PF reply-to/rdr problem

I’m having a problem with pf’s rdr and reply-to rules and, being no expert on pf, would appreciate if someone could sanity check my rules.

For reasons I won’t go into, my setup is a little non-standard in terms of the interface types (one is a vlan – but that is effectively little more than an Ethernet interface for pf purposes, whilst the other is a ppp interface via pppd) – but at the end of the day, these are all just IP interfaces.

So I have the following rules…

Code:
ext_if="vlan44"
ext_ip="192.168.77.2"
ext_gw="192.168.77.111"
ppp_peer="192.168.200.2"

rdr on $ext_if from any to $ext_ip -> $ppp_peer
pass in quick on $ext_if reply-to ( $ext_if $ext_gw ) from any to $ppp_peer keep state
This results in, for example, an incoming ICMP packet sent to 192.168.77.2 being redirected onto the PPP link correctly with dest IP changed to 192.168.200.2. The reply comes back across PPP, but is never forwarded out on the external interface (vlan44).

Are my rules broken? I am no pf expert.

I also tried the following (based on an idea I found from googling) with the same results:

Code:
rdr on $ext_if from any to $ext_ip tag PPPTAG -> $ppp_peer
pass in quick on $ext_if reply-to ( $ext_if $ext_gw ) tagged PPPTAG keep state
NOTE: this scenario works fine if (and only if) the initiator of the ping is directly attached to the $ext_if subnet, presumably because the local $ext_if subnet will be present in the routing table – so it works without that reply-to line. This also shows that I have IP forwarding and routing set up correctly (sysctl net.inet.ip.forwarding etc.).
 

I should add that after sending the ICMP reply across PPP, the PPP peer receives an ICMP unreachable packet back in response.
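As an added checklist for the rules above (this is not part of the original post, and it assumes an OpenBSD- or FreeBSD-style pf host with pfctl, route and sysctl available), the script below writes the posted rules to a constructed file, checks that the quotes are plain ASCII (the forum rendering shows typographic ” characters, which pfctl rejects as a syntax error), and then runs the parse-only check and the state/route inspections a practitioner would look at while chasing a reply that never leaves the external interface. The live checks are skipped on a host without pf.

```shell
#!/bin/sh
# Added example, not code from the original post. Writes the poster's rules
# to a constructed pf.conf, validates the quoting, and runs pf diagnostics.

PF_CONF="${PF_CONF:-/tmp/pf-replyto-test.conf}"   # assumed scratch path

# Write the rules exactly as posted (with ASCII quotes). Prints the path.
write_conf() {
  cat > "$PF_CONF" <<'EOF'
ext_if="vlan44"
ext_ip="192.168.77.2"
ext_gw="192.168.77.111"
ppp_peer="192.168.200.2"

rdr on $ext_if from any to $ext_ip -> $ppp_peer
pass in quick on $ext_if reply-to ( $ext_if $ext_gw ) from any to $ppp_peer keep state
EOF
  printf '%s\n' "$PF_CONF"
}

# Return 0 if the file uses only ASCII double quotes, 1 if it contains the
# typographic quotes U+201C/U+201D that a copy-paste from a web page can carry.
check_quotes() {
  if grep -qF -e '“' -e '”' "$1"; then
    return 1
  fi
  return 0
}

# Live diagnostics: parse-only load, states for the ppp peer, the route used
# for the peer, and the forwarding sysctl the poster mentions.
diagnose() {
  if ! command -v pfctl >/dev/null 2>&1; then
    echo "pfctl not present on this host; skipping live checks" >&2
    return 0
  fi
  pfctl -nf "$PF_CONF"                      # syntax check without loading
  pfctl -ss | grep 192.168.200.2 || true    # states created by the pass in rule
  route -n get 192.168.200.2 || true        # which interface reaches the peer
  sysctl net.inet.ip.forwarding || true
  # To watch the reply itself, log the pass rule ("pass in log quick ...")
  # and run: tcpdump -n -e -ttt -i pflog0
}

conf=$(write_conf)
if check_quotes "$conf"; then
  echo "quotes OK in $conf"
else
  echo "typographic quotes found in $conf; replace them with ASCII \" before loading" >&2
fi
diagnose
```

The quote check matters because pfctl reports a parse error on the ” character, so a rule set that looks correct on screen may never have loaded at all; confirming the ruleset actually parsed is the first thing to establish before reasoning about rdr and reply-to behaviour.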
 