Date: Sat, 11 Jul 2009 15:20:12 -0400
From: Dillon Kass <lists@loveturtle.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Extremely simple redirect rule doesnt appear to be working
Message-ID: <4A58E5EC.1020905@loveturtle.net>
In-Reply-To: <4A4F0992.8090906@simplenet.com>
References: <4A4D2010.4020908@simplenet.com> <4A4DE199.4010701@andric.com> <4A4F0992.8090906@simplenet.com>
It's hard to say exactly what is happening here without more information, but here is the likely scenario. What is most likely happening is simple but a little tricky to notice. Your rdr rule is likely working fine.

For the sake of this example let's just say that your LAN is 192.168.0.0/24, your router is 192.168.0.1, the machine you want to forward to is 192.168.0.2, and your computer is 192.168.0.100. So let's say you have your rdr rule as follows:

    rdr pass inet proto tcp from any to 209.131.36.158 port 80 -> 192.168.0.2 port 80

This rule is probably working just fine; this is most likely what is happening. Your computer is 192.168.0.100 and you send a request to 209.131.36.158, which is redirected to 192.168.0.2. 192.168.0.2 receives a request with the source IP of 192.168.0.100 and responds directly to you. This is the problem. You send a packet to 209.131.36.158 and you get a response from 192.168.0.2; the packet is then dropped because your computer has no idea why 192.168.0.2 is sending you what would appear to be random crap.

Install something like trafshow, open it up, and attempt to connect again, and look for two things: look at pfctl -vsr and see if your rule is being hit, and look at the output of trafshow and see if you're getting TCP traffic directly from the IP you're forwarding to. If you are, then this is your problem.

You should be able to use some fancy NAT magic in pf so that the forwarded packet has a different source address (not from the same subnet), which will cause your 192.168.0.2 to send its packet back to the router instead of directly to your 192.168.0.100 LAN machine. On the way back through the router you can use some more fancy NAT magic to rewrite the reply's source IP to be 209.131.36.158 instead of 192.168.0.2.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4A58E5EC.1020905>
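The reflection setup the reply above sketches, written out as a pf.conf fragment in the nat/rdr syntax FreeBSD's pf used at the time. This is an added example, not from the original thread; the interface names em0 (WAN) and em1 (LAN) are assumptions, while the addresses are the ones used in the reply.

```pf
# Added example (not from the thread). Assumed interfaces: em0 = WAN, em1 = LAN.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.0.0/24"
srv    = "192.168.0.2"
pub_ip = "209.131.36.158"

# Redirect web traffic arriving from the Internet to the internal server.
rdr pass on $ext_if inet proto tcp from any to $pub_ip port 80 -> $srv port 80

# Same redirect for LAN clients that hit the public address from the inside.
# Without the nat rule below, $srv would see the client's 192.168.0.x source
# address and answer it directly, bypassing the router; the client then drops
# the reply because it never opened a connection to 192.168.0.2.
rdr pass on $int_if inet proto tcp from $lan to $pub_ip port 80 -> $srv port 80

# Reflection: rewrite the LAN client's source to the router's LAN address so
# $srv sends its reply back through the router. The state pf keeps for the
# rdr then restores the original addresses on the way back, so the client
# sees the answer coming from $pub_ip as expected. The "no nat" line keeps
# the router's own traffic to the LAN from being rewritten by the rule after it.
no nat on $int_if proto tcp from $int_if to $lan
nat on $int_if inet proto tcp from $lan to $srv port 80 -> $int_if
```

Syntax-check the file with pfctl -nf /etc/pf.conf before loading it, then confirm the rdr and nat rules are being hit with pfctl -vsn while a LAN client connects to the public address.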