Date: Sun, 21 Feb 2016 19:25:12 -0700 (MST)
From: Warren Block
To: Julian Elischer
cc: galtsev@kicp.uchicago.edu, freebsd-net@freebsd.org
Subject: Re: gateway machine port redirect question
In-Reply-To: <56CA5519.4080000@freebsd.org>
References: <43887.128.135.52.6.1456021321.squirrel@cosmo.uchicago.edu> <56CA5519.4080000@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On Sun, 21 Feb 2016, Julian
Elischer wrote:

> On 20/02/2016 6:22 PM, Valeri Galtsev wrote:
>> Dear Experts,
>>
>> I'm one of the Linux refugees who several years ago migrated the majority of
>> servers from Linux to FreeBSD and has been happy since. When I recently needed
>> to set up a gateway (Firewall + NAT) machine, I set up FreeBSD 10.2 on it,
>> used ipfw and natd, and all works well; machines behind the gateway on the LAN can
>> happily reach the real network. I hit one snag later though: when I tried to
>> redirect TCP traffic on some port to a machine on the internal private network
>> behind the gateway, whatever I do doesn't work.
>>
>> Could somebody point to a simple example (it doesn't matter which components
>> are involved, I don't feel married to ipfw and natd) for FreeBSD 10.2 that
>> makes the machine a gateway, and one of the ports of traffic coming from the
>> public network is redirected to a machine on the private network behind the gateway.
>> Something I can reproduce that works, which I will then gradually convert
>> into what I need. The other way around, adding redirection to the already working
>> (and a bit sophisticated) gateway I set up, appears to be beyond my mental
>> abilities: a couple of weeks of frustration confirm it to me.
>>
>> I really do not want to go back to Linux to do this, even though I feel I
>> can do it based on Linux in the course of an hour or two. I've set up a few
>> of them in the past using Linux; that's the longest it took me in my
>> recollection.
>>
> This CAN be done but it gets tricky.
>
> Usually we do NAT on the external interface. The trouble is that you don't
> want that traffic to go through the external interface, but to get routed
> back in.
> You really should add a special rule group that traps the packets as they
> come in on the internal interface and sends them to nat if they are destined
> for the other internal machine (and the return packets).
>
> I have never done this so when you work it out let us know :-)

I understood this to be just a standard redirect from the outside interface to a server inside the LAN. To redirect inside traffic to that same machine takes another redirect and NAT rule:

  # source-NAT LAN clients to the gateway's LAN address so the server's
  # replies come back through the gateway instead of straight to the client
  nat on $int_if proto tcp from $internal_net to $webserver port 80 -> $int_if
  # redirect LAN clients that connect to the gateway's LAN address on port 80
  rdr on $int_if proto tcp from $internal_net to $internal_addr port 80 -> $webserver port 80

Adapted from my rules for a different type of server, so might need adjustment. Again, this is PF.
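As an added example (not from Warren's message or from the FreeBSD project), a complete FreeBSD 10.x pf.conf that places the two reflection rules above beside the ordinary public-side redirect and the filter rules the redirected traffic needs. Interface names, addresses and the port are assumed placeholders; the gateway also needs gateway_enable="YES" in rc.conf so that net.inet.ip.forwarding is 1.

```pf
# Constructed example: FreeBSD 10.x gateway doing NAT, a port redirect from
# the public side to an internal web server, and the "reflection" nat/rdr
# pair that lets LAN clients reach that server via the gateway's addresses.
# All names and addresses below are placeholders, adjust them to your network.
ext_if       = "em0"              # public-facing interface
int_if       = "em1"              # LAN-facing interface
internal_net = "192.168.1.0/24"
int_addr     = "192.168.1.1"      # the gateway's own LAN address
webserver    = "192.168.1.10"     # internal host that receives the redirect
svc_port     = "80"

set skip on lo0
scrub in all

# --- translation (must precede filter rules in 10.x pf; first match wins) ---
# 1. Masquerade everything the LAN sends out through the public interface.
nat on $ext_if from $internal_net to any -> ($ext_if)

# 2. Reflection, part 1: LAN clients talking to the web server through the
#    gateway are source-NATed to $int_if, so the server replies to the gateway
#    (which holds the rdr state) rather than directly to the client.
nat on $int_if proto tcp from $internal_net to $webserver port $svc_port -> $int_if

# 3. Public side: hand incoming connections on $svc_port to the web server.
rdr on $ext_if proto tcp from any to ($ext_if) port $svc_port -> $webserver port $svc_port

# 4. Reflection, part 2: the same redirect for LAN clients, whether they use
#    the gateway's LAN address or the public address (what DNS usually gives).
rdr on $int_if proto tcp from $internal_net to { $int_addr, ($ext_if) } port $svc_port \
    -> $webserver port $svc_port

# --- filtering: default deny, log what is dropped, allow only what is needed ---
block in log all
pass out quick keep state

# rdr runs before filtering, so the inbound pass rule matches the translated
# destination ($webserver), not the gateway's address.
pass in on $ext_if proto tcp from any to $webserver port $svc_port flags S/SA keep state

# LAN hosts may go anywhere; this also covers the reflected connections,
# whose destination is already $webserver by the time filtering sees them.
pass in on $int_if from $internal_net to any keep state
```

Check syntax with `pfctl -nf /etc/pf.conf` before loading, then watch `pfctl -s nat` and `pfctl -s state` while a LAN client connects to the public address: a working reflection shows one state for the rdr and a second one with the client rewritten to $int_addr.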