From: andy thomas <andy@time-domain.co.uk>
To: Daniel Hartmeier
Cc: arun@netstat-a.net, freebsd-pf@freebsd.org
Date: Mon, 31 Jan 2011 15:31:39 +0000 (GMT)
Subject: Re: PF port forward problem with Sonicwall VPN
In-Reply-To: <20110131152001.GE5861@insomnia.benzedrine.cx>

On Mon, 31 Jan 2011, Daniel Hartmeier wrote:

> On Fri, Jan 28, 2011 at 08:49:27AM +0000, andy thomas wrote:
>
>> and this works fine as I can access webmail on port 444. But why can't I
>> access the Sonicwall on port 444? Does anyone know if the Sonicwall uses
>> additional ports or has anyone got this device to work with a PF-based
>> firewall?
>
> First, I'd try to connect to the Sonicwall from the pf box itself,
> so it's using its local address. If that doesn't work, how's the
> pf box different from any other local client, for which this works?
>
> Then try and add NAT on the pf box' internal interface, so redirected
> connections should work like the previous test. If they don't, the
> problem clearly is with the pf box.

I've logged into the pf box via ssh and used the lynx text browser to
access the Sonicwall's web interface on the internal interface and this
works fine.

> But if they do work, but don't without NAT:
>
> Check if maybe the Sonicwall has a list of networks it accepts
> connections from. It might default to refuse connections from
> non-local networks.

I'll get the guy who installed the Sonicwall to check this.

> Also check if the Sonicwall has a correct default route. Without
> a correct default route, non-local connections would fail precisely
> in the way you describe...

I'd thought of that and the installer has confirmed it is set up correctly.

Thanks for getting back to me,

Andy
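The two-step test Daniel suggests (plain redirect first, then NAT on the internal interface so the Sonicwall sees the pf box's own address) written out as pf.conf rules. This is an added example, not Andy's actual ruleset; the interface names, the Sonicwall address and the macro names are assumed placeholders.

```pf
# Added example, not the original poster's pf.conf. Interface names and the
# Sonicwall's address are assumed placeholders; adjust to the real setup.
ext_if    = "em0"
int_if    = "em1"
sonicwall = "192.0.2.10"      # placeholder: Sonicwall's LAN address
fwd_port  = "444"

# Ordinary outbound NAT for the LAN.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Step 1 (what the original rdr exercises): redirect port 444 arriving on the
# external interface to the Sonicwall. The Sonicwall then sees the real remote
# source address, so its replies only come back through the pf box if it has a
# correct default route and accepts connections from non-local networks.
rdr pass on $ext_if proto tcp from any to ($ext_if) port $fwd_port \
    -> $sonicwall port $fwd_port

# Step 2 (Daniel's second test): also source-NAT the redirected connections as
# they leave the internal interface, so the Sonicwall sees them as coming from
# the pf box's own LAN address, exactly like the lynx test run on the pf box.
# Trade-off: the Sonicwall's logs then show the pf box, not the real client.
nat on $int_if proto tcp from any to $sonicwall port $fwd_port -> ($int_if)

# Let the forwarded traffic out on the internal interface; state is kept so
# the replies are matched without a separate rule.
pass out on $int_if proto tcp from any to $sonicwall port $fwd_port keep state

# Checks to run on the pf box (commands, not part of pf.conf):
#   pfctl -nf /etc/pf.conf     # parse the ruleset without loading it
#   pfctl -sn                  # show the nat/rdr rules as loaded
#   pfctl -ss | grep ':444'    # state entries for the forwarded port
```

If step 1 fails but step 2 works, the problem is on the Sonicwall side (default route or accepted-networks list), as Daniel describes; if both fail, look at the pf box.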