pf rdr not redirecting completely

Patrick Goggins pgoggins at cc.edu
Tue Mar 24 20:46:32 PDT 2009


The problem is with the client being behind the transparent bridged interface: the management interface is not part of the bridge, and when clients hit the rdr rule without hitting the IP stack, it will not work without an addressed bridge. To work around this, I've noticed some references to using the explicit route-to option, but I have been getting a syntax error:

Rdr pass in on $int_if route-to lo0 proto tcp from any to any port 80 -> 127.0.0.1 port 80

What am I missing with this syntax?


~Patrick


-----Original Message-----
From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org] On Behalf Of Patrick Goggins
Sent: Wednesday, March 18, 2009 8:20 AM
To: freebsd-pf at freebsd.org
Subject: pf rdr not redirecting completely (Correction)

Slight correction:

Working rule
rdr on $int_if proto tcp from 172.20.0.0/16 to any port {80, 443} -> 172.20.5.239 port 80

rule attempting but does not work
rdr on $int_if proto tcp from 172.20.0.0/16 to any port {80, 443} -> 172.20.5.240 port 80


~Patrick

-----Original Message-----
From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org] On Behalf Of Patrick Goggins
Sent: Wednesday, March 18, 2009 8:17 AM
To: freebsd-pf at freebsd.org
Subject: pf rdr not redirecting completely

I'm running into a problem with a transparent bridge and the rdr functionality where, when a device hits the rule, it is being redirected but is unable to fully connect to the server.


Pf is set to skip on the management, external, and bridged interfaces; filtering is just on the internal interface.

Eth0: 172.20.5.240 (management interface, also serving apache pages)
Eth1: external, non-addressed
Eth2: internal, non-addressed
Bridge0: bridge between Eth1 and Eth2
Eth0 and Eth1 are on the same vlan

[Lan where 172.20.5.240 resides]---[managed switch]---[external interface]----[bridge0]-----[internal interface]------[unmanaged switch]------[test system]

Here's the rule I'm trying to run:

rdr on $int_if proto tcp from 172.20.0.0/16 to any port {80, 443} -> 172.20.68.31 port 80

Additionally, the following rules apply:

pass quick on $int_if proto tcp from any to any


When testing the rdr rule on another IP, 172.20.5.239 (another physical server), the rule works correctly. I'm thinking it's having issues going out and then coming back in because it's seeing the request twice and dropping it???



~Patrick
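For reference, the rdr-plus-route-to combination the thread is reaching for, written as an added example in the classic FreeBSD pf syntax of that era (this is not a rule set from the thread, and the interface name and the local listener are assumptions). The point it illustrates is that route-to is not part of the rdr grammar, which is why the quoted rule fails to parse; it goes on the pass rule that matches the already-translated packet.

```pf
# Added example, not the poster's configuration. Assumptions: "em2" is the
# internal, non-addressed bridge member; pf filters on bridge members
# (net.link.bridge.pfil_member=1); a web server listens on 127.0.0.1:80 on the
# bridge host itself.
int_if = "em2"
lan    = "172.20.0.0/16"

# The redirect stays a plain rdr. No route-to here: rdr does not accept it.
rdr on $int_if proto tcp from $lan to any port {80, 443} -> 127.0.0.1 port 80

# Translation happens before filtering, so the pass rule sees the translated
# destination. route-to lo0 hands the packet to the local IP stack instead of
# letting it be bridged onward, which is the step a non-addressed bridge
# member otherwise cannot take.
pass in quick on $int_if route-to lo0 proto tcp from $lan to 127.0.0.1 port 80 keep state

# Remaining traffic across the internal member is left as in the thread.
pass quick on $int_if proto tcp from any to any
```

Check the file without loading it with `pfctl -nf /etc/pf.conf`; once loaded, `pfctl -sn` shows the translation rules and `pfctl -ss` the states, so a redirected connection can be confirmed to be reaching 127.0.0.1 rather than leaving the bridge.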

