21st June 2019
junk

pf user guide's example:

Code:
pass in on $int_if proto tcp from $int_net to egress port 80 rdr-to $server
pass out on $int_if proto tcp to $server port 80 received-on $int_if nat-to $int_if

My initial rules:

Code:
pass in on $int_if1 inet proto tcp from $client to $int_if1 port 8080 rdr-to $server port 80
pass out on $int_if1 inet proto tcp to $server port 80 received-on $int_if1 nat-to $int_if2

The only difference I see is that, apart from the port translation, in my case int_if2 is not a gateway and the nat-to address is not the internal interface, but it doesn't make sense that you nat-to from $int_if unless $server is in the same subnet as $int_if, does it?

This would be closer to what they say in pf's faq:

Code:
int_if1 = 192.168.0.1
int_if2 = 192.168.1.1
client = 192.168.0.3
server = 192.168.1.2

pass in on $int_if1 proto tcp from $client to $int_if2 port 80 rdr-to $server
pass out on $int_if1 proto tcp to $server port 80 received-on $int_if1 nat-to $int_if1

Code:
test# tcpdump -n -i re0 port 80
tcpdump: listening on re0, link-type EN10MB
19:42:08.928850 192.168.0.3.48966 > 192.168.1.1.80: S 1766645:1766645(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 56749928 0> (DF)
19:42:08.928944 192.168.1.1.80 > 192.168.0.3.48966: R 0:0(0) ack 1766646 win 0

test# tcpdump -n -i re1 port 80
tcpdump: listening on re1, link-type EN10MB
[none]

The pass out rule never matches? It's not even performing the rdr-to?

Quote:
destination address gets replaced with that of the internal server. The packet gets forwarded back through the internal interface and reaches the internal server. But the source address has not been translated, and still contains the local client's address,

That's what happens when you rdr-to from 192.168.0.1 to 192.168.1.2 (post #1).

Quote:
If you outline what the operational problem is that you're trying to solve, perhaps an alternative solution can be devised.

I've got computers attached to a switch (192.168.0.x) and phones connecting to a wifi AP (192.168.1.x). I have them on two different subnets because I read somewhere it's better that way. I'd like to access the AP's config from a desktop.

Last edited by junk; 21st June 2019 at 09:52 PM.
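The topology described in the post, written out as a complete pf.conf fragment with a default-deny policy. This is an added example, not the poster's ruleset or the pf user guide's; it assumes int_if1 is re0 and int_if2 is re1 (the interfaces the tcpdump above listened on) and reuses the addresses the post lists.

```pf
# Added example for the topology in the post: re0 = 192.168.0.1 (wired
# desktops), re1 = 192.168.1.1 (wifi AP side), AP management at
# 192.168.1.2. Mapping re0/re1 to int_if1/int_if2 is an assumption based
# on the interfaces the tcpdump in the post listened on.
int_if1 = "re0"
int_if2 = "re1"
client  = "192.168.0.3"
server  = "192.168.1.2"

set skip on lo

# Default deny; every pass rule below is a later, more specific match.
# Options on a pass rule (rdr-to, nat-to) only take effect when that rule
# is the last matching one, so it must not be shadowed by a later pass
# rule that matches the same packets.
block return log all

# (a) Plain routing: the firewall already sits between the two subnets,
# so the desktop can reach the AP at 192.168.1.2 with no redirection.
pass in on $int_if1 inet proto tcp from $client to $server port 80

# (b) Redirection: reach the AP through the firewall's own wifi-side
# address, http://192.168.1.1:8080/, as in the post's initial rules.
# Parentheses make pf look up the interface address at run time.
pass in on $int_if1 inet proto tcp from $client to ($int_if2) port 8080 \
    rdr-to $server port 80

# Both cases leave on re1 with destination 192.168.1.2:80. The source is
# rewritten to the re1 address so the AP can answer even if it has no
# route back to 192.168.0.0/24; received-on keeps the rule from matching
# traffic that did not enter on the wired side.
pass out on $int_if2 inet proto tcp to $server port 80 \
    received-on $int_if1 nat-to ($int_if2)
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax; with this ruleset a SYN from 192.168.0.3 to 192.168.1.1:8080 should appear on re1 as 192.168.1.1 -> 192.168.1.2:80 in tcpdump rather than being answered with a RST by the firewall itself.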