PF port forward problem with Sonicwall VPN

Artyom Viklenko artem at aws-net.org.ua
Fri Jan 28 09:13:04 UTC 2011


28.01.2011 10:49, andy thomas writes:
> I'm maintaining some OpenBSD-based firewalls and have been really
> stumped with a problem when trying to add a Sonicwall VPN appliance
> behind the firewall, and thought I'd ask here for help.
>
> The Sonicwall device uses SSL on port 443 for its external VPN traffic
> and listens on other ports for internal LAN traffic and it uses a single
> network interface for this. On our installation, there is a webmail
> server behind the firewall listening on port 443 and the existing PF
> rule for this is (abbreviated for clarity):
>
> ext_if="vr0"
> int_if="vr1"
>
> webmail="192.168.30.14"
>
> rdr pass log on $ext_if proto tcp from any to $ext_if port 443 -> $webmail port 443
>
> This works fine so as external port 443 is already in use for webmail, I
> decided to use external port 444 for the Sonicwall and added these two
> extra rules:
>
> sonicwall="192.168.30.28"
>
> rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $sonicwall port 443
>
> However, the Sonicwall cannot be accessed from the external port 444
> although it can be accessed internally on port 443 of course. I have

Check your filtering rules on the internal interface; maybe you have a 'pass'
for traffic to the webmail host and not for the sonicwall?


> tested this rule by changing it to point to the webmail server like this:
>
> rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $webmail port 443
>
> and this works fine as I can access webmail on port 444. But why can't I
> access the Sonicwall on port 444? Does anyone know if the Sonicwall uses
> additional ports or has anyone got this device to work with a PF-based
> firewall?
>
> Thanks in advance for any suggestions,
>
> Andy
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"


-- 
            Sincerely yours,
                             Artyom Viklenko.
-------------------------------------------------------
artem at aws-net.org.ua | http://www.aws-net.org.ua/~artem
artem at viklenko.net   | JID: artem at jabber.aws-net.org.ua
FreeBSD: The Power to Serve   -  http://www.freebsd.org
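As an added illustration of the point Artyom raises (this is not part of Andy's post or Artyom's reply, and the pass rules on $int_if are an assumption about what such a ruleset typically needs), here is a minimal pf.conf in the same pre-4.7 `rdr pass` syntax the thread uses. The key detail is that once the rdr has rewritten the destination, the packet leaving $int_if is addressed to the internal host on port 443, so any outbound filter on $int_if must name $sonicwall, not external port 444:

```pf
ext_if="vr0"
int_if="vr1"

webmail="192.168.30.14"
sonicwall="192.168.30.28"

# Redirections on the external interface, as in the thread.
# 'rdr pass' skips further filtering on $ext_if only; the translated
# packet is still filtered when it goes out on $int_if.
rdr pass log on $ext_if proto tcp from any to $ext_if port 443 -> $webmail port 443
rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $sonicwall port 443

# Default-deny on the internal side (assumed policy, logged so a
# mismatch shows up in pflog0).
block log on $int_if

# After translation the destination is the internal host on port 443,
# so both hosts need their own pass rule here. A ruleset that only
# passes $webmail produces exactly the symptom in the thread: port 444
# works when pointed at webmail and fails when pointed at the Sonicwall.
pass out on $int_if proto tcp from any to $webmail port 443 keep state
pass out on $int_if proto tcp from any to $sonicwall port 443 keep state
```

To confirm which rule is dropping the traffic, load the ruleset with `pfctl -vnf /etc/pf.conf` (syntax check), inspect it with `pfctl -s nat` and `pfctl -s rules`, and watch `tcpdump -n -e -ttt -i pflog0` while connecting to port 444 from outside: a block on vr1 with destination 192.168.30.28:443 points at the missing pass rule rather than at the Sonicwall itself.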

