DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 13th December 2018
sw.mok sw.mok is offline
New User
 
Join Date: Nov 2018
Posts: 7
Unhappy HELP: pf.conf setting CANNOT do the port-redirection from Internal Network

The Gateway(or NAT server) is build by OpenBSD 6.4

Here is my network:
Fixed IPs for both Internal (IP: 10.100.128.254) and External (IP: public IP address for the Internal webserver)
IP for the Internal webserver behind the Gateway: 10.100.128.1
All Internal clients are 10.100.128.0/22

Here is the configuration:
content of /etc/pf.conf
Code:
INT_IF="em1"
BLMCSS="10.100.128.0/22"

set block-policy drop
set loginterface egress
set skip on lo

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from $INT_IF:network to any nat-to (egress:0)

antispoof quick for { egress $INT_IF }
block in quick on egress from $BLMCSS to any
block return out quick on egress from any to $BLMCSS

block all
pass out quick inet

pass in on $INT_IF proto udp from $BLMCSS to any port { domain ntp }
pass in on $INT_IF proto tcp from $BLMCSS to any

pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 10.100.128.1
All the Internal clients can go to the Internal ==> NAT works fine
Clients from OUTSIDE can reach the Internal webserver ==> port-redirection (last line in the pf.conf) works fine
Clients form INSIDE CANNOT reach the webserver (tried both public IP and Internal IP) ==> anything missing, pls. HELP

Thanks

Last edited by ocicat; 13th December 2018 at 09:28 AM. Reason: Please use [code] & [/code] tags when posting file contents.
Reply With Quote
  #2   (View Single Post)  
Old 13th December 2018
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,422
Default

Hello, and welcome!
Quote:
Originally Posted by sw.mok View Post
...Clients form INSIDE CANNOT reach the webserver (tried both public IP and Internal IP)....
I perceive the topology to be:
Code:
{Internet} - [OpenBSD NAT Router] - {10.100.128.0/22} - [clients and webserver]
If the network is configured in this manner, then local access from clients to the webserver at 10.100.128.1 occurs on the 10.100.128.0/22 subnet. That form of access is direct. It does not involve the router or this PF configuration. Either I have misunderstood the configuration, or, perhaps address resolution for your local clients is the external address, and not the internal address (10.100.128.1) that you described in your post.

Once you have the internal access problem solved...

There are several solutions to have your local clients use the external address (or domain name) to reach the internal server. See the PF User's Guide section that discusses Redirection and Reflection for the various solutions.

Last edited by jggimi; 13th December 2018 at 04:20 PM. Reason: clarity
Reply With Quote
  #3   (View Single Post)  
Old 4 Weeks Ago
sw.mok sw.mok is offline
New User
 
Join Date: Nov 2018
Posts: 7
Default

first, thanks for you reply and sorry for my very late response

actually, I'm using the OpenWrt as the gateway and it works fine (NAT+port forwarding, the OpenWrt is built by linux and using the iptables)
I'd like to change the OpenBSD as it can take care huge traffic loading

In fact, I copy the official example
(https://www.openbsd.org/faq/pf/example1.html)
and did few modifications.
It worked except that the INSIDER cannot connect to the internal webserver

However, for the currect OpenWrt, it works perfectly.
That means, for the OUTSIDER, it works
For the INSIDER, it DOES NOT work for both internal and external IP address of the webserver
That why I think, it's not the internal network problem or name resolving problem.

My questions are:
1) anyone using the offical example got the same problem as mine?
2) how to modify the pf.conf and get the problem solved?

thanks
Reply With Quote
  #4   (View Single Post)  
Old 4 Weeks Ago
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,422
Default

Provide an ASCII diagram of your network. My diagram MUST be wrong. In my diagram, your "INSIDER" workstations are on the same subnet as your internal web server, and therefore the traffic between the workstations and the web server does not involve the router at all.
Reply With Quote
  #5   (View Single Post)  
Old 2 Weeks Ago
sw.mok sw.mok is offline
New User
 
Join Date: Nov 2018
Posts: 7
Default

sorry for my late reply
You're correct. "INSIDER" means all the clients (include the web server).
I understand the meaning of "does not involve the router at all".
I tested it and it didn't work.
Then, I check it with the setting of the web server (which is not configured by us).
The web server ONLY accept the request from the "OUTSIDER".
That means, the "OUTSIDER" can contact the web server through the Gateway.
The "INSIDER" cannot.
Thus, the question becomes:

For the "INSIDER", how can it go to the Gateway and then redirect to the web server?

thanks
Reply With Quote
  #6   (View Single Post)  
Old 2 Weeks Ago
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,422
Default

I don't have enough information to answer the key question, which I perceive to be:

"Why does the webserver located at 10.100.128.1/22 ignore traffic from any workstation on the 10.100.128.0/22 network?"

In your most recent post, you state that the webserver is not in your control, but it is sited on your local network. For all that I know, and based on that statement, the webserver may be configured to block this traffic.

