting rules for tun0 rather than igb0/wan0.
As soon as things started hitting my log, it was a question of lining up rdr and pass rules.

Issue solved.
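
Added example (not part of the thread or the poster's own configuration): a shell check for the failure described above, where the pf macro for the external interface names a NIC that no longer carries the default route. The helper names and the sample `netstat -rn -f inet` output are constructed for illustration; the macro block is copied from the pf.conf in the first post.

```shell
#!/bin/sh
# Compare the interface named by a pf.conf macro with the interface that
# holds the default route. Helper names are hypothetical, not from the thread.

# Constructed sample: the interface macros from the pf.conf posted above.
sample_pf_conf() {
cat <<'EOF'
### Interfaces
    WAN="wan0"
    LAN="lan0"
    JAIL="lo1"
EOF
}

# Constructed sample of `netstat -rn -f inet` on a PPPoE host (addresses made up).
sample_routes() {
cat <<'EOF'
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        tun0
10.0.0.0/24        link#2             U          lan0
10.0.1.50          link#4             UH          lo1
EOF
}

# Print the value of pf macro $1; pf.conf text on stdin.
# Tolerates indentation, spaces around '=', quotes and trailing comments.
pf_macro() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\\{0,1\\}\\([^\"#[:space:]]*\\).*/\\1/p" |
        head -n 1
}

# Print the Netif column of the default route; netstat -rn text on stdin.
default_route_if() {
    awk '$1 == "default" { print $4; exit }'
}

# Return 0 when the macro value ($1) is the default-route interface ($2).
check_wan() {
    if [ -n "$1" ] && [ "$1" = "$2" ]; then
        echo "OK: pf rules on '$1' match the default route"
    else
        echo "MISMATCH: pf rules use '$1', default route leaves via '$2'"
        return 1
    fi
}

check_wan "$(sample_pf_conf | pf_macro WAN)" "$(sample_routes | default_route_if)" || true
# Live host: check_wan "$(pf_macro WAN </etc/pf.conf)" "$(netstat -rn -f inet | default_route_if)"
```

On the constructed input this reports a mismatch between `wan0` and `tun0`, which is the condition under which the `rdr` and `nat` rules bound to `$WAN` never see a packet.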
 