From: andy thomas <andy@time-domain.co.uk>
To: freebsd-pf@freebsd.org
Date: Fri, 28 Jan 2011 08:49:27 +0000 (GMT)
Subject: PF port forward problem with Sonicwall VPN
List-Id: "Technical discussion and general questions about packet filter (pf)"

I'm maintaining some OpenBSD-based firewalls and have been really stumped
by a problem when trying to add a Sonicwall VPN appliance behind the
firewall, and thought I'd ask here for help. The Sonicwall device uses SSL
on port 443 for its external VPN traffic and listens on other ports for
internal LAN traffic, and it uses a single network interface for this.
On our installation, there is a webmail server behind the firewall
listening on port 443 and the existing PF rule for this is (abbreviated
for clarity):

   ext_if="vr0"
   int_if="vr1"
   webmail="192.168.30.14"

   rdr pass log on $ext_if proto tcp from any to $ext_if port 443 -> $webmail port 443

This works fine, so as external port 443 is already in use for webmail, I
decided to use external port 444 for the Sonicwall and added these two
extra rules:

   sonicwall="192.168.30.28"

   rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $sonicwall port 443

However, the Sonicwall cannot be accessed from the external port 444,
although it can be accessed internally on port 443 of course. I have
tested this rule by changing it to point to the webmail server like this:

   rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $webmail port 443

and this works fine as I can access webmail on port 444. But why can't I
access the Sonicwall on port 444? Does anyone know if the Sonicwall uses
additional ports, or has anyone got this device to work with a PF-based
firewall?

Thanks in advance for any suggestions,

Andy
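The rule set Andy describes, written out as a complete pf.conf fragment together with the checks a practitioner would run against it. This is an added example, not text from Andy's post or from the list; the interface and address names are the ones he gives, the "pass in on $int_if" rule and the pfctl/tcpdump checks are assumptions about what the abbreviated rule set needs and how to verify it, not facts from the thread.

```pf
# Added example (not from the original post). OpenBSD pf, pre-4.7 "rdr"
# syntax as used in the post. Macros as given in the post.
ext_if="vr0"
int_if="vr1"
webmail="192.168.30.14"
sonicwall="192.168.30.28"

# Destination-only rewrite: the external address/port is replaced, the
# source address is left alone, so the inside host sees the real client IP
# and its reply must route back through this firewall.
# ($ext_if) in parentheses picks up the address at match time, which
# matters if vr0 gets its address late or from DHCP (assumption: either
# form works for a static address, as in the post).
rdr pass log on $ext_if proto tcp from any to ($ext_if) port 443 -> $webmail port 443
rdr pass log on $ext_if proto tcp from any to ($ext_if) port 444 -> $sonicwall port 443

# "rdr pass" creates the state for the translated connection; if the
# ruleset also filters on the inside interface, the translated packet
# (dst = $sonicwall:443) still has to be allowed out (assumption about
# the rest of the abbreviated ruleset).
pass out on $int_if proto tcp from any to $sonicwall port 443 keep state

# Checks (run as root on the firewall; output formats are pfctl's own):
#   pfctl -nf /etc/pf.conf              syntax check without loading
#   pfctl -f  /etc/pf.conf              load
#   pfctl -s nat                        confirm both rdr rules are present
#   tcpdump -n -e -ttt -i pflog0 port 444
#       a logged "rdr pass" hit shows the inbound SYN on vr0; if that line
#       never appears, the packet is not reaching the rule at all
#   pfctl -s state | grep 444
#       the state pair should show ext_ip:444 <- sonicwall:443 <- client
#   tcpdump -n -i vr1 host 192.168.30.28 and port 443
#       shows whether the translated SYN leaves vr1 and whether a SYN/ACK
#       comes back; a SYN with no reply points at the appliance, not pf
```

The point of the last two checks is to separate "pf did not translate" from "pf translated, but the appliance did not answer or answered via another path". A destination-only rdr keeps the client's real source address, so the appliance's SYN/ACK is addressed to an Internet host and must go out via a default route that leads back through this firewall; the same rdr pointed at the webmail box working is consistent with either the webmail box having the right default route or the appliance behaving differently on its internal interface, and the capture on vr1 is what tells those apart.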