NAT works but port redirection does not work on IPNAT and PF

Zeno Lee zeno_lee at hotmail.com
Wed Dec 15 10:11:01 PST 2004


It seems I somehow didn't set up my FreeBSD gateway properly.  I am 
trying to use my FreeBSD server as a NAT with port redirection.  NAT works 
fine, but when I use port redirection to redirect requests from my external 
interface em0 160.79.174.98:80, the request makes it to my internal web 
server 192.168.1.54 but the response is not being returned back out to the 
requester.  I've tried both PF and IPFILTER and they both have the same 
issue.

Here is my setup:

                     Internet ----- 24.215.185.142 (External web requester)
                        |
                        |
                       em0 (160.79.174.98/29)
                FreeBSD 5.3 STABLE (PF, ALTQ compiled, gateway_enabled)
                       em1 (192.168.1.55/24)
                        |
                        |
                       LAN -- Web Server (192.168.1.54)
                        |
                        |---- NAT client (192.168.1.100) accesses the internet 
fine

I've done the dumps and:

# tcpdump -n -i em0 dst host 160.79.174.98 and tcp dst port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
12:51:57.118746 IP 24.215.185.142.1343 > 160.79.174.98.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
12:52:00.153017 IP 24.215.185.142.1343 > 160.79.174.98.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
12:52:06.167832 IP 24.215.185.142.1343 > 160.79.174.98.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>

# tcpdump -n -i em1 host 192.168.1.54
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
12:51:57.118772 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
12:51:57.118967 arp who-has 192.168.1.1 tell 192.168.1.54
12:52:00.153045 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
12:52:06.167855 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>



I don't think my port forwarding setup in IPFILTER or PF is the cause, but 
I've listed it just in case.

/etc/pf.conf
nat on em0 from em1:network to any -> (em0)
rdr on em0 proto tcp from any to em0 port 80 -> 192.168.1.54 port 80


My IPFILTER rule is just as simple:
/etc/ipnat.conf
map em0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto
rdr em0 0.0.0.0/0 port 80 -> 192.168.1.54 port 80

# ipnat -l
List of active MAP/Redirect filters:
rdr em0 0.0.0.0/0 port 80 -> 192.168.1.54 port 80 tcp
map em0 192.168.0.0/16 -> 0.0.0.0/32 portmap tcp/udp auto

List of active sessions:
RDR 192.168.1.54    80    <- -> 160.79.174.98   80    [24.215.185.142 1332] 


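The two captures above show exactly what a LAN-side trace of a working rdr should contain and does not: translated SYNs arriving at the server, but no SYN-ACKs coming back, and the server ARPing for a next hop. The script below is an added example, not part of the post; it parses a constructed copy of the em1 trace in the old tcpdump line format shown above and reports unanswered clients and which gateway address the server resolves, compared against the firewall's LAN address (192.168.1.55 from the diagram). The sample capture and the comparison address are assumptions taken from the post.

```python
import re
from collections import Counter

# Constructed sample, mirroring the em1 trace in the post (old tcpdump format,
# where a SYN-ACK appears as "S ... ack N ..." rather than "Flags [S.]").
EM1_CAPTURE = """\
12:51:57.118772 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
12:51:57.118967 arp who-has 192.168.1.1 tell 192.168.1.54
12:52:00.153045 IP 24.215.185.142.1343 > 192.168.1.54.80: S 2887552006:2887552006(0) win 65535 <mss 1460,nop,nop,sackOK>
"""

TCP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)")
ARP_RE = re.compile(r"arp who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)")


def analyse_rdr_capture(capture, server_ip, server_port, firewall_lan_ip):
    """Summarise a LAN-side capture of a redirected service: which clients'
    SYNs reached the server without a SYN-ACK coming back, how often each
    client retransmitted, and which addresses the server ARPed for."""
    syn_in = Counter()      # (client_ip, client_port) -> SYNs delivered to server
    synack_out = Counter()  # (client_ip, client_port) -> SYN-ACKs sent by server
    arp_targets = set()     # addresses the server itself asked for via ARP
    for line in capture.splitlines():
        m = TCP_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            is_synack = flags == "S" and " ack " in line
            if dst == server_ip and dport == str(server_port) and flags == "S" and not is_synack:
                syn_in[(src, sport)] += 1
            elif src == server_ip and sport == str(server_port) and is_synack:
                synack_out[(dst, dport)] += 1
            continue
        m = ARP_RE.search(line)
        if m and m.group(2) == server_ip:
            arp_targets.add(m.group(1))
    return {
        "unanswered_clients": {k: n for k, n in syn_in.items() if synack_out[k] == 0},
        "syn_retransmits": {k: n for k, n in syn_in.items() if n > 1},
        "arp_targets": sorted(arp_targets),
        # False means the server's next hop is not the firewall's LAN address,
        # so its replies would never reach the NAT state that the rdr created.
        "server_arps_for_firewall": firewall_lan_ip in arp_targets,
    }


if __name__ == "__main__":
    print(analyse_rdr_capture(EM1_CAPTURE, "192.168.1.54", 80, "192.168.1.55"))
```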