Hi All,
I was doing NAT (redirection) testing to access the internal webserver from the notebook, with the diagram below:
notebook--->----em0[OpenBSD 4.9 PF]em1--->---webserver(TCP/443)
em0(external) is 192.168.1.218/24
notebook is 192.168.1.21/24
em1(internal) is 192.168.2.218/24
internal webserver is 192.168.2.80/24
Webserver gateway is em1(192.168.2.218)
Firewall default gateway is 192.168.1.1
notebook gateway is em0(192.168.1.218)
IP alias for NAT on em0 is 192.168.1.232/32 (for redirecting the incoming traffic from 192.168.1.232 to 192.168.2.80)
net.inet.ip.forwarding=1
My rules are:
# Tables: (1)
table <tbl.r0.d> { 192.168.1.218 , 192.168.1.232 , 192.168.2.218 }
#
# Rule 0 (NAT)
match in on em0 proto {tcp udp icmp} from 192.168.1.21 to 192.168.1.232 rdr-to 192.168.2.80
# SSH mgmt rule
pass in quick inet proto tcp from 192.168.1.21 to <tbl.r0.d> port 22
# Rule 0 (em0,em1) permit notebook to access https on internal webserver
pass log quick on { em0 em1 } inet proto tcp from 192.168.1.21 to 192.168.1.232 port 443
# Deny all
block quick inet from any to any no state
The IP alias (192.168.1.232) was configured on em0 (external).
But the traffic can't pass through to the internal webserver.
I was doing tcpdump on both interfaces:
tcpdump on em0(external):
Code:
# tcpdump -npi em0 host 192.168.1.232
tcpdump: listening on em0, link-type EN10MB
21:36:37.611311 arp who-has 192.168.1.232 tell 192.168.1.21
21:36:37.611369 arp reply 192.168.1.232 is-at 00:0c:29:97:2a:44
tcpdump: WARNING: compensating for unaligned libpcap packets
21:36:37.611708 192.168.1.21.4963 > 192.168.1.232.443: S 4176778738:4176778738(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
21:36:37.611789 192.168.1.232.443 > 192.168.1.21.4963: R 0:0(0) ack 4176778739 win 0 (DF)
21:36:38.063449 192.168.1.21.4963 > 192.168.1.232.443: S 4176778738:4176778738(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
21:36:38.063598 192.168.1.232.443 > 192.168.1.21.4963: R 0:0(0) ack 1 win 0 (DF)
21:36:38.566376 192.168.1.21.4963 > 192.168.1.232.443: S 4176778738:4176778738(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
21:36:38.566453 192.168.1.232.443 > 192.168.1.21.4963: R 0:0(0) ack 1 win 0 (DF)
and tcpdump on em1(internal)
Code:
# tcpdump -npi em1 port 443
tcpdump: listening on em1, link-type EN10MB
It seemed that the translation didn't work and the request couldn't be redirected to the internal webserver.
When I was testing from the notebook to the internal webserver, the notebook was able to access port 443 on the internal webserver. But when I was testing using rdr-to (NAT), it doesn't work.
Is there anything missing/misconfigured in my config?
Regards,
Stefan
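Added illustration, not part of Stefan's post and not the pf engine itself: a small Python model of the documented PF (4.7 and later) evaluation order, where the translation from a match rule is applied before the following filter rules see the packet and quick stops evaluation. Run over the four posted rules, it shows that the https pass rule, written against 192.168.1.232, no longer matches once rdr-to has rewritten the destination to 192.168.2.80, so the block quick rule decides; the second ruleset is an assumed variant (not from the post) whose pass rule is keyed on the translated address instead. Direction, protocol and state tracking are deliberately left out of the model.

```python
from collections import namedtuple

# Simplified model of OpenBSD PF (4.7+) evaluation, added for illustration only
# (not the real engine): rules run top to bottom; a "match" rule never decides
# but its rdr-to rewrites the destination at once, so later rules see the
# translated packet; "quick" stops evaluation, else the last pass/block wins.
# Direction, protocol and state tracking are deliberately left out.
Pkt = namedtuple("Pkt", "iface src dst dport")
Rule = namedtuple("Rule", "action ifaces src dst dport quick rdr_to")
ANY = None  # wildcard for any field; dst is a set (models a pf table/address)

def matches(r, p):
    return ((r.ifaces is ANY or p.iface in r.ifaces)
            and (r.src is ANY or p.src == r.src)
            and (r.dst is ANY or p.dst in r.dst)
            and (r.dport is ANY or p.dport == r.dport))

def evaluate(rules, pkt):
    """Return (verdict, packet as the filter saw it after any translation)."""
    verdict = "pass"  # pf's implicit default when no rule matches
    for r in rules:
        if not matches(r, pkt):
            continue
        if r.action == "match":
            if r.rdr_to:  # translate now: every following rule sees the new dst
                pkt = pkt._replace(dst=r.rdr_to)
            continue
        verdict = r.action
        if r.quick:
            break
    return verdict, pkt

NOTEBOOK, ALIAS, WEB = "192.168.1.21", "192.168.1.232", "192.168.2.80"
MGMT = {"192.168.1.218", ALIAS, "192.168.2.218"}  # the posted <tbl.r0.d>

def posted_ruleset():
    """The four rules from the post, in the order given."""
    return [
        Rule("match", {"em0"}, NOTEBOOK, {ALIAS}, ANY, False, WEB),
        Rule("pass", ANY, NOTEBOOK, MGMT, 22, True, None),
        Rule("pass", {"em0", "em1"}, NOTEBOOK, {ALIAS}, 443, True, None),
        Rule("block", ANY, ANY, ANY, ANY, True, None),
    ]

def translated_dst_ruleset():
    """Assumed variant (not from the post): https rule keyed on the rdr target."""
    rules = posted_ruleset()
    rules[2] = rules[2]._replace(dst={WEB})
    return rules

SYN = Pkt("em0", NOTEBOOK, ALIAS, 443)  # first packet in the em0 tcpdump above
```

Calling evaluate(posted_ruleset(), SYN) returns the block verdict together with the packet as the filter saw it (destination already 192.168.2.80), while evaluate(translated_dst_ruleset(), SYN) returns pass.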