Need help for pf NAT redirection

Hi,

I am using PF for NAT. There is an HTTPS server in the internal network, IP 172.16.0.250, and I need port forwarding so that any internet user can access it.

With pf rule,
Code:
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> 172.16.0.250
It only works for an internet user outside the NAT, not for an internal user. Internal users inside the NAT fail to access external IP:443, because DNS is set to the external IP.

I Googled for a long time; it seems to be a pf NAT redirection problem, but I can't find any solution for FreeBSD. Any idea?

OS: FreeBSD 9.0-RELEASE
Code:
## pf.conf
ext_if="bce0"
int_if="bce3"
office="172.16/12"
no nat on $ext_if proto gre from any to any
nat on $ext_if inet from $office to any -> $ext_if
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> 172.16.0.250
pass all
 
You can't bounce packets out of the same interface they came in.

Simple solution? Split DNS. Use a local DNS with local addresses on your internal network.
 
Like SirDice said, you can't connect to a server that is in the same network as your client via pf NAT.

There is some explanation here about this problem and some solutions. The cleanest is DNS split, but there are others that should do the job.
 
kisscool-fr said:
Like SirDice said, you can't connect to a server that is in the same network as your client via pf nat.

There is some explanation here about this problem and some solutions. The cleanest is dns split, but there are others that should do the job.

I have read that article; that's for OpenBSD, not FreeBSD. There is no syntax for rdr-to, received-on or nat-to in FreeBSD's pf. The problem is also called NAT loopback; there is a solution for other firewalls, and I hope FreeBSD pf can do it too.
 
Yeah, that's right. FreeBSD's pf syntax is old style. But ...

You can add a line like this in your /etc/inetd.conf

Code:
5000 stream tcp nowait proxy /usr/bin/nc nc -w 20 172.16.0.250 443

and start inetd.

Then at the end of your /etc/pf.conf replace "pass all" by

Code:
rdr on $int_if proto tcp from $int_if:network to ($ext_if) port 443 -> 127.0.0.1 port 5000
pass all
pass in quick on $int_if proto tcp from $int_if:network to ($ext_if) port 443


If I'm not wrong, it should do the trick :)
 
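The reflection trick from the OpenBSD PF FAQ, rewritten in the old-style syntax that FreeBSD 9.0's pf accepts, so internal clients can reach the server through the public address without inetd. This is an added example, not from any post in this thread; it reuses the macros and addresses from the OP's pf.conf and assumes a `web_srv` macro for 172.16.0.250.

```pf
## pf.conf - NAT reflection for internal clients, old-style syntax
ext_if="bce0"
int_if="bce3"
office="172.16/12"
web_srv="172.16.0.250"      # assumed macro for the internal HTTPS server

# Outbound NAT for the office, unchanged from the original config
no nat on $ext_if proto gre from any to any
nat on $ext_if inet from $office to any -> $ext_if

# Internet clients: redirect ext_if:443 to the internal server
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> $web_srv

# Internal clients that resolve the public name: apply the same redirect,
# but on the internal interface where their packets actually arrive
rdr on $int_if inet proto tcp from $office to ($ext_if) port 443 -> $web_srv

# Without this, the server would answer the client directly on the LAN and
# the client would drop the reply (it expects it from the public IP).
# Source-NAT the reflected connections to the firewall's internal address so
# the server's replies come back through pf and get un-translated.
# The server then sees every reflected client as $int_if, so its logs
# lose the real client address for those connections.
no nat on $int_if proto tcp from $int_if to $office
nat on $int_if inet proto tcp from $office to $web_srv port 443 -> $int_if

pass all
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; pfctl rejects any `port` clause that is not paired with `proto tcp` or `proto udp`.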