PF rdr problem

[spaghetti_bolognese]

Hi guys,

I've got a PF rdr problem.

My PF firewall has 2 interface; external which the address has been nat-ed (10.X.X.X) and internal. Within the internal network segment I have 3 servers which has RDP enabled.

Now I have this following syntax on my PF firewall.

rdr on $ext_if proto tcp from any to any port 3389 -> 192.X.X.X

This syntax basically allows my workstation which is on another segment (172.X.X.X) to access 192.X.X.X using RDP through PF firewall external NAT address 10.X.X.X.

However, with that I cannot access the 2 remaining server that is on the internal 192.X.X.X segment.

What I'm trying to achieve is that I can access to all 3 servers on 192.X.X.X segment using RDP without having to enter PF firewall's external NAT address to access any of the 3 server.

I have tried the following syntax

rdr on $ext_if proto tcp from any to any port 3389 -> $int_if

However this does not seem to work.

Any solutions to this? Am I on the right track?

 

[SirDice]

Make sure the other servers have a route to 172.x.x.x.

 

[spaghetti_bolognese]

Hi SirDice,

Thank you for your reply. Yes, all 3 servers have route to 172.X.X.X. I'm able to ping my workstation from any of the 3 server.

To make this easier to understand, I'm going to post up my simple network diagram.

Now Console 1 (my workstation) sits in another network segment which is NAT-ed to 172.X.X.X segment. To access any of my server in the 192.X.X.X segment, it goes through the 172.X.X.X segment network and Firewall 1.

I do not manage the 172.X.X.X network segment and Firewall 1. As such I cannot open any ports or configure any route on Firewall 1. The administrator however assures me that 172.X.X.X is able access PF firewall and that itself should be sufficient.

Currently, the rdr rule

rdr on $ext_if proto tcp from any to any port 3389 -> 192.X.X.X

redirects me one of the server on the 192.X.X.X segment whenever I initiate RDP pointing to PF's external NAT ip which is 10.10.X.X.

What I would like to achieve is that I'm able to access all my 3 servers without having to enter PF firewall's external NAT address. (i.e. When I type 192.168.1.1 on RDP it goes straight to Server 1, etc)

Any idea how I should go about configuring the PF firewall so that Console 1 is able to access all 3 servers independently?

I should also point out that from any of my 3 servers, I'm able to ping to Console 1.

Any advice is greatly appreciated. Thanks in advance.

 

[triumdh]

You write

What I'm trying to achieve is that I can access to all 3 servers on 192.X.X.X segment using RDP without having to enter PF firewall's external NAT address to access any of the 3 server.

For this you would need 3 redirectors on firewall 1 and an additional 3 redirectors on the OpenBSD box.
OR
If you have an RDP client on the servers you could just RDP from server to server without any changes.

 

[SirDice]

The PF firewall NATs so everything is behind one single IP address. The only way to solve it would be to redirect different ports.

rdr on $ext_if proto tcp from any to any port 3389 -> 192.0.0.2 port 3389
rdr on $ext_if proto tcp from any to any port 3390 -> 192.0.0.3 port 3389
rdr on $ext_if proto tcp from any to any port 3391 -> 192.0.0.4 port 3389

Assuming the firewall has 10.10.100.1 as it's external address you connect your TSC to 10.10.100.1:3389, 10.10.100.1:3390 and 10.10.100.1:3391.

 

[pashos]

I have such a problem too, but I've decided to go with rinetd package.