It's been a few years since I last used PF to manage my traffic, but my previous experience (2003-2005) was very good so I thought I'd give it a go.
However, I'm having issues with a rdr rule. I'm trying to forward (rdr) HTTP/HTTPS to an internal machine but I can't quite make it work.
My setup:
- Router (FreeBSD 11) with 4 interfaces, igb0-3, external net from DHCP
- igb0, WAN
- igb1, LAN, 172.31.0.0/24 (switched and with a wireless AP in the network)
- igb2, DMZ, 172.31.1.0/24 (stupid name but here is where the web server lives)
- igb3 is currently unused
If I try to connect to my public IP address on port 80 or 443, I simply get no reply. I can use SSH to login to my machine with the same IP from outside of my network so the IP works and at least one of the pass rules works.
If I listen to pflog0 with a log rule for the rdr, I get absolutely nothing:
Code:
tcpdump -i pflog0
This is my ruleset, everything from the current one.
Code:
wan="igb0"
lan="igb1"
dmz="igb2"
tcp = "{ ssh }"
fwd = "{ http, https }"
blf = "172.31.1.254"
# Options
set fingerprints "/etc/pf.os"
set loginterface $wan
set block-policy return
set optimization normal
set limit { states 100000, frags 100000, src-nodes 10000, table-entries 100000 }
set skip on lo0
## Normalisation
scrub in all
## Queuing
## NAT
nat on $wan from {$lan:network, $dmz:network} to any -> ($wan)
# Translation is evaluated before filtering: the redirected packet reaches the
# filter rules with destination $blf, and "rdr pass" passes it without them
rdr pass log on $wan proto tcp from any to any port $fwd -> $blf
antispoof for { $wan, $lan, $dmz }
block all
pass quick on lo0
pass quick from $lan:network to any
pass quick from $dmz:network to any
pass in quick proto tcp from any to any port $tcp keep state
# Matches the pre-translation destination ($wan); by the time filter rules run
# the redirected packets are addressed to $blf, so this rule never matches them
pass in quick proto tcp from any to ($wan) port $fwd
pass out quick on $wan keep state
I'm pretty sure I'm missing something obvious here, but I've tried to read up on how this should be done and have nothing to show for it.
Unrelated but maybe related - I sometimes have issues seeing a samba machine on one subnet from the other. The router is the WINS server which is sent with DHCP to all clients and the samba server on the different subnet is configured to use the router's WINS server as well. Have I missed something with my subnetting?
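One thing worth checking in a ruleset like the one above is whether every inbound pass rule for a redirected port is written against the destination the rdr rule rewrites to, since pf evaluates translation before filtering and the filter rules see the translated destination. The following is an added, hypothetical static checker (not part of pf, pfctl or the poster's setup): it expands pf.conf macros, pairs each `pass in ... port` rule with any `rdr` rule sharing a port, and flags pass rules whose destination is neither `any` nor the rdr target. The sample ruleset inside it is constructed in the same style as the post and adds one extra pass rule, written against the redirect target, to show the form that does match. Because `rdr pass` bypasses the filter rules, a finding on such a redirect means the pass rule is dead rather than that traffic is blocked; the checker reports that distinction.

```python
import re

# Constructed sample ruleset (not the poster's file): macros, the redirect, and
# three inbound pass rules, one of which targets the pre-translation address.
SAMPLE_CONF = '''
wan="igb0"
dmz="igb2"
fwd = "{ http, https }"
blf = "172.31.1.254"
rdr pass log on $wan proto tcp from any to any port $fwd -> $blf
block all
pass in quick proto tcp from any to any port { ssh } keep state
pass in quick proto tcp from any to ($wan) port $fwd
pass in quick on $wan proto tcp from any to $blf port $fwd
'''

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
# rdr [pass] ... port <ports> -> <target>
RDR_RE = re.compile(
    r'^rdr\b(?P<pass>\s+pass)?.*?\bport\s+(?P<ports>\{[^}]*\}|\S+)\s*->\s*(?P<target>\S+)')
# pass in ... to <dst> port <ports>
PASS_IN_RE = re.compile(
    r'^pass\s+in\b.*?\bto\s+(?P<dst>\(\S+\)|\S+)\s+port\s+(?P<ports>\{[^}]*\}|\S+)')


def parse_macros(conf):
    """Collect name -> value for every macro definition line."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(text, macros):
    """Replace $name with its value; loop so macros referring to macros resolve."""
    prev = None
    while prev != text:
        prev = text
        text = re.sub(r'\$(\w+)',
                      lambda m: macros.get(m.group(1), m.group(0)), text)
    return text


def ports_of(spec):
    """'{ http, https }' -> {'http', 'https'}; '80' -> {'80'}."""
    return {p.strip() for p in spec.strip('{} ').split(',') if p.strip()}


def check_redirects(conf):
    """Return (rule, rdr_target, shared_ports, rdr_has_pass) for each inbound
    pass rule that shares a port with an rdr rule but names a destination the
    redirected packet no longer has when the filter rules run."""
    macros = parse_macros(conf)
    rules = [expand(line.strip(), macros) for line in conf.splitlines()]
    rules = [r for r in rules if r and not r.startswith('#')]
    rdrs = [m for m in (RDR_RE.match(r) for r in rules) if m]
    findings = []
    for rule in rules:
        pm = PASS_IN_RE.match(rule)
        if not pm:
            continue
        for rm in rdrs:
            shared = ports_of(pm['ports']) & ports_of(rm['ports'])
            if shared and pm['dst'] not in ('any', rm['target']):
                findings.append((rule, rm['target'], sorted(shared), bool(rm['pass'])))
    return findings


def describe(finding):
    """Human-readable verdict for one finding."""
    rule, target, ports, rdr_pass = finding
    effect = ('the "rdr pass" already passes the redirected packets, so this rule is dead'
              if rdr_pass else
              'the rdr has no "pass", so nothing passes the redirected packets')
    return f'{rule!r}: after rdr the destination is {target} for {", ".join(ports)}; {effect}'


if __name__ == '__main__':
    for f in check_redirects(SAMPLE_CONF):
        print(describe(f))
```

Running it on the sample reports only the rule written to `(igb0)`; the rule written to `172.31.1.254` and the unrelated ssh rule pass the check. The checker only understands the simple `from ... to ... port` shape used in the post, so rules using tables, port ranges or `tag` would need the regexes extended.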