IPFW Port Forwarding Question.

I have a FreeBSD box running a VM; the VM accepts SSH on 10.10.10.10:22.

I have the FreeBSD box set up with a VPN to an OpenVPN server; the IP address the OpenVPN server assigns on my local network is 10.1.1.102.

I can SSH to 10.1.1.102 and connect to the server.

When I add this rule to the server I expect to be able to SSH to the VM hosted on the box, but I feel like I'm missing something:
ipfw add 100 fwd 10.10.10.10,22 tcp from any to any 2225 in

With the rule in place, SSH takes a while to time out; without the rule the connection is refused.

If I add this rule I get the expected result of connecting to the FreeBSD box:
ipfw add 100 fwd 127.0.0.1,22 tcp from any to any 2226 in
 
What is the source of the SSH connection (the IP of the SSH client)?
If it's a generic internet address you need some kind of NAT to be able to get the packet back.
If you already have NAT on the VM host you had better use nat redirect_port.
 
Based on googling the NAT idea, I tried this with no success:
ipfw nat 101 config if bge0 redirect_port tcp 10.10.10.10:22 2225

I also added this, with no luck:
ipfw add 102 nat 100 ip4 from 10.10.10.0/24 to me in via bge0
 
Do you use VirtualBox or bhyve? And what network configuration?
bhyve; here is an attached picture to visualize the configuration. Everything is working; I'm just trying to use the VPN as a backdoor with some port forward/NAT on the Client FreeBSD to access local resources.
 

Attachment: FreeBSD NAT issue.jpg
You probably need:
ipfw nat 1 config if bge0 redirect_port tcp 10.10.10.10:22 2225
ipfw add 102 nat 1 ip4 from any to any via bge0

a rule to configure the NAT instance,
and a rule that passes packets through the NAT instance.
You need to pass both packets coming from the internal network, to alias them, and packets coming from the external network, to de-alias them.
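As an added example (not code from the thread), the two rules from the reply above wrapped in a script, plus a check for something visible in the thread: the first attempt, rule 100 with fwd, is numbered below the nat rule at 102, and because ipfw stops at the first matching terminal rule, it would catch port 2225 before the nat rule ever sees the packet. Interface, VM address and ports are the thread's values used as placeholders; the ipfw list output is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the two in-kernel NAT rules the
# last reply describes and checks an "ipfw list" for rules that shadow them.
# Interface, VM address and ports are placeholders taken from the thread.
# In-kernel NAT needs the ipfw_nat module (kldload ipfw_nat) or IPFIREWALL_NAT.

EXT_IF="${EXT_IF:-bge0}"       # interface the SSH client's packets arrive on
VM_IP="${VM_IP:-10.10.10.10}"  # bhyve guest running sshd
VM_PORT="${VM_PORT:-22}"
PUB_PORT="${PUB_PORT:-2225}"   # port exposed on the host
NAT_ID="${NAT_ID:-1}"
NAT_RULE="${NAT_RULE:-102}"

# One rule configures the NAT instance, one passes traffic through it. The pass
# rule carries no "in"/"out": inbound SYNs must be de-aliased to the VM and the
# VM's replies aliased back, so both directions have to hit the instance.
ipfw_nat_rules() {
    printf 'ipfw nat %s config if %s redirect_port tcp %s:%s %s\n' \
        "$NAT_ID" "$EXT_IF" "$VM_IP" "$VM_PORT" "$PUB_PORT"
    printf 'ipfw add %s nat %s ip4 from any to any via %s\n' \
        "$NAT_RULE" "$NAT_ID" "$EXT_IF"
}

# Read "ipfw list" on stdin and report terminal rules (fwd/allow/deny/...) that
# precede the nat rule and already match the exposed port. ipfw stops at the
# first such match, so the nat rule would never see the client's SYN.
# Prints offending rule numbers; exit status 1 if any were found.
find_shadowing_rules() {
    awk -v nat="$NAT_RULE" -v port="$PUB_PORT" '
        $1 + 0 < nat + 0 &&
        $2 ~ /^(fwd|forward|allow|accept|pass|deny|drop|reject)$/ &&
        $0 ~ ("(dst-port|to [^ ]+) " port "( |,|$)") { print $1; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Constructed "ipfw list" output reproducing the thread: the first fwd attempt
# (rule 100) was never deleted and sits in front of the nat rule.
SAMPLE_LIST='00100 fwd 10.10.10.10,22 tcp from any to any 2225 in
00102 nat 1 ip4 from any to any via bge0
65535 deny ip from any to any'

if [ "${DRY_RUN:-1}" = 1 ]; then
    ipfw_nat_rules
    printf '%s\n' "$SAMPLE_LIST" | find_shadowing_rules ||
        echo "delete the rule(s) above before rule $NAT_RULE can take effect"
else                       # on the FreeBSD host: load the rules, then audit them
    ipfw_nat_rules | sh
    ipfw list | find_shadowing_rules
fi
```

With DRY_RUN=0 on the FreeBSD host the script loads the rules and audits the live listing instead of the constructed sample.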
 