Date: Fri, 19 Aug 2005 10:40:18 -0700
From: Steven Schoch <schoch@spamcop.net>
To: freebsd-pf@freebsd.org
Subject: rdr only works for some ports
Message-ID: <43061982.2040907@spamcop.net>
I'm having trouble getting rdr to work. Here's the configuration:

The host on which pf is running has its own services, particularly HTTP and SSH, so I set up a pool of other (external) addresses to use for NAT. Thus, I have my aliases set up in /etc/rc.conf:

ifconfig_fxp0="inet x.y.z.5 netmask 255.255.255.0"
ifconfig_fxp1="inet 192.168.1.5 netmask 255.255.255.0"
ifconfig_fxp0_alias0="x.y.z.20 netmask 0xffffffff"
ifconfig_fxp0_alias1="x.y.z.21 netmask 0xffffffff"
ifconfig_fxp0_alias2="x.y.z.22 netmask 0xffffffff"
ifconfig_fxp0_alias3="x.y.z.23 netmask 0xffffffff"
ifconfig_fxp0_alias4="x.y.z.24 netmask 0xffffffff"

And my pf.conf file is set up like this:

ext_if="fxp0"
external_addr="x.y.z.5"

# These are my external NAT addresses
nat1="x.y.z.21"
nat2="x.y.z.22"
nat3="x.y.z.23"
nat4="x.y.z.24"

int_if="fxp1"
internal_net="192.168.1.0/24"

table <nat_pool> { $nat1, $nat2, $nat3, $nat4 }

# I then have NAT set like this:
nat on $ext_if inet from $internal_net to any -> <nat_pool>

# Next, I want SSH and TAPI to go to particular machines on the internal net:
rdr on $ext_if proto tcp from any to $nat1/32 port 22 -> 192.168.1.101
rdr on $ext_if proto tcp from any to $nat1/32 port 5000 -> 192.168.1.7

# And some of my internal users connect to X11 clients, so I map some X11 ports:
rdr on $ext_if proto tcp from any to <nat_pool> port 6104 -> 192.168.1.104
rdr on $ext_if proto tcp from any to <nat_pool> port 6105 -> 192.168.1.105
rdr on $ext_if proto tcp from any to <nat_pool> port 6106 -> 192.168.1.106

Except for the "x.y.z", everything is taken exactly from the files.

The problem: connecting to the X11 ports works (DISPLAY=nat1.domain:104 works from an external Internet address), but ssh to nat1 times out. Yes, I know 192.168.1.101 is running a valid SSH server on port 22, since I also have a Netgear NAT router pointing to it that works just fine. The same for the system listening on port 5000.

Yes, I tried substituting <nat_pool> for $nat1/32 and vice versa as a test, but the end result is the same: port 6104 works, but ports 22 and 5000 do not. Is there anything obvious I'm doing wrong? Is this a FAQ?

-- Steve
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?43061982.2040907>
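Added example, not part of the mail above: the poster shows only the nat/rdr section of pf.conf and none of the filter rules, but pf applies translation before filtering, so a filter rule that is meant to admit a redirected connection has to name the translated (internal) destination, not the external alias. The fragment below keeps the poster's interface, address and table names and adds a minimal filter section of my own; the default-block policy and the state options are assumptions, not something the mail states.

```pf
# Added example (not from the original mail). Macros and table are the
# poster's; the filter section is assumed and is what the mail does not show.
ext_if="fxp0"
int_if="fxp1"
internal_net="192.168.1.0/24"
nat1="x.y.z.21"
nat2="x.y.z.22"
nat3="x.y.z.23"
nat4="x.y.z.24"
table <nat_pool> { $nat1, $nat2, $nat3, $nat4 }

# Outbound NAT for the internal net, as posted.
nat on $ext_if inet from $internal_net to any -> <nat_pool>

# Inbound redirects, as posted ($nat1 alone is a host address, the /32 is
# optional).
rdr on $ext_if proto tcp from any to $nat1 port 22   -> 192.168.1.101
rdr on $ext_if proto tcp from any to $nat1 port 5000 -> 192.168.1.7
rdr on $ext_if proto tcp from any to <nat_pool> port 6104 -> 192.168.1.104
rdr on $ext_if proto tcp from any to <nat_pool> port 6105 -> 192.168.1.105
rdr on $ext_if proto tcp from any to <nat_pool> port 6106 -> 192.168.1.106

# Filter section (assumed). By the time these rules run, the destination of a
# redirected packet is already the internal host, so the pass rules must match
# 192.168.1.x, not $nat1 or <nat_pool>. A rule such as
#   pass in on $ext_if proto tcp to $nat1 port 22
# never matches a redirected SSH connection and the SYN falls through to the
# block rule, which looks exactly like a timeout from the outside.
block in log on $ext_if

pass in on $ext_if proto tcp from any to 192.168.1.101 port 22   flags S/SA keep state
pass in on $ext_if proto tcp from any to 192.168.1.7   port 5000 flags S/SA keep state
pass in on $ext_if proto tcp from any to 192.168.1.104 port 6104 flags S/SA keep state
pass in on $ext_if proto tcp from any to 192.168.1.105 port 6105 flags S/SA keep state
pass in on $ext_if proto tcp from any to 192.168.1.106 port 6106 flags S/SA keep state

# Let the redirected connections continue out the inside interface.
pass out on $int_if proto tcp from any to $internal_net keep state
```

To check which of the two halves is at fault on a live box: `pfctl -sn` lists the loaded nat/rdr rules and `pfctl -sr` the filter rules, `pfctl -ss` shows whether a state was ever created for the redirected connection, and with `block in log` in place `tcpdump -n -e -ttt -i pflog0 port 22` shows the blocked SYN together with the rule number that dropped it. Since the X11 redirects through the same table already work, IP forwarding and the rdr mechanism itself are evidently fine; the difference between port 6104 and ports 22/5000 is the first thing to look for in the filter rules. The pf host's own sshd on x.y.z.5 is not in the path here: the redirect rewrites the destination before the packet reaches the local stack, so local services never see it.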