Date:      Sun, 21 Feb 2016 16:23:53 -0800
From:      Julian Elischer <julian@freebsd.org>
To:        galtsev@kicp.uchicago.edu, freebsd-net@freebsd.org
Subject:   Re: gateway machine port redirect question
Message-ID:  <56CA5519.4080000@freebsd.org>
In-Reply-To: <43887.128.135.52.6.1456021321.squirrel@cosmo.uchicago.edu>
References:  <43887.128.135.52.6.1456021321.squirrel@cosmo.uchicago.edu>

On 20/02/2016 6:22 PM, Valeri Galtsev wrote:
> Dear Experts,
>
> I'm one of the Linux refugees who several years ago migrated the majority
> of my servers from Linux to FreeBSD and have been happy since. When I
> recently needed to set up a gateway (firewall + NAT) machine, I set up
> FreeBSD 10.2 on it, used ipfw and natd, and all works well; machines behind
> the gateway on the LAN can happily reach the real network. I hit one snag
> later though: when I tried to redirect TCP traffic on some port to a machine
> on the internal private network behind the gateway, whatever I do doesn't work.
>
> Could somebody point me to a simple example (it doesn't matter which
> components are involved; I don't feel married to ipfw and natd) for FreeBSD
> 10.2 that makes the machine a gateway, where one of the ports of traffic
> coming from the public network is redirected to a machine on the private
> network behind the gateway? Something I can reproduce that works, which I
> will then gradually convert into what I need. The other way around, adding
> redirection to the already working (and a bit sophisticated) gateway I set
> up, appears to be beyond my mental abilities: a couple of weeks of
> frustration confirm it to me.
>
> I really do not want to go back to Linux to do this, even though I feel I
> could do it based on Linux in the course of an hour or two; I've set up a
> few of them in the past using Linux, and that's the longest it took me in
> my recollection.
>
> Thanks in advance for all your answers and pointers!
>
> Valeri
>
> ++++++++++++++++++++++++++++++++++++++++
> Valeri Galtsev
> Sr System Administrator
> Department of Astronomy and Astrophysics
> Kavli Institute for Cosmological Physics
> University of Chicago
> Phone: 773-702-4247
> ++++++++++++++++++++++++++++++++++++++++
>
This CAN be done, but it gets tricky.

Usually we do NAT on the external interface. The trouble is that you 
don't want that traffic to go through the external interface, but to 
get routed back in.
You really should add a special rule group that traps the packets as 
they come in on the internal interface and sends them to NAT if they 
are destined for the other internal machine (and the return packets).

I have never done this, so when you work it out let us know :-)

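The two parts of this thread, the simple public-port redirect Valeri asked for and the "trap it on the internal interface" rule group Julian describes for LAN clients that use the public address, written out as an ipfw in-kernel NAT ruleset. This is an added example, not something posted in the thread or shipped with FreeBSD: interface names (em0/em1), addresses (203.0.113.2, 192.168.1.0/24), the published port 2222 and target port 22 are all assumptions to replace. The hairpin part follows Julian's description and assumes that an ipfw `nat` action rewrites destinations on the "in" pass and sources on the "out" pass; he has not tested it and neither has this script, so confirm it with `ipfw show` and tcpdump on a test gateway. Setting `net.inet.ip.fw.one_pass=0` is what lets the filter rules keep running after a `nat` action.

```shell
#!/bin/sh
# Added example (not from the thread): FreeBSD 10.x ipfw gateway that
# masquerades a LAN behind its public address and forwards one public TCP
# port to a LAN host. All names, addresses and ports below are assumptions.
# Assumed /etc/rc.conf entries (rc loads the ipfw_nat module for you):
#   gateway_enable="YES"
#   firewall_enable="YES"
#   firewall_nat_enable="YES"
# Load the rules with "sh ipfw.rules apply"; "sh ipfw.rules show" prints them.

EXT_IF=${EXT_IF:-em0}             # public-facing interface
INT_IF=${INT_IF:-em1}             # LAN-facing interface
PUB_IP=${PUB_IP:-203.0.113.2}     # address on EXT_IF (constructed value)
LAN=${LAN:-192.168.1.0/24}        # private network behind the gateway
LAN_GW=${LAN_GW:-192.168.1.1}     # gateway's own LAN address
SERVER=${SERVER:-192.168.1.10}    # LAN host that should receive the port
PUB_PORT=${PUB_PORT:-2222}        # port published on PUB_IP
SRV_PORT=${SRV_PORT:-22}          # port SERVER listens on

# With DRY_RUN set, commands are printed instead of executed, so the ruleset
# can be reviewed (or tested) on a machine without ipfw.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}
fw() { run /sbin/ipfw -q "$@"; }

load_rules() {
    # Keep traversing the ruleset after a nat action (default 1 would accept
    # the packet right after translation and skip every filter rule below).
    run /sbin/sysctl net.inet.ip.fw.one_pass=0
    fw flush
    # NAT instance 1: LAN behind PUB_IP, plus PUB_IP:PUB_PORT -> SERVER:SRV_PORT.
    fw nat 1 config if "$EXT_IF" same_ports reset \
        redirect_port tcp "$SERVER:$SRV_PORT" "$PUB_PORT"
    fw add 100 allow ip from any to any via lo0
    # Untranslate everything arriving on the public side first: replies to
    # LAN flows and new connections to the published port.
    fw add 110 nat 1 ip from any to any in via "$EXT_IF"
    fw add 120 check-state
    # Outbound flows: remember them, then jump to the NAT rule at 1000. The
    # parent action is skipto (not allow) so replies matched by check-state
    # are also translated on their way out.
    fw add 200 skipto 1000 ip from "$LAN" to any out via "$EXT_IF" keep-state
    fw add 210 skipto 1000 ip from me to any out via "$EXT_IF" keep-state
    # The one published service (destination already rewritten by rule 110).
    fw add 300 skipto 1000 tcp from any to "$SERVER" "$SRV_PORT" \
        in via "$EXT_IF" setup keep-state
    # The LAN side is trusted in both directions.
    fw add 400 allow ip from "$LAN" to any in via "$INT_IF"
    fw add 410 allow ip from any to "$LAN" out via "$INT_IF"
    # Anything else unsolicited from the public side is dropped.
    fw add 900 deny ip from any to any in via "$EXT_IF"
    # Reached via skipto/check-state: translate the source on the way out.
    fw add 1000 nat 1 ip from any to any out via "$EXT_IF"
    fw add 1010 allow ip from any to any
}

# Julian's suggestion written out: trap LAN packets aimed at PUB_IP:PUB_PORT
# as they come in on the internal interface, hand them to NAT, and handle
# the return packets. Assumed direction semantics, untested: verify first.
load_hairpin_rules() {
    # NAT instance 2 rewrites the LAN client's source to the gateway's LAN
    # address, so SERVER's replies come back through the gateway instead of
    # going straight to the client (which would see the wrong peer address).
    fw nat 2 config ip "$LAN_GW" same_ports
    # Client -> PUB_IP:PUB_PORT, in on LAN: destination becomes SERVER:SRV_PORT.
    fw add 350 nat 1 tcp from "$LAN" to "$PUB_IP" "$PUB_PORT" in via "$INT_IF"
    # SERVER -> gateway LAN address, in on LAN: destination back to the client.
    fw add 355 nat 2 tcp from "$SERVER" "$SRV_PORT" to "$LAN_GW" in via "$INT_IF"
    # Forwarding the client's packet back out on the LAN: masquerade its source.
    fw add 405 nat 2 tcp from "$LAN" to "$SERVER" "$SRV_PORT" out via "$INT_IF"
    # Forwarding SERVER's reply to the client: source back to PUB_IP:PUB_PORT.
    fw add 406 nat 1 tcp from "$SERVER" "$SRV_PORT" to "$LAN" out via "$INT_IF"
}

case "${1:-}" in
    apply) load_rules; load_hairpin_rules ;;
    show)  DRY_RUN=1; load_rules; load_hairpin_rules ;;
esac
```

The rule numbers matter: 350/355 sit before the blanket LAN `allow` at 400 and 405/406 before 410, otherwise the LAN-side allow rules accept the packets before NAT ever sees them, which is the same failure Julian describes for the external-interface-only setup.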



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?56CA5519.4080000>