On Sun, 21 Feb 2016, Julian Elischer wrote:
> On 20/02/2016 6:22 PM, Valeri Galtsev wrote:
>> Dear Experts,
>> I'm one of the Linux refugees who several years ago migrated the majority of
>> servers from Linux to FreeBSD and has been happy since. When recently I needed
>> to set up a gateway (firewall + NAT) machine, I set up FreeBSD 10.2 on it,
>> used ipfw and natd, and all works well; machines behind the gateway on the LAN can
>> happily reach the real network. I hit one snag later though: when I tried to
>> redirect TCP traffic on some port to a machine on the internal private network
>> behind the gateway, whatever I do doesn't work.
>> Could somebody point to a simple example (it doesn't matter which components
>> are involved, I don't feel married to ipfw and natd) for FreeBSD 10.2 that
>> makes the machine a gateway, and one of the ports of traffic coming from the
>> public network is redirected to a machine on the private network behind the gateway.
>> Something I can reproduce that works, which I then will gradually convert
>> into what I need. The other way around, adding redirection to the already working
>> (and a bit sophisticated) gateway I set up, appears to be beyond my mental
>> abilities: a couple of weeks of frustration confirm it to me.
>> I really do not want to go back to Linux to do this, even though I feel I
>> could do it based on Linux in the course of an hour or two - I've set up a few
>> of them in the past using Linux, and that's the longest it took me in my
>> recollection.
> This CAN be done but it gets tricky.
> Usually we do NAT on the external interface. The trouble is that you don't
> want that traffic to go through the external interface, but to get routed
> back in.
> You really should add a special rule group that traps the packets as they
> come in on the internal interface and sends them to NAT if they are destined
> for the other internal machine (and the return packets).
> I have never done this, so when you work it out let us know :-)
I understood this to be just a standard redirect from the outside
interface to a server inside the LAN. To redirect inside traffic to
that same machine takes another redirect and NAT rule:
nat on $int_if proto tcp from $internal_net to $webserver port 80 -> $int_if
rdr on $int_if proto tcp from $internal_net to $internal_addr port 80 -> $webserver port 80
Adapted from my rules for a different type of server, so might need
adjustment. Again, this is PF.
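A complete /etc/pf.conf in the spirit of that reply, as an added example that is not from any poster in this thread: it makes a FreeBSD 10.2 box a NAT gateway, forwards one public TCP port to a LAN host, and adds the hairpin nat/rdr pair so LAN clients hitting the public address also work. Interface names, addresses and the forwarded port are assumptions; adjust them to your network.

```pf
# Assumed layout: em0 faces the public network, em1 faces the LAN.
# Also needed in /etc/rc.conf: gateway_enable="YES" and pf_enable="YES".
ext_if    = "em0"
int_if    = "em1"
int_net   = "192.168.1.0/24"     # constructed LAN range
webserver = "192.168.1.10"       # constructed internal host
fwd_port  = "8080"               # public port to forward to $webserver:80

set skip on lo0
scrub in all

# Outbound NAT for the LAN (what ipfw+natd was already doing).
nat on $ext_if from $int_net to any -> ($ext_if)

# Inbound: public port $fwd_port on the gateway's address -> internal host port 80.
rdr on $ext_if proto tcp from any to ($ext_if) port $fwd_port -> $webserver port 80

# Hairpin: a LAN client that connects to the gateway's public address must be
# redirected too, and source-NATed to $int_if so the reply returns through the
# gateway instead of going straight back to the client (which would reset the session).
nat on $int_if proto tcp from $int_net to $webserver port 80 -> ($int_if)
rdr on $int_if proto tcp from $int_net to ($ext_if) port $fwd_port -> $webserver port 80

# Filtering. Rules are last-match unless "quick"; filters see the post-rdr
# destination, so the inbound pass names $webserver, not the public address.
block in on $ext_if
pass out quick keep state
pass in on $int_if from $int_net keep state
pass in on $ext_if proto tcp from any to $webserver port 80 flags S/SA keep state
```

Load with `pfctl -f /etc/pf.conf` and check the translation rules took effect with `pfctl -s nat`; the default `block in on $ext_if` means only the redirected port is reachable from outside.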
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net