Need help for pf NAT redirection


Postby hshh » 22 Feb 2012, 08:35

Hi,

I am using PF for NAT. There is an HTTPS server in the internal network, IP 172.16.0.250, and I need to port-forward it so that any Internet user can access it.

With the pf rule,

rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> 172.16.0.250

it only works for an Internet user outside the NAT, not for an internal user. Internal users inside the NAT fail to reach external-IP:443, because DNS resolves the name to the external IP.

I googled for a long time; it seems to be a pf NAT redirection problem, but I can't find any solution for FreeBSD. Any idea?

OS: FreeBSD 9.0-RELEASE
## pf.conf
ext_if="bce0"
int_if="bce3"
office="172.16/12"
no nat on $ext_if proto gre from any to any
nat on $ext_if inet from $office to any -> $ext_if
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> 172.16.0.250
pass all

Postby SirDice » 22 Feb 2012, 10:32

You can't bounce packets out of the same interface they came in on.

Simple solution? Split DNS. Use a local DNS with local addresses on your internal network.

Postby kisscool-fr » 22 Feb 2012, 10:46

Like SirDice said, you can't connect to a server that is in the same network as your client via pf NAT.

There is some explanation here about this problem and some solutions. The cleanest is split DNS, but there are others that should do the job.
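For readers on the old nat/rdr syntax, here is what the "other solutions" look like when written against the pf.conf posted above: the reflection rules from the classic pf FAQ (rdr on the inside interface plus a source NAT so the reply returns through the gateway). This is an added example, not code from any of the posters; the variable name https_srv is mine, and it assumes FreeBSD 9 pf with the translation rules kept ahead of the filter rules, as pfctl requires.

```pf
## /etc/pf.conf  (FreeBSD 9.x, old nat/rdr syntax)
ext_if="bce0"
int_if="bce3"
office="172.16/12"
https_srv="172.16.0.250"        # assumed macro name for the inside HTTPS server

# --- translation rules (must precede the filter rules; first match wins) ---
no nat on $ext_if proto gre from any to any
nat on $ext_if inet from $office to any -> $ext_if

# Outside clients: the ordinary port forward from the original post.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> $https_srv

# Inside clients that connect to the external address (NAT reflection):
# 1. rewrite the destination as the packet arrives on the inside interface ...
rdr on $int_if inet proto tcp from $office to ($ext_if) port 443 -> $https_srv
# 2. ... exclude the gateway's own traffic to the LAN from the source NAT below ...
no nat on $int_if proto tcp from $int_if to $office
# 3. ... and source-NAT the reflected connection to the gateway's inside address,
#    so the server replies to the gateway (which un-NATs it) instead of straight
#    to the client, which would drop a reply from an address it never talked to.
nat on $int_if inet proto tcp from $office to $https_srv port 443 -> $int_if

# --- filter rules ---
pass all
```

Check it with `pfctl -nf /etc/pf.conf` before loading. The trade-off to know about: because of rule 3, the HTTPS server sees every reflected connection as coming from the gateway's inside address, so its access logs lose the real client IP for internal users; split DNS has no such side effect, which is why it is the cleaner fix.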

Postby hshh » 22 Feb 2012, 10:55

kisscool-fr wrote:Like SirDice said, you can't connect to a server that is in the same network as your client via pf NAT.

There is some explanation here about this problem and some solutions. The cleanest is split DNS, but there are others that should do the job.


I have read that article; that's for OpenBSD, not FreeBSD. There is no rdr-to, received-on or nat-to syntax in FreeBSD's pf. The problem is also called NAT loopback; there is a solution for other firewalls, and I hope FreeBSD pf can do it.

Postby kisscool-fr » 22 Feb 2012, 12:05

Yeah, that's right. FreeBSD's pf syntax is old style. But ...

You can add a line like this in your /etc/inetd.conf

# service  socket  proto  wait    user   server       arguments
# Listen on TCP 5000 as user "proxy"; for every connection inetd forks nc,
# which relays the stream to the internal HTTPS server (20 s idle timeout).
5000 stream tcp nowait proxy /usr/bin/nc nc -w 20 172.16.0.250 443


and start inetd.

Then at the end of your /etc/pf.conf replace "pass all" by

# Inside clients that hit the external address on 443 are bounced to the
# local inetd proxy on 127.0.0.1:5000, which opens the real connection
# to 172.16.0.250:443 from the gateway itself.
rdr on $int_if inet proto tcp from $int_if:network to ($ext_if) port 443 -> 127.0.0.1 port 5000
pass all
pass in quick on $int_if inet proto tcp from $int_if:network to ($ext_if) port 443



If I'm not wrong, it should do the trick :)

Postby hshh » 22 Feb 2012, 15:15

Thanks kisscool-fr.
Following your tips, I have now solved this problem. I switched to net/portfwd so that inetd does not fork nc for every connection.