If you are unable to determine which solution in the Redirection and Reflection section of the PF User's Guide might be helpful, then please post a network diagram as I recommended in my last response. Otherwise, I can provide no further guidance. Unfortunately, I -- or anyone else -- can only assist you based on the information you are willing and able to provide.
Reply With Quote
  #7   (View Single Post)  
Old 2 Weeks Ago
sw.mok sw.mok is offline
New User
 
Join Date: Nov 2018
Posts: 7
Default

first, sorry to bother you guys and the unclear descriptions

actually, we're a high school in Hong Kong and the government put a webserver (called websams) in our school to do the "admin job"
that's why the webserver is located in our school and we don't know what it is.
the webserver connected to the Internet by a Gateway which do the port forwarding to the webserver
this is suggested by the government (maybe they think it's a kind of protection to the webserver)
maybe that's why the webserver responses to the traffic by forwarded by the Gateway ONLY
I make a Gateway by a TP-LINK router with firmware OpenWrt
it works fine

other clients inside the school are using another Gateway to go to the Internet
This is built by OpenBSD
it works find too

we want to (need to) cut down the no. of Gateways and real IP addresses and then the cost
Thus, we want to merge these 2 Gateways into 1 by OpenBSD

Is it possible to do that?
Reply With Quote
  #8   (View Single Post)  
Old 2 Weeks Ago
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,422
Default

Quote:
Originally Posted by sw.mok View Post
we want to (need to) cut down the no. of Gateways and real IP addresses and then the cost
Thus, we want to merge these 2 Gateways into 1 by OpenBSD

Is it possible to do that?
I don't know, because you have not clearly defined your current network topology for me.
Reply With Quote
  #9   (View Single Post)  
Old 2 Weeks Ago
sw.mok sw.mok is offline
New User
 
Join Date: Nov 2018
Posts: 7
Default

here is the network topology

Code:
			Internet
			|
			|
		-----------------
		| hub           |
		-----------------
		  |          |
	--------------     ------------
	| Gateway1   |     | Gateway2 |
        --------------     ------------
            |                  |
        --------------     ----------------
        | webserver  |     | other clients|
        --------------     ----------------
webserver: IP:10.100.128.1
other clients: IP:10.100.128.0/22
Gateway1: Internal IP: 10.100.128.254, External IP: 210.0.202.23 (by ISP)
Gateway2: Internal IP: 10.100.129.254, External IP: 210.0.202.33 (by ISP)
Gateway1: NAT + port-forwarding (http, https) by TP-LINK
Gateway2: NAT ONLY by OpenBSD

Our Problem: once the Gateway1 is replaced by OpenBSD
external clients CAN reach the webserver by port-forwading
internal clients CANNOT (tried both 10.100.128.1 and 210.0.202.23)
From the builder of the webserver, it can only accept the requests from 210.0.202.23 through port-forwarding

Our Task: combine 2 gateways into 1 by OpenBSD
AND all clients (internal and external) can reach the webserver by 210.0.202.23

thanks, pls. help

Last edited by J65nko; 1 Week Ago at 11:58 AM. Reason: Added [code] and [/code] tags to show your diagram in full glory ;-)
Reply With Quote
Old 2 Weeks Ago
sw.mok sw.mok is offline
New User
 
Join Date: Nov 2018
Posts: 7
Default

********************
sorry, the diagram shifted
2 Gateways are connected to the HUB separately
webserver connect to Gateway1 ONLY
other clients connect to Gateway2 ONLY
*********************
Reply With Quote
Old 2 Weeks Ago
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,422
Default

Thank you! Your diagram does not match mine, and now I perceive the root cause of the communication difficulty between the webserver and your "insider" network. They are both using the same /22 IP subnet, but the /22 subnet is not a single network. Instead, the subnet contains two separate Ethernet networks. This is a network configuration error.

There are three solutions.
  1. Map the two separate Ethernet networks so that each has its own, distinct IP subnet. This only requires the authority to revise the network configuration of both gateways, and any DHCP servers used in your environment.
  2. Bridge the two Ethernet networks together into a single network. This requires additional network interfaces on the gateways, and the authority to revise the network configuration of both gateways.
  3. Use a single gateway. Of course, this must be permitted by the administrative or regulatory authority that deploys the webserver.
Edited to add:

Solution 1 can be implemented without any hardware changes, as it only requires changes to IP addressing and IP routing. It could therefore permit an immediate operational solution while you determine your best long-term solution.

Solution 2 will require IP routing governance in order to avoid inadvertent and unnecessary use of the bridge when routing traffic to and from the Internet. The clients should be assigned a default route that does not use the bridge. Additionally, if there are two DHCP servers they will need to be synchronized.

Solution 3 could be as simple as a gateway router with two interfaces. The external interface would have two IP addresses -- a primary and an alias address.

Please let me know if you need any additional guidance.

Last edited by jggimi; 2 Weeks Ago at 04:32 PM. Reason: typos, additional comments
Reply With Quote
Old 1 Week Ago
sw.mok sw.mok is offline
New User
 
Join Date: Nov 2018
Posts: 7
Default

Thanks for your professional advices
just discussed with our co-workers
to make the network simple and easy to maintain
we'll keep our current settings

sorry to bother all your guys

many thanks again
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
port redirection problem in pf petter OpenBSD Security 10 10th March 2013 02:38 AM
Need Help setting up NAT (pf.conf) wlm2 OpenBSD Security 11 22nd October 2011 03:47 PM
OBSD 4.1/NAT port redirection/interception across 7 Class C's element OpenBSD Security 4 27th October 2010 08:17 PM
PF cannot access Internet from internal network gpatrick OpenBSD Security 3 29th August 2010 10:59 PM
Redirect Internal Network to Internal Website plexter OpenBSD Security 12 12th February 2009 08:00 PM


All times are GMT. The time now is 12:43 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick