Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 22 Mar 2011 10:40:50 +0100
From:      Damien Fleuriot <ml@my.gd>
To:        freebsd-pf@freebsd.org
Subject:   Re: PF port forward problem with Sonicwall VPN (revisited)
Message-ID:  <4D886EA2.2070000@my.gd>
In-Reply-To: <Pine.GSO.4.64.1103220830580.4247@mail.time-domain.co.uk>
References:  <Pine.GSO.4.64.1103220830580.4247@mail.time-domain.co.uk>

next in thread | previous in thread | raw e-mail | index | archive | help
On 3/22/11 9:58 AM, andy thomas wrote:
> ---------- Forwarded message ----------
> Date: Fri, 28 Jan 2011 08:49:27 +0000 (GMT)
> From: andy thomas <andy@time-domain.co.uk>
> To: freebsd-pf@freebsd.org
> Subject: PF port forward problem with Sonicwall VPN
> 
> I'm maintaining some OpenBSD-based firewalls and have been really
> stumped with a problem when trying to add a Sonicwall VPN appliance
> behind the firewall, and thought I'd ask here for help.
> 
> The Sonicwall device uses SSL on port 443 for it's external VPN traffic
> and listens on other ports for internal LAN traffic and it uses a single
> network interface for this. On our installation, there is a webmail
> server behind the firewall listening on port 443 and the existing PF
> rule for this is (abbreviated for clarity):
> 
> ext_if="vr0"
> int_if="vr1"
> 
> webmail="192.168.30.14"
> 
> rdr pass log on $ext_if proto tcp from any to $ext_if port 443  ->
> $webmail port 443
> 

Ok


> This works fine so as external port 443 is already in use for webmail, I
> decided to use external port 444 for the Sonicwall and added these two
> extra rules:
> 
> sonicwall="192.168.30.28"
> 
> rdr pass log on $ext_if proto tcp from any to $ext_if port 444  ->
> $sonicwall port 443
> 

This rule rewrites the destination IP address so that it is now the
sonicwall's instead of your PF's public IP.
This rule rewrites the destination TCP port so that it is now port 443
instead of the original port 444.

Take good note that the source address remains unchanged so your
sonicwall needs to know a route back to the client.

> However, the Sonicwall cannot be accessed from the external port 444
> although it can be accessed internallt on port 443 of course. I have
> tested this rule by changing it to point to the webmail server like this:
> 
> rdr pass log on $ext_if proto tcp from any to $ext_if port 444  ->
> $webmail port 443
> 

Seeing you can access your webmail just fine on port 444 but not the
sonicwall clearly shows the problem is with the sonicwall, not PF.

Possible issues to investigate:

1/ lack of a default gateway on your sonicwall
2/ misconfigured security rules on your sonicwall not allowing the traffic.


> and this works fine as I can access webmail on port 444. But why can't I
> access the Sonicwall on port 444? Does anyone know if the Sonicwall uses
> additional ports or has anyone got this device to with with a PF-based
> firewall?
> 
> Thanks in advance for any suggestions,
> 

I would advise you change your RDR rule to a NAT rule, so that traffic
will be seen coming from the PF's interface (choose which) and the
sonicwall will have a direct connection with this network.


> Andy
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4D886EA2.2070000>