pf rdr rule on gateway with multiple interfaces

Gosh, had a hard time coming up w/ the subject line for my question.

I have a server that's a gateway and is routing wireguard traffic on the wg0 interface and has a nic, let's call it ena0, for the intranet. My current pf configuration allows my wireguard clients to have access to the intranet through nat rules on this gateway.

However, this same gateway also runs various network services on certain ports. I have some rdr rules configured such that traffic coming in on the ena0 interface can be redirected to these services. In addition, it seems that to make these services available for clients coming through the wg0 interface, I have to have an extra rdr rule for that interface as well. Can I avoid this? Can the wg0 packets be routed such that pf running on this gateway server sees the packet arriving on the ena0 interface and thus the single rdr rule on ena0 would apply? To be clear, the clients on the wg0 interface are using the IP address associated with the ena0 interface on the gateway.

It seems that without the rdr rule on the wg0 interface, these packets are not being redirected.

I can provide pf.conf or whatever configs to help clarify my configuration. Let me know if more details are needed.

Thanks!
 
You want to provide more info? You likely need some more redirection rules if traffic has to traverse varying networks/subnets in the host, particularly when you have multiple interfaces. Your rc.conf would also help. Should you set up a route with those interfaces as members, you may not need a redirection.
 
As I was describing my network setup to you, I discovered another symptom that maybe simplifies what I'm having trouble with. My gateway machine (10.120.1.105) is running a jail service on lo0 127.1.0.7 port 8011. My current rules,

Code:
rdr pass on ena0 inet proto tcp from any to any port = 8011 -> 127.1.0.7 port 8011

and routing table,

Code:
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.120.1.1         UGS        ena0
10.1.0.0/16        link#4             US          wg0
10.1.1.9           link#4             UHS         lo0
10.120.1.0/24      link#1             U          ena0
10.120.1.105       link#1             UHS         lo0
127.1.0.7          link#5             UH     bastille

and the bastille0 nic,

Code:
bastille0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 fe80::1%bastille0 prefixlen 64 scopeid 0x5
        inet 127.1.0.7 netmask 0xffffffff
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

(side question: how come the routing table references "bastille" but the nic is actually called bastille0?)

allow me to connect to this jail only through the 127.1.0.7 IP from the gateway.

telnet 127.1.0.7 8011 works fine; however
telnet 10.120.1.105 8011 does not work.

However, other machines on the network are able to connect using 10.120.1.105 8011, and I'm guessing because these packets come in on the ena0 interface and thus the rdr rule applies.

At the top of my pf.conf I have,

Code:
set skip on lo0

which I'm guessing has to be removed. Then, the following rule allows me to access the jail through the 10.120.1.105 IP from the gateway,

Code:
rdr pass on {lo0,ena0} inet proto tcp from any to any port = 8011 -> 127.1.0.7 port 8011

It seems that I have to specify every interface in the rdr rule. Is it possible to simplify this?

During this analysis, I was able to resolve my problem. It looks like bastille uses the variable "ext_if" to set up the rdr rules. In my pf.conf, I did the following,

Code:
ext_if = "{ lo0, wg0, ena0 }"
ext_if_only = "ena0"

and now when bastille starts a jail, it creates these rdr rules,

Code:
rdr pass on lo0 inet proto tcp from any to any port = 8011 -> 127.1.0.7 port 8011
rdr pass on wg0 inet proto tcp from any to any port = 8011 -> 127.1.0.7 port 8011
rdr pass on ena0 inet proto tcp from any to any port = 8011 -> 127.1.0.7 port 8011

and I'm able to access the jail from all the interfaces. Curious if there is an alternative approach. Kinda bummed I have to remove "set skip on lo0". Would I be able to create another network alias, and set up a route for 10.120.1.105 through that alias instead of lo0 so I can leave "set skip on lo0"?
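As an added example (not from the thread or from bastille's own rule generator), here is a pf.conf fragment that reaches the jail from ena0, wg0 and lo0 with a single translation rule, and that narrows the rule to the gateway's own address instead of "from any to any". The addresses and port are the ones quoted in the thread (10.120.1.105, 127.1.0.7, tcp/8011); the macro names are assumptions.

```pf
# Added example, not part of the original thread.
jail_ip   = "127.1.0.7"      # jail address on the bastille0 loopback
gw_ip     = "10.120.1.105"   # the gateway's ena0 address, as quoted in the thread
jail_port = "8011"

# "set skip on lo0" is deliberately left out: the routing table sends
# traffic for the gateway's own address through lo0 ("10.120.1.105 ... UHS lo0"),
# so a connection from the gateway itself enters pf on lo0, and a skipped
# interface is never subjected to rdr at all.
#
# A rule with no "on <interface>" clause is evaluated for every interface
# the packet arrives on, so ena0, wg0 and lo0 are all covered by one line.
# Matching on "to $gw_ip" rather than "to any" keeps the rule from also
# catching forwarded traffic (e.g. a wireguard client talking to some other
# intranet host on port 8011) and redirecting it into the jail.
rdr pass inet proto tcp from any to $gw_ip port $jail_port -> $jail_ip port $jail_port

# Filtering: keep loopback itself open now that lo0 is no longer skipped.
# "rdr pass" above already passes the redirected connections, so no
# separate pass rule for the jail port is needed.
pass quick on lo0
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, and confirm the translation rule pf actually holds with `pfctl -sn`; the rule should appear without an interface name, which is what lets it apply to wg0 and lo0 as well as ena0. The trade-off is that lo0 becomes subject to the rest of the ruleset, so any other loopback-only services need to be allowed explicitly, as the `pass quick on lo0` line does here.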
 