PF Packet Filter and port redirect

Good day! I need to redirect a server rdp port from my local network to the WAN interface. To have access to it via the link example.com:3389. It works like this:
Code:
rdr on $ext_int proto tcp from any to $ext_int port 3389 -> $my_server_ip port 3389
But if I try this link in a local network it does not work.
I will be glad for any advice.
 
It won't work because the traffic never exits the outside interface. You can't add a redirection on the $int_if either because you cannot bounce traffic out the same interface it came in on.
 
Maybe you didn't understand me, because $ext_int is the name of the external interface. It works from external networks, but it's not reachable from the local network. I've got such rules:
Code:
nat on $ext_int from <local_net> to any -> ($ext_int)
nat on $lan_int from 192.168.XX.0/24 to $my_rdp_server -> ($lan_int)
rdr on $ext_int proto tcp from any to $ext_int port 3389 -> $my_rdp_server port 3389

What am I doing wrong?
 
You're not doing anything wrong except perhaps misunderstand the issue. The problem you are facing is that example.com resolves to your outside address. When a client on the inside tries to connect to it the traffic never exits $ext_if. Because the traffic never travels past $ext_if the redirection is never triggered.

One solution to this problem is by using so-called "split-horizon" DNS. Then your internal clients resolve example.com to an internal address and external clients resolve the external address.
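For reference, an added example that is not from either poster: the "NAT reflection" rule set documented in the PF FAQ, written in the same rdr/nat syntax used in this thread. It lets LAN clients reach the RDP host through the WAN address by redirecting on the LAN interface (where their packets actually arrive) and rewriting the source so replies come back through the firewall. Interface names, addresses and the <rdp_clients> table are placeholders.

```pf
# Macros: interface names and the RDP host are placeholders, adjust to your setup
ext_int = "em0"
lan_int = "em1"
my_rdp_server = "192.168.1.10"
rdp_port = "3389"

# Limit which LAN hosts may use the reflected service (constructed example range)
table <rdp_clients> { 192.168.1.0/24 }

# 1. Outbound NAT for the LAN, as in the original rule set
nat on $ext_int from $lan_int:network to any -> ($ext_int)

# 2. External clients: redirect WAN-side connections to the RDP host
rdr on $ext_int proto tcp from any to $ext_int port $rdp_port -> $my_rdp_server port $rdp_port

# 3. LAN clients connecting to the WAN address: the packets enter on $lan_int,
#    so the redirection has to be applied there, not on $ext_int
rdr on $lan_int proto tcp from <rdp_clients> to $ext_int port $rdp_port -> $my_rdp_server port $rdp_port

# 4. Rewrite the source of those reflected connections to the firewall's LAN
#    address, so the server replies to the firewall instead of directly to the
#    client (a direct reply would never match the state and the handshake fails)
no nat on $lan_int proto tcp from $lan_int to $lan_int:network
nat on $lan_int proto tcp from <rdp_clients> to $my_rdp_server port $rdp_port -> ($lan_int)

# Filter rules: allow only RDP to the redirected host, from the WAN and from the
# permitted LAN clients; everything else stays subject to your existing policy
pass in on $ext_int proto tcp from any to $my_rdp_server port $rdp_port flags S/SA keep state
pass in on $lan_int proto tcp from <rdp_clients> to $my_rdp_server port $rdp_port flags S/SA keep state
```

Note that with reflection the RDP host sees every LAN connection as coming from the firewall's LAN address, so its own logs and any source-based restrictions on the server cannot tell internal clients apart; split-horizon DNS avoids this because internal clients then connect directly.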
 