OpenBSD Security - Functionally paranoid!
HELP: pf.conf setting CANNOT do the port-redirection from Internal Network
The Gateway (or NAT server) is built with OpenBSD 6.4.

Here is my network:
Fixed IPs for both Internal (IP: 10.100.128.254) and External (IP: public IP address for the Internal webserver)
IP for the Internal webserver behind the Gateway: 10.100.128.1
All Internal clients are 10.100.128.0/22

Here is the configuration: content of /etc/pf.conf
Code:
INT_IF="em1"
BLMCSS="10.100.128.0/22"

set block-policy drop
set loginterface egress
set skip on lo

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from $INT_IF:network to any nat-to (egress:0)

antispoof quick for { egress $INT_IF }

block in quick on egress from $BLMCSS to any
block return out quick on egress from any to $BLMCSS
block all

pass out quick inet
pass in on $INT_IF proto udp from $BLMCSS to any port { domain ntp }
pass in on $INT_IF proto tcp from $BLMCSS to any
pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 10.100.128.1

Clients from OUTSIDE can reach the Internal webserver ==> port-redirection (last line in the pf.conf) works fine.
Clients from INSIDE CANNOT reach the webserver (tried both public IP and Internal IP) ==> anything missing, pls. HELP

Thanks
Last edited by ocicat; 13th December 2018 at 09:28 AM. Reason: Please use [code] & [/code] tags when posting file contents.
Hello, and welcome!
Code:
{Internet} - [OpenBSD NAT Router] - {10.100.128.0/22} - [clients and webserver]

Once you have the internal access problem solved... There are several solutions to have your local clients use the external address (or domain name) to reach the internal server. See the PF User's Guide section that discusses Redirection and Reflection for the various solutions.

Last edited by jggimi; 13th December 2018 at 04:20 PM. Reason: clarity
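The RDR-and-NAT combination from the Redirection and Reflection section of the PF User's Guide, written out as an added example for the addresses used in this thread; it is not jggimi's or the original poster's own ruleset. It assumes em0 is the external interface and em1 the internal one (the poster's INT_IF), and that the OpenBSD box, the clients and the webserver all share one internal Ethernet segment.

```pf
# Added example: let internal clients reach the webserver via the public address.
# Interface names are assumed; the IP addresses are the ones given in the thread.
ext_if = "em0"
int_if = "em1"
int_net = "10.100.128.0/22"
server = "10.100.128.1"
ext_ip = "210.0.202.23"

# External clients: the same redirect the poster already has.
pass in on $ext_if inet proto tcp from any to $ext_ip port { 80 443 } \
    rdr-to $server

# Internal clients connecting to the public address: redirect to the server...
pass in on $int_if inet proto tcp from $int_net to $ext_ip port { 80 443 } \
    rdr-to $server

# ...and rewrite the source address to the router's internal address, so the
# server's replies return through the router instead of going straight to the
# client. received-on limits this to connections that arrived on the internal
# interface, so ordinary forwarded traffic is left alone.
pass out on $int_if inet proto tcp to $server port { 80 443 } \
    received-on $int_if nat-to $int_if
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`. The nat-to line is what keeps the redirected connection alive: without it the server answers the client directly from 10.100.128.1, and the client discards a reply for a connection it opened to 210.0.202.23.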
First, thanks for your reply and sorry for my very late response.

Actually, I'm using OpenWrt as the gateway and it works fine (NAT + port forwarding; OpenWrt is built on Linux and uses iptables). I'd like to change to OpenBSD as it can take care of huge traffic loading.

In fact, I copied the official example (https://www.openbsd.org/faq/pf/example1.html) and did a few modifications. It worked except that the INSIDER cannot connect to the internal webserver. However, with the current OpenWrt, it works perfectly.

That means: for the OUTSIDER, it works. For the INSIDER, it DOES NOT work for both the internal and the external IP address of the webserver. That's why I think it's not an internal network problem or a name resolving problem.

My questions are:
1) anyone using the official example got the same problem as mine?
2) how to modify the pf.conf and get the problem solved?

thanks
Sorry for my late reply.

You're correct. "INSIDER" means all the clients (including the web server). I understand the meaning of "does not involve the router at all". I tested it and it didn't work. Then I checked it against the settings of the web server (which is not configured by us). The web server ONLY accepts requests from the "OUTSIDER". That means the "OUTSIDER" can contact the web server through the Gateway; the "INSIDER" cannot.

Thus, the question becomes: for the "INSIDER", how can it go to the Gateway and then be redirected to the web server?

thanks
I don't have enough information to answer the key question, which I perceive to be:
"Why does the webserver located at 10.100.128.1/22 ignore traffic from any workstation on the 10.100.128.0/22 network?"

In your most recent post, you state that the webserver is not in your control, but it is sited on your local network. For all that I know, and based on that statement, the webserver may be configured to block this traffic.

If you are unable to determine which solution in the Redirection and Reflection section of the PF User's Guide might be helpful, then please post a network diagram as I recommended in my last response. Otherwise, I can provide no further guidance.

Unfortunately, I -- or anyone else -- can only assist you based on the information you are willing and able to provide.
First, sorry to bother you guys, and for the unclear descriptions.

Actually, we're a high school in Hong Kong and the government put a webserver (called websams) in our school to do the "admin job"; that's why the webserver is located in our school and we don't know what it is. The webserver connects to the Internet through a Gateway which does the port forwarding to the webserver. This is suggested by the government (maybe they think it's a kind of protection for the webserver). Maybe that's why the webserver responds ONLY to traffic forwarded by the Gateway.

I made a Gateway from a TP-LINK router with OpenWrt firmware; it works fine. Other clients inside the school are using another Gateway to go to the Internet. This one is built with OpenBSD; it works fine too.

We want to (need to) cut down the number of Gateways and real IP addresses, and so the cost. Thus, we want to merge these 2 Gateways into 1 with OpenBSD. Is it possible to do that?
Here is the network topology.
Code:
                  Internet
                     |
                     |
             -----------------
             |      hub      |
             -----------------
                |         |
        --------------  ------------
        |  Gateway1  |  | Gateway2 |
        --------------  ------------
                |         |
        --------------  ----------------
        |  webserver |  | other clients|
        --------------  ----------------

other clients: IP: 10.100.128.0/22
Gateway1: Internal IP: 10.100.128.254, External IP: 210.0.202.23 (by ISP)
Gateway2: Internal IP: 10.100.129.254, External IP: 210.0.202.33 (by ISP)
Gateway1: NAT + port-forwarding (http, https) by TP-LINK
Gateway2: NAT ONLY by OpenBSD

Our Problem:
Once Gateway1 is replaced by OpenBSD, external clients CAN reach the webserver by port-forwarding; internal clients CANNOT (tried both 10.100.128.1 and 210.0.202.23).
From the builder of the webserver, it can only accept requests from 210.0.202.23 through port-forwarding.

Our Task:
Combine 2 gateways into 1 with OpenBSD AND all clients (internal and external) can reach the webserver by 210.0.202.23.

thanks, pls. help
Last edited by J65nko; 5th January 2019 at 11:58 AM. Reason: Added [code] and [/code] tags to show your diagram in full glory ;-)
********************
Sorry, the diagram shifted.
The 2 Gateways are connected to the HUB separately.
The webserver connects to Gateway1 ONLY.
Other clients connect to Gateway2 ONLY.
*********************
Thank you! Your diagram does not match mine, and now I perceive the root cause of the communication difficulty between the webserver and your "insider" network. They are both using the same /22 IP subnet, but the /22 subnet is not a single network. Instead, the subnet contains two separate Ethernet networks. This is a network configuration error.
There are three solutions.
Solution 1 can be implemented without any hardware changes, as it only requires changes to IP addressing and IP routing. It could therefore permit an immediate operational solution while you determine your best long-term solution.

Solution 2 will require IP routing governance in order to avoid inadvertent and unnecessary use of the bridge when routing traffic to and from the Internet. The clients should be assigned a default route that does not use the bridge. Additionally, if there are two DHCP servers they will need to be synchronized.

Solution 3 could be as simple as a gateway router with two interfaces. The external interface would have two IP addresses -- a primary and an alias address.

Please let me know if you need any additional guidance.

Last edited by jggimi; 4th January 2019 at 04:32 PM. Reason: typos, additional comments
Thanks for your professional advice.

I just discussed it with our co-workers; to make the network simple and easy to maintain, we'll keep our current settings. Sorry to bother all you guys. Many thanks again.