From: Damien Fleuriot <ml@my.gd>
Date: Tue, 22 Mar 2011 10:40:50 +0100
To: freebsd-pf@freebsd.org
Subject: Re: PF port forward problem with Sonicwall VPN (revisited)

On 3/22/11 9:58 AM, andy thomas wrote:
> ---------- Forwarded message ----------
> Date: Fri, 28 Jan 2011 08:49:27 +0000 (GMT)
> From: andy thomas
> To: freebsd-pf@freebsd.org
> Subject: PF port forward problem with Sonicwall VPN
>
> I'm maintaining some OpenBSD-based firewalls and have been really
> stumped with a problem when trying to add a Sonicwall VPN appliance
> behind the firewall, and thought I'd ask here for help.
>
> The Sonicwall device uses SSL on port 443 for its external VPN traffic
> and listens on other ports for internal LAN traffic, and it uses a single
> network interface for this. On our installation, there is a webmail
> server behind the firewall listening on port 443 and the existing PF
> rule for this is (abbreviated for clarity):
>
> ext_if="vr0"
> int_if="vr1"
>
> webmail="192.168.30.14"
>
> rdr pass log on $ext_if proto tcp from any to $ext_if port 443 -> $webmail port 443

Ok

> This works fine, so as external port 443 is already in use for webmail, I
> decided to use external port 444 for the Sonicwall and added these two
> extra rules:
>
> sonicwall="192.168.30.28"
>
> rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $sonicwall port 443

This rule rewrites the destination IP address so that it is now the Sonicwall's instead of your PF's public IP.

This rule rewrites the destination TCP port so that it is now port 443 instead of the original port 444.

Take good note that the source address remains unchanged, so your Sonicwall needs to know a route back to the client.

> However, the Sonicwall cannot be accessed from the external port 444,
> although it can be accessed internally on port 443 of course. I have
> tested this rule by changing it to point to the webmail server like this:
>
> rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $webmail port 443

Seeing you can access your webmail just fine on port 444 but not the Sonicwall clearly shows the problem is with the Sonicwall, not PF.

Possible issues to investigate:

1/ lack of a default gateway on your Sonicwall
2/ misconfigured security rules on your Sonicwall not allowing the traffic.

> and this works fine as I can access webmail on port 444. But why can't I
> access the Sonicwall on port 444? Does anyone know if the Sonicwall uses
> additional ports, or has anyone got this device to work with a PF-based
> firewall?
>
> Thanks in advance for any suggestions,

I would advise you change your RDR rule to a NAT rule, so that traffic will be seen coming from the PF's interface (choose which) and the Sonicwall will have a direct connection with this network.

> Andy
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
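An added pf.conf fragment, written for this page and not posted by either participant, showing the combination the reply suggests: keep the rdr rule from the thread and add a nat rule on the internal interface, so the Sonicwall sees the firewall's internal address as the source and answers through PF whether or not it has a default gateway. It reuses the thread's interface and host names and the same pre-OpenBSD 4.7 translation syntax the thread uses; `($int_if)` and `$int_if:network` are standard pf notation for the interface's current address and its attached network.

```pf
# Added example, not from the thread: rdr plus nat so the Sonicwall's replies
# come back through PF even if the Sonicwall has no route to the client.
ext_if="vr0"
int_if="vr1"
sonicwall="192.168.30.28"

# Inbound on the external interface: rewrite the destination from the
# firewall's public address, port 444, to the Sonicwall's HTTPS listener.
# The source address is still the real client at this point.
rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $sonicwall port 443

# Outbound on the internal interface: rewrite the source of that same,
# already redirected, traffic to the firewall's internal address, so the
# Sonicwall sees a directly connected peer. Excluding LAN sources keeps
# internal clients' real addresses intact in the Sonicwall's logs.
nat on $int_if proto tcp from ! $int_if:network to $sonicwall port 443 -> ($int_if)
```

The trade-off is that the Sonicwall's own logs now record the firewall's internal address rather than the external client, so keep `log` on the rdr rule and correlate through pflog when you need the original source. After loading the rules, `pfctl -s state` should show the translated connection once an external client connects to port 444.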