PF port forward problem with Sonicwall VPN (revisited)

andy thomas andy at time-domain.co.uk
Tue Mar 22 09:23:00 UTC 2011


At the end of January I posted this message (see below) regarding a 
problem with forwarding incoming traffic on port 444 to an internal IP 
address on port 443. At the time I didn't get very far with this and the 
problem "went off the boil" a bit after we upgraded the ShrewSoft VPN 
installations on the remote Windows PCs to the latest available version 
and this works fine with the existing IPSec installation on the firewall, 
which has taken the pressure off me.

But I've now started looking at the problem afresh and after logging into 
the Sonicwall VPN appliance's web interface from a local PC, there is a 
diagnostic ping utility on the Sonicwall - it is possible to ping the 
internal firewall interface vr1 (which uses the IP address 192.168.30.1) 
but attempts to ping the external interface on vr0 or any external address 
fail. The pf ruleset remains as before:

 	ext_if="vr0"			# external IP address
 	int_if="vr1"			# 192.168.30.1
 	sonicwall="192.168.30.28"

 	rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $sonicwall port 443

An almost identical rule is used for a webmail server except that there is 
no port address translation (i.e., external port 443 forwards directly to 
internal port 443) and this has no problems.

Clearly something is missing from my Sonicwall rule that is blocking 
traffic from the Sonicwall to the external interface - as I'm doing PAT as 
well as NAT in this instance, do I need to add an additional rule(s)?

Andy

---------- Forwarded message ----------
Date: Fri, 28 Jan 2011 08:49:27 +0000 (GMT)
From: andy thomas <andy at time-domain.co.uk>
To: freebsd-pf at freebsd.org
Subject: PF port forward problem with Sonicwall VPN

I'm maintaining some OpenBSD-based firewalls and have been really stumped with 
a problem when trying to add a Sonicwall VPN appliance behind the firewall, and 
thought I'd ask here for help.

The Sonicwall device uses SSL on port 443 for its external VPN traffic and 
listens on other ports for internal LAN traffic, and it uses a single network 
interface for this. On our installation, there is a webmail server behind the 
firewall listening on port 443 and the existing PF rule for this is 
(abbreviated for clarity):

ext_if="vr0"
int_if="vr1"

webmail="192.168.30.14"

rdr pass log on $ext_if proto tcp from any to $ext_if port 443 -> $webmail port 443

This works fine, so as external port 443 is already in use for webmail, I 
decided to use external port 444 for the Sonicwall and added these two extra 
rules:

sonicwall="192.168.30.28"

rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $sonicwall port 443

However, the Sonicwall cannot be accessed from the external port 444, although 
it can be accessed internally on port 443 of course. I have tested this 
rule by changing it to point to the webmail server like this:

rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $webmail port 443

and this works fine as I can access webmail on port 444. But why can't I access 
the Sonicwall on port 444? Does anyone know if the Sonicwall uses additional 
ports, or has anyone got this device to work with a PF-based firewall?

Thanks in advance for any suggestions,

Andy
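An rdr rule of the kind quoted above rewrites only the destination address and port of the inbound packet; the internal host still sees the external client's real source address, so its replies have to be routed back through the firewall and covered by an outbound nat rule on the same external interface, or the forward will pass traffic one way only. The script below is an added example written for this thread, not Andy's ruleset or anything from the pf project: it parses a small constructed pf.conf excerpt in the same pre-OpenBSD-4.7 style as the rules above (separate nat and rdr rules, macros such as $ext_if), expands the macros, and reports for each rdr target whether the external port differs from the internal one (PAT) and whether an outbound nat rule on that interface covers the target host. The 192.168.30.0/24 network behind vr1 and the nat line itself are assumptions for the example.

```python
"""Sanity-check pf rdr forwards against outbound nat coverage (constructed example)."""
import ipaddress
import re

# Constructed pf.conf excerpt modelled on the rules in the thread; the internal
# network 192.168.30.0/24 and the nat rule are assumptions, not the poster's config.
SAMPLE_PF_CONF = """
ext_if="vr0"
int_if="vr1"
webmail="192.168.30.14"
sonicwall="192.168.30.28"

nat on $ext_if from 192.168.30.0/24 to any -> ($ext_if)

rdr pass log on $ext_if proto tcp from any to $ext_if port 443 -> $webmail port 443
rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $sonicwall port 443
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$')
RDR_RE = re.compile(
    r'^\s*rdr\s+(?P<opts>(?:pass\s+|log\s+)*)on\s+(?P<ifc>\S+)\s+proto\s+(?P<proto>\w+)'
    r'\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)\s+port\s+(?P<extport>\d+)'
    r'\s*->\s*(?P<target>\S+)(?:\s+port\s+(?P<intport>\d+))?\s*$')
NAT_RE = re.compile(
    r'^\s*nat\s+on\s+(?P<ifc>\S+)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)'
    r'\s*->\s*(?P<target>\S+)\s*$')


def expand_macros(text):
    """Collect name="value" macro lines and substitute $name in the remaining lines."""
    macros, lines = {}, []
    for line in text.splitlines():
        line = line.split('#', 1)[0].rstrip()   # drop comments and blank lines
        if not line.strip():
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        lines.append(line)

    def sub(m):
        if m.group(1) not in macros:
            raise ValueError(f"undefined macro ${m.group(1)}")
        return macros[m.group(1)]

    return [re.sub(r'\$(\w+)', sub, ln) for ln in lines]


def parse_rules(text):
    """Return (rdr_rules, nat_rules) parsed from the macro-expanded text."""
    rdrs, nats = [], []
    for line in expand_macros(text):
        m = RDR_RE.match(line)
        if m:
            rdrs.append({
                'ifc': m['ifc'], 'proto': m['proto'],
                'ext_port': int(m['extport']), 'target': m['target'],
                # with no trailing "port N" the internal port equals the external one
                'int_port': int(m['intport'] or m['extport']),
                'passes': 'pass' in m['opts'].split(),
            })
            continue
        m = NAT_RE.match(line)
        if m:
            nats.append({'ifc': m['ifc'], 'src': m['src'], 'target': m['target']})
    return rdrs, nats


def _covers(src_spec, host):
    """Does a nat 'from' spec (any, a host, or a CIDR) cover the given host?"""
    if src_spec == 'any':
        return True
    try:
        return ipaddress.ip_address(host) in ipaddress.ip_network(src_spec, strict=False)
    except ValueError:
        return False   # e.g. vr1:network, which cannot be resolved offline


def check_forwards(text):
    """One finding per rdr rule: target, PAT flag, implicit pass, outbound nat coverage."""
    rdrs, nats = parse_rules(text)
    findings = []
    for r in rdrs:
        has_nat = any(n['ifc'] == r['ifc'] and _covers(n['src'], r['target']) for n in nats)
        findings.append({
            'target': f"{r['target']}:{r['int_port']}",
            'ext_port': r['ext_port'],
            'pat': r['ext_port'] != r['int_port'],
            'pass_rule': r['passes'],
            'outbound_nat': has_nat,
        })
    return findings


if __name__ == '__main__':
    for f in check_forwards(SAMPLE_PF_CONF):
        print(f)
    print('--- same ruleset with the nat line commented out ---')
    for f in check_forwards(SAMPLE_PF_CONF.replace('nat on', '# nat on')):
        print(f)
```

Running it prints two findings for the sample, both with outbound_nat True, and the second one (port 444 -> 192.168.30.28:443) flagged as PAT; commenting out the nat line makes outbound_nat False for both, which is the one-way-forward condition worth ruling out before looking at the appliance itself. The check is deliberately conservative: a nat source written as an interface:network spec cannot be resolved offline and is reported as not covering the host.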


More information about the freebsd-pf mailing list