pf rdr between networks/interfaces

I am trying to configure pf rdr/nat rules to redirect SSH traffic through a different network interface.
More explicitly: webserver:2222 -> wireguard-VPN -> server:2222 (and back).

Apologies, I have found some similar solved threads, but unfortunately either the answer was not posted or it was unrelated :).

* https://forums.freebsd.org/threads/wireguard-peers-cant-reach-each-other-on-ipv6.75991/
* https://forums.freebsd.org/threads/pf-nat-and-rdr-from-host-to-jail.39560/
* https://forums.freebsd.org/threads/pf-rdr-problem-please-help.6161/
* https://forums.freebsd.org/threads/iptables-dnat-equivalent-in-pf.34725/
Additional Context:
I suspect that I've misunderstood something about pf redirection, and that response packets are getting lost.
No packets are being logged as dropped.

* [x] ping server, via VPN (wireguard connection works)
* [x] incoming packets
* [x] VPN's UDP packets (to/from server)
* [x] SSH's TCP packets (using connection brokered by UDP packets -- to wireguard iface, but they never arrive on dest server)

Configs

Code:
# /etc/pf.conf

# 1. Macros
ext_if="vtnet0"
wg_if="wg0"
public_ip="x.x.x.x"
wg_ip="10.0.0.2"
git_ssh_port="2222"

# 2. Tables
table <ssh_allowlist> const { x.x.x.x, ... }

# 6. Translation
nat on $ext_if inet from !($ext_if) to any -> ($ext_if:0)
# note: $gitbox_ip is used below but is not defined in the macros posted above
rdr pass on $ext_if inet proto tcp \
  from any to ($ext_if) port $git_ssh_port \
  -> $gitbox_ip port $git_ssh_port

# 7. Packet Filtering
block log all
pass out all
pass in on {$wg_if, $ext_if} proto tcp to {$public_ip, $wg_ip} port $git_ssh_port
pass in on $wg_if proto icmp
pass in on $wg_if proto tcp from <ssh_allowlist> to port 22
Code:
# /etc/rc.conf

# ...
gateway_enable="YES"
ipv6_gateway_enable="YES"
sshd_enable="YES"

I was hoping someone might have some suggestions; I've spent a few days tackling this and I'm running out of ideas.
Have a wonderful weekend.
 
Hi.
Have you tried capturing packets on the destination server to see if the server receives redirected SSH packets?

Even if the server can receive the redirected packets, it cannot send the responses back through the right interface (wireguard in this case) if it doesn't have a route to the SSH client via the interface.

A more detailed network diagram would help.
Thanks.
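As an added example (not code from the thread or from either poster), here is one way the webserver's rdr can be paired with a source NAT on wg0 so that the server's replies come back through the tunnel, which is the return-path problem the reply above describes; the server's WireGuard address 10.0.0.1 and the macro name server_wg_ip are assumptions, the rest follows the posted config.

```pf
# Webserver /etc/pf.conf (added example, not the thread's file)
# Assumed: the SSH server's WireGuard address is 10.0.0.1 (placeholder),
# this host's wg0 address is 10.0.0.2 as in the post, sshd listens on 2222.
ext_if="vtnet0"
wg_if="wg0"
wg_ip="10.0.0.2"
server_wg_ip="10.0.0.1"        # assumption: the peer's WireGuard address
git_ssh_port="2222"

# Outbound masquerading on the public interface, as in the original post
nat on $ext_if inet from !($ext_if) to any -> ($ext_if:0)

# Redirect inbound TCP/2222 on the public interface to the server behind the tunnel.
# The packet is then forwarded (gateway_enable="YES") and leaves via wg0.
rdr pass on $ext_if inet proto tcp \
  from any to ($ext_if) port $git_ssh_port \
  -> $server_wg_ip port $git_ssh_port

# Rewrite the source of the redirected connection to this host's wg0 address.
# Without this the server sees the client's public IP as the source and sends its
# SYN/ACK out its default route instead of back through WireGuard, so pf on the
# webserver never sees the reply and the handshake stalls. Trade-off: the server's
# sshd logs show 10.0.0.2 rather than the real client IP. The alternative, as the
# reply notes, is a route on the server sending the client range via the tunnel.
nat on $wg_if inet proto tcp from any to $server_wg_ip port $git_ssh_port -> $wg_ip

# 7. Packet filtering (the forwarded SSH packets are already passed by "rdr pass")
block log all
pass out all
pass in on $wg_if proto icmp
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and confirm the flow with `tcpdump -ni wg0 tcp port 2222` on both ends: on the server the SYN should now arrive with source 10.0.0.2, and the SYN/ACK should appear on the webserver's wg0 rather than being lost.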
 