PF redirect only one of the IPs on an interface with pf

[hbauer]

Hi to all,

I have a box where I have 2 IPs on the interface vtnet0

I now want to use pf to redirect the traffic that is address to the second IP on the network to a different server

My current probably wrong approach is:

rdr pass on vtnet0 proto tcp from any to xxx.yyy.ppp.zzz port 443 ->  192.168.1.10 port 443

(IPs and Networks are in variables)

But it seems that this is not working

Any hints or links?
Regards
Hagen

 

[shurik]

Generally speaking your rule is correct. Do you see with tcpdump(1) incoming traffic on vtnet0 interface and redirected on internal? Is a pf box a gateway for 192.168.1.10? What is a value of sysctl net.inet.ip.forwarding?

 

[hbauer]

Hi shurik
forwarding should be enabled

sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

I can see traffic with

tcpdump -i vtnet0 dst host xxx.yyy.ppp.zzz

but

tcpdump -i vtnet0 dst host 192.168.1.10

is silent

 

[covacat]

tcpdump catches packets before nat
so if 192.168.1.x are on a diff iface tcpdump on that

 

[hbauer]

ah. 192.168.1.x is on a wireguard network. When running

tcpdump -i wg0 dst host 192.168.1.10

I can see the traffic. So it seems that the redirect in pf is working but the problem is some where else[/CODE]

 

[covacat]

make sure the vpn remote end will send the packets back and not somewhere else
make sure that the sent back packet is nated to the ip in came on