I am trying to configure pf rdr/nat rules to redirect SSH traffic through a different network-interface.
More explicitly,
webserver:2222 --> wireguard-VPN -> server:2222
(and back).
Apologies, I have found some similar solved threads, but unfortunately either the answer was not posted, or it was unrelated:

* https://forums.freebsd.org/threads/wireguard-peers-cant-reach-each-other-on-ipv6.75991/
* https://forums.freebsd.org/threads/pf-nat-and-rdr-from-host-to-jail.39560/
* https://forums.freebsd.org/threads/pf-rdr-problem-please-help.6161/
* https://forums.freebsd.org/threads/iptables-dnat-equivalent-in-pf.34725/
Additional Context:
I suspect that I've misunderstood something about pf redirection, and that response packets are getting lost.
No packets are being logged as dropped.
* [x] ping server, via VPN (wireguard connection works)
* [x] incoming packets
* [x] VPN's UDP packets (to/from server)
* [x] SSH's TCP packets (using connection brokered by UDP packets -- to wireguard iface, but they never arrive on dest server)
Configs
Code:
# /etc/pf.conf
# 1. Macros
ext_if="vtnet0"
wg_if="wg0"
public_ip="x.x.x.x"
wg_ip="10.0.0.2"
# Remote WireGuard peer that should receive the redirected SSH traffic.
# The rdr rule below uses $gitbox_ip but the post does not define it; y.y.y.y is a placeholder.
gitbox_ip="y.y.y.y"
git_ssh_port="2222"
# 2. Tables
table <ssh_allowlist> const { x.x.x.x, ... }
# 6. Translation
# Masquerade traffic from other interfaces behind the primary address of $ext_if.
nat on $ext_if inet from !($ext_if) to any -> ($ext_if:0)
# Redirect inbound TCP $git_ssh_port on the public interface to the WireGuard peer.
rdr pass on $ext_if inet proto tcp \
from any to ($ext_if) port $git_ssh_port \
-> $gitbox_ip port $git_ssh_port
# 7. Packet Filtering
block log all
pass out all
pass in on {$wg_if, $ext_if} proto tcp to {$public_ip, $wg_ip} port $git_ssh_port
pass in on $wg_if proto icmp
pass in on $wg_if proto tcp from <ssh_allowlist> to port 22
Code:
# /etc/rc.conf
# ...
gateway_enable="YES"
ipv6_gateway_enable="YES"
sshd_enable="YES"
I was hoping someone might have some suggestions, I've spent a few days tackling this and I'm running out of ideas.
Have a wonderful weekend.
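A translation section for this topology, added here as an example and not taken from the post: besides the rdr, it source-NATs the redirected connection onto the tunnel address before it leaves $wg_if, so the peer sees a source address that lies inside its AllowedIPs for this host and its replies come back through the same tunnel and the same pf states. $gitbox_ip (the peer's tunnel address) is an assumption, since the post does not define it; it also assumes the peer's AllowedIPs entry for this host already covers $wg_ip, which the working ping implies.

```pf
# /etc/pf.conf -- translation section (added example; assumes the rest of the
# ruleset from the post, and that $gitbox_ip is the peer's WireGuard address)
ext_if="vtnet0"
wg_if="wg0"
wg_ip="10.0.0.2"
gitbox_ip="10.0.0.3"        # assumption: peer's tunnel address, not given in the post
git_ssh_port="2222"

# Outbound masquerading for everything else (unchanged from the post).
nat on $ext_if inet from !($ext_if) to any -> ($ext_if:0)

# Source-NAT the redirected connection as it enters the tunnel. Without this the
# packet leaves wg0 with the Internet client's source address; the peer's
# WireGuard drops it (source not in the AllowedIPs of this host) or answers via
# its own default route, so the reply never matches the rdr state on this host.
nat on $wg_if inet proto tcp from any to $gitbox_ip port $git_ssh_port -> $wg_ip

# Rewrite the destination of inbound public SSH traffic to the peer. Keep "pass"
# here (or add a "pass in on $ext_if ... to $gitbox_ip" filter rule), because
# after rdr the packet's destination is $gitbox_ip, not $public_ip, so a filter
# rule written "to $public_ip" would not match it.
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port $git_ssh_port \
    -> $gitbox_ip port $git_ssh_port

# Outbound filtering sees the already-translated source, so a narrow pass out
# rule can replace "pass out all" if desired.
pass out on $wg_if inet proto tcp from $wg_ip to $gitbox_ip port $git_ssh_port keep state
```

After `pfctl -vnf /etc/pf.conf` and a reload, `pfctl -ss | grep 2222` should show a state for each of the two translations per client connection, and `tcpdump -ni wg0 port 2222` should show the SYN leaving with source 10.0.0.2 rather than the client's public address.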