PF + NAT + port forwarding

Hi to all!

I have a router with a PF firewall. It has a GRE tunnel to another network.
Router1 knows about the network 10.10.10.0/24 and can ping Client2. But Router2 can't ping hosts behind Router1.

Client1 must connect to 10.20.0.1:8080 and get 10.10.10.10:80


An rdr rule can't do this, since it does not change the sender's address.

Help me please

P.S. sorry for my English
 

Attachments

  • Untitled Diagram.png
I suggest taking a closer look at the PF firewall section in the FreeBSD handbook because there are a few things you need to do here.

First look into the nat rule. See also the 'redirecting examples' in pf.conf(5). rdr only changes the destination address (as its name implies it redirects) whereas NAT applies changes to the source address.

The other aspect is that you also need to enable actual forwarding using the net.inet.ip.forwarding option for sysctl(8).

Hope this can help.
 
There's no need for NAT or redirection, you just need to make sure your routing tables on both Router1 and Router2 are correct.
 
ShelLuser, I have "net.inet.ip.forwarding: 1" and the gateway works fine. I understand that I must use rdr and nat, but I don't know how =(

SirDice, I need NAT, because the source address must be 10.20.0.1, and I need a redirect, because the port numbers are different.

Now everything works with rinetd, but it's not stable under 20 Mbps load.
 
You can solve this with NAT but there's no need for it.

Client1 uses Router1 as its gateway, Router1 has a route telling it 10.10.10.0/24 can be found behind 10.20.0.2.
Client2 uses Router2 as its gateway, Router2 has a route telling it 192.168.1.0/24 can be found behind 10.20.0.1.

So, all you need are two static routes, one on each router.
 
SirDice, I have no access to Router2 and can't modify its routing table. Moreover, Router2 can have the network 192.168.0.1 behind it. And I want to be able to change the redirection on my router (Router1) without reconfiguring the clients.
 
That's why it's important to have all the information. In that case you do need NAT. To get the complete picture I need a bit more information though, is the Router1 the FreeBSD machine with PF? And Client1 needs to be able to connect to Client2? Will there be any connection from Client2 to Client1?

Because you are forced to use NAT nothing on the right side of the network (Router2 and Client2) will be able to access the left side of the network (Router1 and Client1) directly. From the right side's point of view the entire left side will be hidden behind the NAT.
 
SirDice, router1: FreeBSD 11.1-RELEASE-p10 with PF. It works as an Internet gateway. No traffic filtering rules are configured (pass in all, pass out all).
Client1 must connect to the in-tunnel IP 10.20.0.1. Not directly to Client2.

Because you are forced to use NAT nothing on the right side of the network (Router2 and Client2) will be able to access the left side of the network (Router1 and Client1) directly. From the right side's point of view the entire left side will be hidden behind the NAT.
Exactly!
 
Client1 must connect to the in-tunnel IP 10.20.0.1. Not directly to Client2.
This doesn't make sense. You typically don't connect to your own end of the tunnel. Connecting to your own end means the packet will never travel through the tunnel. No amount of fiddling with NAT is going to change that. Are you sure you're not supposed to connect to 10.20.0.2?
 
The client must connect to the IP on my side of the tunnel.
This simply cannot be correct.

Client1 sends its packets to Router1; Router1 will look at the destination address and conclude the packet has arrived at its destination. So it's never NAT'ed or routed through the tunnel.

When Client1 connects to Client2, the packets are sent to Router1. Router1 will source NAT the packets (i.e. the source address is changed to 10.20.0.1) and send them to Router2 through the tunnel. Router2 will send the packet to Client2. The response from Client2 will get returned to Router1; Router1 "unNATs" the address and sends it to Client1.

/etc/pf.conf:
Code:
nat on gre0 from 192.168.1.10 to 10.10.10.10 -> (gre0)
Client1 connects to 10.10.10.10:80 and it should "just work".
 
SirDice, now I have rinetd with this config:
Code:
10.20.0.1 8080   10.10.10.10 80

Inside the tunnel I see:
Code:
08:14:59.490303 IP 10.20.0.1.58132 > 10.10.10.10.80: Flags [S], seq 1417316251, win 65535, options [mss 1436,nop,wscale 6,sackOK,TS val 2584110713 ecr 0], length 0
08:14:59.493426 IP 10.10.10.10.80 > 10.20.0.1.58132: Flags [S.], seq 218496036, ack 1417316252, win 5792, options [mss 1460,sackOK,TS val 490254570 ecr 2584110713,nop,wscale 2], length 0
08:14:59.493447 IP 10.20.0.1.58132 > 10.10.10.10.80: Flags [.], ack 1, win 1032, options [nop,nop,TS val 2584110717 ecr 490254570], length 0
08:14:59.493500 IP 10.20.0.1.58132 > 10.10.10.10.80: Flags [P.], seq 1:345, ack 1, win 1032, options [nop,nop,TS val 2584110717 ecr 490254570], length 344

So I think it must be possible to make the same config with PF.
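What the thread keeps circling is the combination of the two translation directions ShelLuser named: an rdr rule on the LAN interface (host and port change) plus a nat rule on the tunnel interface (source address change). The fragment below is an added example pf.conf for Router1, not a configuration anyone in the thread posted. The LAN interface name em0 is an assumption (no post names it); the addresses are the ones from the thread. rdr is applied to a packet when it arrives on the inbound interface, before the routing lookup, which is why a packet addressed to 10.20.0.1:8080 can still be rewritten to 10.10.10.10:80 and then routed out through gre0 instead of being delivered locally.

```pf
# Added example pf.conf for Router1 (FreeBSD 11.x, pre-4.7 pf syntax).
# Assumption: em0 is the LAN interface with 192.168.1.0/24 behind it.
# Prerequisite, as noted in the thread: sysctl net.inet.ip.forwarding=1

int_if = "em0"           # assumed LAN interface
tun_if = "gre0"          # GRE tunnel to Router2, local end 10.20.0.1
lan    = "192.168.1.0/24"
listen = "10.20.0.1"     # address and port the clients are told to use
target = "10.10.10.10"   # real server behind Router2

# pfctl requires this order: options, normalization, queueing,
# translation (nat/rdr), then filter rules.

# Step 1: destination rewrite on the LAN side. Applied on arrival, before
# the routing decision, so the packet is no longer "for this host" and
# follows the route to 10.10.10.0/24 into the tunnel.
rdr on $int_if proto tcp from $lan to $listen port 8080 -> $target port 80

# Step 2: source rewrite on the tunnel side, so Router2 sees 10.20.0.1 and
# can answer even though it has no route back to 192.168.1.0/24.
# ($tun_if) resolves to gre0's own address at runtime.
nat on $tun_if from $lan to $target -> ($tun_if)

# Filtering, stateful: the filter sees the packet after translation
# (destination already 10.10.10.10:80), and the reply matches the same
# state entry that holds both translations, so it is un-NATed on the way back.
pass in  on $int_if proto tcp from $lan       to $target port 80 keep state
pass out on $tun_if proto tcp from ($tun_if)  to $target port 80 keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, then `pfctl -sn` to list the translation rules and `pfctl -ss` to watch the state entries; `tcpdump -ni gre0 port 80` should show the same SYN/SYN-ACK exchange sourced from 10.20.0.1 as the rinetd capture above, only now the translation happens in the kernel per state entry rather than through a userland proxy that copies every byte. If the redirection target is to change later without touching the clients, only the rdr line needs editing; writing the nat rule as `nat on $tun_if from $lan to any -> ($tun_if)` keeps the source rewrite valid for whatever rdr points at.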
 