From: Dillon Kass
Date: Sat, 11 Jul 2009 15:20:12 -0400
CC: freebsd-pf@freebsd.org
Subject: Re: Extremely simple redirect rule doesnt appear to be working
Message-ID: <4A58E5EC.1020905@loveturtle.net>
In-Reply-To: <4A4F0992.8090906@simplenet.com>
References: <4A4D2010.4020908@simplenet.com> <4A4DE199.4010701@andric.com> <4A4F0992.8090906@simplenet.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

It's hard to say exactly what is happening here without more information, but here is the likely scenario. What is most likely happening is simple but a little tricky to notice. Your rdr rule is likely working fine.

For the sake of this example, let's just say that your LAN is 192.168.0.0/24, your router is 192.168.0.1, the machine you want to forward to is 192.168.0.2, and your computer is 192.168.0.100. So let's say you have your rdr rule as follows:

    rdr pass inet proto tcp from any to 209.131.36.158 port 80 -> 192.168.0.2 port 80

This rule is probably working just fine; this is most likely what is happening. Your computer is 192.168.0.100 and you send a request to 209.131.36.158, which is redirected to 192.168.0.2. 192.168.0.2 receives a request with the source IP of 192.168.0.100 and responds directly to you. This is the problem. You send a packet to 209.131.36.158 and you get a response from 192.168.0.2; the packet is then dropped because your computer has no idea why 192.168.0.2 is sending you what would appear to be random crap.

Install something like trafshow, open it up, and attempt to connect again. Look for two things: look at pfctl -vsr and see if your rule is being hit, and look at the output of trafshow and see if you're getting TCP traffic directly from the IP you're forwarding to. If you are, then this is your problem.

You should be able to use some fancy NAT magic in pf so that the forwarded packet has a different source address (not from the same subnet), which will cause your 192.168.0.2 to send its packet back to the router instead of directly to your 192.168.0.100 LAN machine. On the way back through the router you can use some more fancy NAT magic to rewrite the reply's source IP to be 209.131.36.158 instead of 192.168.0.2.
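The "fancy NAT magic" described in the message above is usually called NAT reflection (or hairpin NAT). The pf.conf fragment below is an added illustration, not part of the original message or of any poster's configuration: it uses the addresses from the example (LAN 192.168.0.0/24, router 192.168.0.1, server 192.168.0.2, public address 209.131.36.158) and assumes interface names em0 (WAN) and em1 (LAN), which are not in the original. It is written in the nat/rdr rule syntax that FreeBSD's pf uses, where translation rules are listed separately from filter rules.

```conf
# Added example (not from the original thread). Interface names are assumed.
ext_if  = "em0"             # WAN side, carries 209.131.36.158
int_if  = "em1"             # LAN side, 192.168.0.1
ext_ip  = "209.131.36.158"
int_net = "192.168.0.0/24"
server  = "192.168.0.2"

# Ordinary outbound NAT for the LAN.
nat on $ext_if from $int_net to any -> ($ext_if)

# 1. Clients on the Internet: a plain port forward arriving on the WAN side.
#    Replies from $server go out through the router anyway, so nothing else
#    is needed here.
rdr pass on $ext_if proto tcp from any to $ext_ip port 80 -> $server port 80

# 2. Clients on the LAN talking to the public address. The rdr alone would
#    leave the client's own address (e.g. 192.168.0.100) as the source, and
#    the server would answer the client directly; the client then sees a
#    reply from 192.168.0.2 for a connection it opened to 209.131.36.158 and
#    drops it. So, in addition to the rdr, translate the source to the
#    router's LAN address: the server now replies to the router, and the
#    state entry rewrites the reply back to src 209.131.36.158 before it
#    reaches the client.
rdr pass on $int_if proto tcp from $int_net to $ext_ip port 80 -> $server port 80
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to $server port 80 -> $int_if

# Filter rules still have to admit the redirected traffic (rdr pass already
# lets the redirected packets through; these cover the rest).
pass out on $int_if proto tcp from any to $server port 80 keep state
pass in  on $int_if proto tcp from $int_net to $server port 80 keep state
```

To check it, load with `pfctl -nf /etc/pf.conf` first (syntax check without loading), then `pfctl -f /etc/pf.conf`. Counters for nat and rdr rules are shown by `pfctl -vsn` (the `-sr` output only covers filter rules), and `pfctl -ss` should show a state for the LAN client whose translated side is the router's LAN address rather than the client's, which is the sign that the reply will come back through the router. The `no nat` line keeps the router's own connections to LAN hosts untranslated; drop it only if the router never originates such traffic.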