From: andy thomas <andy@time-domain.co.uk>
Date: Fri, 28 Jan 2011 09:28:52 +0000 (GMT)
To: Artyom Viklenko
Cc: freebsd-pf@freebsd.org
Subject: Re: PF port forward problem with Sonicwall VPN
In-Reply-To: <4D428897.4030505@aws-net.org.ua>

On Fri, 28 Jan 2011, Artyom Viklenko wrote:

> 28.01.2011 10:49, andy thomas:
>> I'm maintaining some OpenBSD-based firewalls and have been really
>> stumped with a problem when trying to add a Sonicwall VPN appliance
>> behind the firewall, and thought I'd ask here for help.
>>
>> The Sonicwall device uses SSL on port 443 for its external VPN traffic
>> and listens on other ports for internal LAN traffic, and it uses a single
>> network interface for this. On our installation, there is a webmail
>> server behind the firewall listening on port 443 and the existing PF
>> rule for this is (abbreviated for clarity):
>>
>> ext_if="vr0"
>> int_if="vr1"
>>
>> webmail="192.168.30.14"
>>
>> rdr pass log on $ext_if proto tcp from any to $ext_if port 443 -> $webmail port 443
>>
>> This works fine, so as external port 443 is already in use for webmail, I
>> decided to use external port 444 for the Sonicwall and added these two
>> extra rules:
>>
>> sonicwall="192.168.30.28"
>>
>> rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $sonicwall port 443
>>
>> However, the Sonicwall cannot be accessed from the external port 444
>> although it can be accessed internally on port 443, of course. I have
>
> Check your filtering rules on the internal interface; maybe you have 'pass'
> for traffic to the webmail host and not for the sonicwall?

Thanks for the quick response - here are the existing internal interface
rules:

# int_if
pass in on $int_if proto carp keep state
pass out on vr1 proto carp keep state
pass in on $int_if proto tcp from any to any flags S/SA keep state
pass in on $int_if proto { udp, icmp } from any to any keep state
pass out on $int_if all keep state label "int_net:$if:out"

I should add this firewall also handles IPsec VPN with other rules using
port 500 and the enc0 interface, but this should not affect the Sonicwall on
port 443, should it?

If it's of any help I can post the entire pf.conf, but it's very long - I
didn't write this and have only recently taken over responsibility for the
firewalls along with the FreeBSD-based server infrastructure.

(The IPsec VPN doesn't work very well with ShrewSoft VPN clients under
Windows 7, so the company bought the Sonicwall as a solution for this
problem, although IPsec/Shrewsoft VPN works fine with machines running
Windows XP.)

thanks, Andy
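As an added example, not taken from the thread or from the poster's pf.conf, here is how the two forwards and the filter rules that go with them fit together in the pre-OpenBSD-4.7 rdr syntax the thread uses. The interface names and addresses are assumed from the post above; the comments describe pf's translation and state behaviour in general, not anything known about this particular firewall.

```pf
# Added example: complete rdr + filter fragment in pre-OpenBSD-4.7 pf syntax.
# Interface names and addresses are assumed from the post; this is not the
# poster's own pf.conf.
ext_if="vr0"
int_if="vr1"
webmail="192.168.30.14"
sonicwall="192.168.30.28"

# Translation rules are first-match, so the two forwards must differ in the
# external port. Each rewrites the destination to the internal host *before*
# the filter rules see the packet, which is why the filter rules below name
# the internal address and port 443, not $ext_if port 444.
rdr pass log on $ext_if proto tcp from any to $ext_if port 443 -> $webmail port 443
rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $sonicwall port 443

# "rdr pass" skips the filter rules for the matching packet and creates state
# on $ext_if. With the default floating state policy the Sonicwall's reply,
# which arrives on $int_if, is matched by that same state, so the explicit
# rules below are only needed if "pass" is dropped from the rdr lines or the
# ruleset uses "set state-policy if-bound".
pass in on $ext_if proto tcp from any to $webmail port 443 flags S/SA keep state
pass in on $ext_if proto tcp from any to $sonicwall port 443 flags S/SA keep state
pass out on $int_if proto tcp from any to { $webmail, $sonicwall } port 443 keep state

# The forwarded host's default route must point at the firewall's $int_if
# address. If the Sonicwall replies via another gateway, pf sees the SYN go
# out but never the SYN/ACK, and the state times out (the same holds for any
# rdr target, not just this one).
```

To check that the rule is actually loaded and doing something, run `pfctl -nf /etc/pf.conf` for a syntax check, `pfctl -sn` to confirm the port 444 rdr is present, `pfctl -ss | grep 192.168.30.28` while a client connects from outside to see whether a state is created, `tcpdump -n -e -ttt -i pflog0 port 443 or port 444` to see what the `log` keyword on the rdr records, and `tcpdump -ni vr1 host 192.168.30.28 and port 443` to confirm the translated SYN leaves on the internal interface and whether a SYN/ACK comes back through it.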