Thread: pf rdr problem
Old 20th March 2010
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

Code:
          INTERNET
              |
              |
--------------|---------------------
           external           
             xl1             
        xxx.xxx.xx.xx      
                     
                      
  192.168.1.1    192.168.2.1     
      xl0           fxp0 
    internal     wireless    
-------|-------------|-------------
       |             |
       |            /|\                 \ | /
       |           / | \                 \|/
    switch                                |
  internal Lan                     -------|--------
  192.168.1.0/24                   wireless client
          \                         192.168.2.22
           \                       ---------------
            \
             \
              \
       --------\-------------
            server
       192.168.1.20 port 666
       ----------------------
Quote:
I'm trying to do redirection of ingress traffic hitting my external interface (WAN address) to a server on my LAN.
xl1 - is the external int
xl0 - is the internal int and the gateway for the "server". Private addressing (192.168.1.*)
fxp0 - is another internal interface for my wireless clients. Priv addressing (192.168.2.*)
The server is 192.168.1.20 port 666
I can't seem to access the particular service on port 666 from outside my network or from within my network on fxp0 but I can access it from being on the xl0 network which is the same network that the server is on (Addresses in the 192.168.1.* network)
The rules I gave take care of traffic incoming from the internet to your external/egress interface.

Ingress traffic (192.168.1.0/24 and 192.168.2.0/24) should be able to access your 192.168.1.20 server with normal routing.

And please read http://www.openbsd.dk/faq/pf/rdr.html#reflect, which explains that the wireless clients have to either use the 192.168.1.20 address, or that you have to create a split horizon DNS.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
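To make the "reflection" point concrete, here is an added pf.conf fragment that is not part of the thread and not the original poster's ruleset. It assumes the pre-4.7 OpenBSD `rdr`/`nat` syntax that the linked FAQ section describes (the thread is from March 2010), takes the interface names, networks and the 192.168.1.20 port 666 server from the diagram above, and assumes the service is TCP. The `rdr` on `xl1` is the normal redirect for Internet clients; the extra `rdr` rules on `fxp0` and `xl0` are what lets internal clients reach the service through the WAN address, and the `nat` rule is only needed on `xl0`, where client and server share a subnet.

```pf
# Added example, not from the thread. Names and addresses follow the
# post's diagram; the service on port 666 is assumed to be TCP.
ext_if   = "xl1"
int_if   = "xl0"
wifi_if  = "fxp0"
int_net  = "192.168.1.0/24"
wifi_net = "192.168.2.0/24"
server   = "192.168.1.20"
svc_port = "666"

# Normal redirection: connections from the Internet to the WAN address on
# port 666 are rewritten to the server before the filter rules see them.
rdr on $ext_if proto tcp from any to ($ext_if) port $svc_port -> $server port $svc_port

# Reflection for the wireless segment. A client on 192.168.2.0/24 that
# connects to the WAN address is redirected the same way. The server's
# default gateway is the firewall (xl0), so its replies to a 192.168.2.x
# client pass back through pf and match the state; no source NAT needed.
rdr on $wifi_if proto tcp from $wifi_net to ($ext_if) port $svc_port -> $server port $svc_port

# Reflection for the wired LAN, where client and server share a subnet.
# Without the nat rule the server would answer the client directly, the
# client would see a reply from 192.168.1.20 instead of the WAN address,
# and the TCP handshake would fail. Rewriting the source to the
# firewall's xl0 address forces the reply back through pf.
rdr on $int_if proto tcp from $int_net to ($ext_if) port $svc_port -> $server port $svc_port
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to $server port $svc_port -> $int_if

# Filter rules run after translation, so they match the post-rdr
# destination (the server), not the WAN address. Everything else inbound
# is blocked and logged so tcpdump on pflog0 shows what was dropped.
block in log
pass in on $ext_if  proto tcp from any       to $server port $svc_port keep state
pass in on $wifi_if proto tcp from $wifi_net to $server port $svc_port keep state
pass in on $int_if  proto tcp from $int_net  to $server port $svc_port keep state
pass out keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`; `pfctl -sn` lists the translation rules as loaded, and `tcpdump -n -e -ttt -i pflog0` shows what the `block in log` rule is dropping. If split horizon DNS is used instead, so that internal clients resolve the service name to 192.168.1.20 directly, the three reflection lines on `fxp0` and `xl0` are not needed at all.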