Date: Fri, 28 Jan 2011 11:12:55 +0200
From: Artyom Viklenko <artem@aws-net.org.ua>
To: andy thomas <andy@time-domain.co.uk>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF port forward problem with Sonicwall VPN
Message-ID: <4D428897.4030505@aws-net.org.ua>
In-Reply-To: <Pine.GSO.4.64.1101280827040.13014@mail.time-domain.co.uk>
References: <Pine.GSO.4.64.1101280827040.13014@mail.time-domain.co.uk>
28.01.2011 10:49, andy thomas writes:
> I'm maintaining some OpenBSD-based firewalls and have been really
> stumped with a problem when trying to add a Sonicwall VPN appliance
> behind the firewall, and thought I'd ask here for help.
>
> The Sonicwall device uses SSL on port 443 for its external VPN traffic
> and listens on other ports for internal LAN traffic and it uses a single
> network interface for this. On our installation, there is a webmail
> server behind the firewall listening on port 443 and the existing PF
> rule for this is (abbreviated for clarity):
>
> ext_if="vr0"
> int_if="vr1"
>
> webmail="192.168.30.14"
>
> rdr pass log on $ext_if proto tcp from any to $ext_if port 443 -> $webmail port 443
>
> This works fine so as external port 443 is already in use for webmail, I
> decided to use external port 444 for the Sonicwall and added these two
> extra rules:
>
> sonicwall="192.168.30.28"
>
> rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $sonicwall port 443
>
> However, the Sonicwall cannot be accessed from the external port 444
> although it can be accessed internally on port 443 of course. I have

Check your filtering rules on the internal interface; maybe you have a 'pass' for traffic to the webmail host and not for the Sonicwall?

> tested this rule by changing it to point to the webmail server like this:
>
> rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $webmail port 443
>
> and this works fine as I can access webmail on port 444. But why can't I
> access the Sonicwall on port 444? Does anyone know if the Sonicwall uses
> additional ports or has anyone got this device to work with a PF-based
> firewall?
>
> Thanks in advance for any suggestions,
>
> Andy
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

--
Sincerely yours, Artyom Viklenko.
-------------------------------------------------------
artem@aws-net.org.ua | http://www.aws-net.org.ua/~artem
artem@viklenko.net | JID: artem@jabber.aws-net.org.ua
FreeBSD: The Power to Serve - http://www.freebsd.org
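The check Artyom suggests, written out as a complete ruleset in the pre-4.7 pf.conf syntax the thread uses. This is an added example, not configuration from either poster: it reuses the interface names and addresses from Andy's message, and it assumes a default-deny policy (`block all`) and per-interface filtering, which is the situation in which a redirected host is unreachable unless it has its own pass rule on the internal interface.

```conf
# Macros taken from the original message
ext_if="vr0"
int_if="vr1"
webmail="192.168.30.14"
sonicwall="192.168.30.28"

# Translation rules. The "pass" keyword on rdr skips the filter rules on
# $ext_if for matching packets, but it says nothing about $int_if.
rdr pass log on $ext_if proto tcp from any to $ext_if port 443 -> $webmail port 443
rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $sonicwall port 443

# Assumed default-deny policy; with it, every redirected host needs an
# explicit pass on the internal interface (assumed, not from the thread).
block log all

# Filter rules are evaluated after translation, so they see the internal
# destination address and the internal port (443), not external port 444.
pass out log on $int_if proto tcp from any to $webmail   port 443 flags S/SA keep state
pass out log on $int_if proto tcp from any to $sonicwall port 443 flags S/SA keep state

# Return traffic is covered by the state entries created above.
```

The failure mode this guards against is exactly the asymmetry in the thread: a pass rule written only for `$webmail` lets the first rdr work while the second silently drops on `$int_if`. Because both rdr rules carry `log`, `tcpdump -n -e -ttt -i pflog0` shows whether a connection to port 444 is being translated at all, and `pfctl -vvsr` shows which rule's counters move when the connection is attempted; a matching `block` rule with a rising counter on `$int_if` confirms the missing pass.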