Solved PF redirect ports

I have read many posts and tried the solutions posted, but with no luck. I am trying to
NAT one port from the external IP to another port on an internal IP; the NAT from the
internal LAN actually works (the Squid rule).

The interface bce0 is the external one and bce1 is the internal one.
The internal server IP is 154.2.9.55; on interface bce1 I have two IPs configured
with an alias (192.168.1.0/24 and 154.2.0.0/24).
I am trying to NAT from the external IP on port 2698 to 154.2.9.55 port 2697 (ssh).

My pf rules:

Code:
puertos="{53,3129,3130,3121,3128,2698,80,2697,2696,22,443}"

nat on bce0 from bce1 to any -> bce0

set skip on lo0


rdr pass  inet proto tcp from 192.168.1.0/24 to any  port 80 -> 127.0.0.1  port 3130
rdr pass  inet proto tcp from 154.2.0.0/16 to any  port 80 -> 127.0.0.1  port 3130

rdr pass on bce0  proto tcp from any to bce0 port 2698 -> 154.2.9.55 port 2697

block in on bce0 all
block in on bce1 all


pass in on bce0 inet proto tcp from any to any port 2696 keep state
pass in on bce0 inet proto tcp from any to 154.2.9.55 port 2697 keep state
pass out on bce0 inet proto tcp from any to any port $puertos keep state
pass out on bce0 inet proto udp from any to any port $puertos


pass in on bce1 inet proto tcp from any to any port $puertos keep state
pass in on bce1 inet proto udp from any to any port $puertos

pass in on bce0 proto icmp
pass in on bce1 proto icmp

Any help would be welcome.
 
Do you have this in /etc/rc.conf?

Code:
gateway_enable="YES"

Do you have this sysctl turned on in /etc/sysctl.conf?

Code:
net.inet.ip.forwarding=1

These are both required for NAT to function.
 
Try changing this:

Code:
rdr pass on bce0  proto tcp from any to bce0 port 2698 -> 154.2.9.55 port 2697

To this:

Code:
rdr pass on bce0  proto tcp from any to any port 2698 -> 154.2.9.55 port 2697

I know it doesn't make sense, but the other two rules are working, right? You said Squid was working, and I assume that's running on TCP/80.

If that doesn't work try passing in and out all traffic right below the rdr rules, just to debug the connection.
 
You're trying this from outside your NAT, correct? You're not trying to connect to the external IP from within the LAN? I'm asking because that will not work. The network stack will detect it and it will not pass to the external interface. It's not going to simulate the connection from the external interface just because you specify the external IP.
 
I have already done that, with no luck,
and yes, I have Squid running on port 3130.
 
Yes, I am trying to connect from the outside, not
from the inside.
 
Try passing all inbound and outbound traffic, just to confirm NAT is actually working. If that does not work we're going to have to play with tcpdump. You could also try adding a log statement to your block rules if you have pflog running.

I don't know what version of pf you are running but you should add keep state to all of your outbound rules.
 
One little example, please? I am a newbie in PF.
 
My basic /etc/pf.conf for my Access Point, NAT only.

Code:
ext_if="bce0"
int_if="bce1"
set skip on lo
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
 
Only gateway_enable is required. The sysctl(8) is actually set by this and doesn't need to be explicitly set.
 
Thanks for the tip.

So far I have this (I started from zero to do the tests) and made it simpler and more permissive. I only have one notebook connected to the internal LAN, with sshd enabled and no firewall
active; I can connect to the notebook's ssh from the server itself.

Code:
ext_if="bce0"
int_if="bce1"
set skip on lo0
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

rdr pass on bce0 proto tcp from any to bce0 port 26982 -> 192.168.1.14 port 22

pass in on bce0 inet proto tcp from any to any  keep state
pass out on bce0 inet proto tcp from any to any  keep state

pass in on bce1 inet proto tcp from any to any  keep state
pass out on bce1 inet proto tcp from any to any  keep state

But from outside, nothing...
 
Note that you must test this from outside of your network. You cannot connect to the external address from the LAN and expect the redirect to work because this traffic never actually passes bce0 (and therefore the redirect is never triggered). The redirect is only triggered for traffic originating on the internet.


Note that this:
Code:
rdr pass on bce0 proto tcp from any to bce0 port 26982 -> 192.168.1.14 port 22
Should probably be:
Code:
rdr pass on bce0 proto tcp from any to (bce0) port 26982 -> 192.168.1.14 port 22
The difference is small but important.
 
Yes, I am trying to connect from the outside, from the 4G on my cell phone... but wait... now it connects! :eek:

I am so confused. Is there any difference between

service pf restart

and

pfctl -F all -f /root/fir

? Or is there any delay before PF or the kernel picks up the changes?
 
Too soon to sing victory... I discovered this:

On the server that runs PF, I had two IP addresses on one NIC (bce1), the internal LAN.

On the real address NAT works, but on the alias address it does not.

The IP addresses are:

"real" address 192.168.1.0/24
alias address 154.2.0.0/16

More in depth: on the internal host where I have ssh, 192.168.1.14, I had to add
the default route to 192.168.1.1 (the server that runs PF) to make it work.

So I have to add the server that runs PF as the default route, but the machines
in the LAN already have a default route...
 
Solved!

I added the following NAT rule to my PF rules:

nat on $int_if inet from ! ($int_if) to any -> ($int_if)
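The following /etc/pf.conf is an added example, not a file posted in this thread, that puts the thread's pieces together in one ruleset: outbound NAT on the external interface, the port redirect written with `($ext_if)` in parentheses, the extra `nat on $int_if` rule that makes the forwarded connection return through the firewall even when the LAN host's default route points somewhere else, and filter rules that only admit the redirected traffic instead of passing everything. Assumptions: bce0 is the Internet-facing interface, bce1 the LAN interface whose primary address is 192.168.1.1 (the address the thread names as the PF box), 192.168.1.14 is the LAN host running sshd, and the management networks in the `<admins>` table are hypothetical addresses chosen for the example. `gateway_enable="YES"` in /etc/rc.conf is still required so the kernel forwards packets.

```pf
# Added example, not the thread's own configuration. Assumed names/addresses:
# bce0 = external interface, bce1 = LAN interface at 192.168.1.1,
# 192.168.1.14 = LAN host running sshd, <admins> = hypothetical admin networks.
ext_if   = "bce0"
int_if   = "bce1"
int_addr = "192.168.1.1"
ssh_host = "192.168.1.14"
rdr_port = "26982"

# Hypothetical management networks allowed to reach the forwarded SSH port.
# Exposing an rdr to "from any" makes the LAN host's sshd Internet-facing.
table <admins> { 203.0.113.0/24, 198.51.100.7 }

set skip on lo0

# Masquerade LAN traffic leaving bce0. "(bce0)" re-reads the interface address
# when it changes (DHCP/PPPoE); a bare "bce0" is expanded once at load time.
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

# Port forward: TCP to the external address on 26982 -> LAN host port 22.
rdr on $ext_if inet proto tcp from <admins> to ($ext_if) port $rdr_port \
    -> $ssh_host port 22

# Why the thread needed a second nat rule: after rdr the packet leaves bce1
# with the real client's source address. If the LAN host's default route is
# not this box, its replies go elsewhere and the connection never completes.
# Rewriting the source to the firewall's LAN address as the redirected traffic
# leaves bce1 makes the LAN host reply straight back to 192.168.1.1.
# The thread's rule uses "($int_if)"; the address is given explicitly here
# because bce1 carries two addresses and the result should not depend on
# which one pf chooses. Side effect: sshd on the LAN host logs 192.168.1.1
# as the client, not the real admin address; keep the pf logs for attribution.
nat on $int_if inet proto tcp from any to $ssh_host port 22 -> $int_addr

# Default deny inbound, logged to pflog0 (needs pflog_enable="YES").
block in log all

# Filter rules see the post-translation destination, so match the LAN host
# and port 22, not the external address and 26982.
pass in  on $ext_if inet proto tcp from <admins> to $ssh_host port 22 \
    flags S/SA keep state
pass out on $int_if inet proto tcp from any to $ssh_host port 22 keep state

# LAN hosts out to the Internet (bce1:network expands to both subnets on bce1).
pass in  on $int_if inet from $int_if:network to any keep state
pass out on $ext_if inet all keep state
```

Checks worth running before trusting this: `pfctl -nf /etc/pf.conf` parses the file without loading it; `pfctl -f /etc/pf.conf` replaces the ruleset while keeping existing states, whereas `pfctl -F all` flushes rules, states and tables, so every open connection is dropped; `pfctl -s nat` and `pfctl -s state` show whether the rdr fired and a state was created; `tcpdump -n -e -ttt -i pflog0` shows what the logged `block` rule is dropping. Note also that `service pf restart` loads the file named by `pf_rules` in /etc/rc.conf (by default /etc/pf.conf), not a ruleset kept elsewhere such as /root/fir, so the two commands in the question above can load different rulesets.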
 