Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
P
P
patashnik2012-05-08 23:04:22
FreeBSD
patashnik, 2012-05-08 23:04:22

FreeBSD, Packet filter (PF) and port forwarding?

Standard situation: local network 192.168.1.0/24 (interface em0), provider network, FreeBSD/PF gateway (192.168.1.1). This gateway receives the Internet through a vpn connection with the provider (interface ng0, external IP address "X" is issued). The gateway has NAT rules configured to allow the Internet to work from the local network.
nat on ng0 from em0 to any -> (ng0)
There is a rule that redirects all external connections from the Internet on port 80 to the appropriate web server 192.168.1.2

rdr on ng0 proto tcp from any to "X" port 80 -> 192.168.1.2

It is not possible to make port forwarding work when accessed from the internal network at the external address "X". Any ideas?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
D
DmZ, 2012-05-09
@patashnik

It has been discussed more than once. Read how NAT works and what it is for.

The router wraps everything correctly, it just won’t work in this case:
  • A packet arrives from the world (assume 8.8.8.8 -> 80.*.*.*), the router dnats it to a local address (8.8.8.8 -> 192.168.1.33), the webserver receives a request from 8.8.8.8 and sends a response back to the router (default route), the router passes the packet back through nat and sends it out to the world;
  • If a packet arrives from a local location (let's say 192.168.1.2 -> 80.*.*.*), the router dangles it to the local address (192.168.1.2 -> 192.168.1.33), the webserver receives a request from 192.168.1.2 and sends a response back to LOCAL network, computer 192.168.1.2 does not receive the expected response from 80.*.*.* and considers the response from 192.168.1.33 invalid, since it did not send a request there. Resp. TCP connection is not established.


( from here )
If you want to do it with NAT, then the packets coming from em0 to X need to be sent to the em0 address so that the web server responds to the router, and not directly to the local area.
nat on em0 proto tcp from 192.168.1.0/24 to 192.168.1.2 port 80 -> (em0)

Or you can raise net/bounce locally, set it to listen on 127.0.0.1:8080->192.168.1.2:80 and replace the redirect with:
rdr on ng0 proto tcp from any to "X" port 80 -> 127.0.0.1 port 8080

Similar questions
V
Val2015-05-12 06:08:31
Configuring ppp in FreeBSD for 2 or more links? 4Reply
K
kirawa2015-05-29 16:10:29
How to close access to "vk" in Freebsd? 3Reply
I
Ivan Semenov2017-05-25 12:49:51
How to fix make install on FreeBSD? 2Reply
S
Smoke User2021-04-26 11:15:15
How to make a forwarded port address open on pfSense in LAN? 1Reply
A
Axelertortt2015-07-14 09:17:43
How in vn_rdwr, VOP_ACCESS to implement before writing to a file? 0Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question