gateway machine port redirect question

Warren Block wblock at wonkity.com
Mon Feb 22 02:25:14 UTC 2016


On Sun, 21 Feb 2016, Julian Elischer wrote:

> On 20/02/2016 6:22 PM, Valeri Galtsev wrote:
>> Dear Experts,
>> 
>> I'm one of Linux refugees who several years ago migrated majority of
>> servers from Linux to FreeBSD and is happy since. When recently I needed
>> to set up gateway (Firewall + NAT) machine, I set up FreeBSD 10.2 on it,
>> used ipfw and natd, and all works well, machines behind gateway on LAN can
>> happily reach real network. I hit one snag later though: When I tried to
>> redirect TCP traffic on some port to machine on internal private network
>> behind gateway, whatever I do doesn't work.
>> 
>> Could somebody point to simple example (it doesn't matter which components
>> are involved, I don't feel married to ipfw and natd) for FreeBSD 10.2 that
>> makes the machine gateway, and one of the ports of traffic coming from
>> public network is redirected to machine on private network behind gateway.
>> Something I can reproduce that works, which I then will gradually convert
>> into what I need. Other way around: adding redirection to already working
>> (and a bit sophisticated) gateway I set up appears to be beyond my mental
>> abilities: a couple of weeks of frustration confirm it to me.
>> 
>> I really do not want to go back to Linux to do this, even though I feel I
>> can do it based on Linux in a course of an hour or two - I've set up a few
>> of them in the past using Linux, that's the longest it took me in my
>> recollection.
>> 
> This CAN be done but it gets tricky.
>
> Usually we do NAT on the external interface. The trouble is that you don't 
> want that traffic to go through the external interface, but to get routed 
> back in.
> You really should add a special rule group that traps the packets as they 
> come in on the internal interface and sends them to nat if they are destined 
> for the other internal machine (and the return packets).
>
> I have never done this so when you work it out let us know :-)

I understood this to be just a standard redirect from the outside 
interface to a server inside the LAN.  To redirect inside traffic to 
that same machine takes another redirect and NAT rule:

nat on $int_if proto tcp from $internal_net to $webserver port 80 -> $int_if
rdr on $int_if proto tcp from $internal_net to $internal_addr port 80 -> $webserver port 80

Adapted from my rules for a different type of server, so might need 
adjustment.  Again, this is PF.
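A complete pf.conf that puts the two pieces discussed in this thread together, as an added example (this is not Warren's ruleset and not from the FreeBSD project; it is written for the nat/rdr syntax that PF on FreeBSD 10.2 uses). The interface names em0/em1, the LAN 192.168.1.0/24 and the web server 192.168.1.10 are constructed for illustration; the rule for LAN clients is the "reflection" case Julian describes, where the redirect alone is not enough because the server would answer the client directly and the client would discard the reply:

```pf
# /etc/pf.conf for a FreeBSD 10.2 gateway: NAT for the LAN, one inbound port
# redirected to an internal host, plus reflection so LAN clients can use the
# public address too. Names and addresses below are constructed examples.
ext_if = "em0"                  # public side (assumed interface name)
int_if = "em1"                  # LAN side (assumed interface name)
internal_net = "192.168.1.0/24" # constructed LAN prefix
webserver = "192.168.1.10"      # constructed address of the internal server

set skip on lo0
scrub in all

# Outbound NAT: LAN hosts leave with the gateway's public address.
# The parentheses make pf pick up the current address if it is dynamic.
nat on $ext_if from $internal_net to any -> ($ext_if)

# Inbound redirect: TCP port 80 arriving on the public interface is
# rewritten to the internal server before the filter rules see it.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $webserver port 80

# Reflection for LAN clients that connect to the public address:
#  1. redirect the connection to the server, as above;
#  2. do not NAT the gateway's own traffic to the LAN;
#  3. NAT the client's source to the gateway's LAN address, so the server
#     replies to the gateway and the reply is un-translated on the way back
#     instead of going straight to the client with an unexpected source.
rdr on $int_if proto tcp from $internal_net to ($ext_if) port 80 -> $webserver port 80
no nat on $int_if proto tcp from $int_if to $internal_net
nat on $int_if proto tcp from $internal_net to $webserver port 80 -> ($int_if)

# Filtering. rdr only rewrites addresses; it does not admit traffic, so the
# inbound pass rule is still needed, and it must match the address the
# packet has AFTER translation (the server, not the public address).
block in log all
pass out quick keep state
pass in on $int_if from $internal_net to any keep state
pass in on $ext_if proto tcp from any to $webserver port 80 flags S/SA keep state
```

To use it: set gateway_enable="YES" and pf_enable="YES" in /etc/rc.conf (the former turns on net.inet.ip.forwarding), check the syntax with pfctl -nf /etc/pf.conf, then load it with pfctl -f /etc/pf.conf. A redirect that "does nothing" is usually either the missing pass rule on the translated destination or a test run from inside the LAN without the reflection rules; pfctl -s state shows whether the translation happened, and tcpdump -ni pflog0 shows what the block rule dropped.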


More information about the freebsd-net mailing list