28.01.2011 10:49, andy thomas wrote:
I'm maintaining some OpenBSD-based firewalls and have been really
stumped with a problem when trying to add a Sonicwall VPN appliance
behind the firewall, and thought I'd ask here for help.
The Sonicwall device uses SSL on port 443 for its external VPN traffic
and listens on other ports for internal LAN traffic and it uses a single
network interface for this. On our installation, there is a webmail
server behind the firewall listening on port 443 and the existing PF
rule for this is (abbreviated for clarity):
ext_if="vr0"
int_if="vr1"
webmail="192.168.30.14"
rdr pass log on $ext_if proto tcp from any to $ext_if port 443 -> $webmail port 443
This works fine so as external port 443 is already in use for webmail, I
decided to use external port 444 for the Sonicwall and added these two
extra rules:
sonicwall="192.168.30.28"
rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $sonicwall port 443
However, the Sonicwall cannot be accessed from the external port 444
although it can be accessed internally on port 443 of course. I have

Check your filtering rules on the internal interface; maybe you have 'pass'
for traffic to the webmail host and don't for the sonicwall?

tested this rule by changing it to point to the webmail server like this:
rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $webmail port 443
and this works fine as I can access webmail on port 444. But why can't I
access the Sonicwall on port 444? Does anyone know if the Sonicwall uses
additional ports or has anyone got this device to work with a PF-based
firewall?
Thanks in advance for any suggestions,
Andy
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
--
Sincerely yours,
Artyom Viklenko.
-------------------------------------------------------
ar...@aws-net.org.ua | http://www.aws-net.org.ua/~artem
ar...@viklenko.net | JID: ar...@jabber.aws-net.org.ua
FreeBSD: The Power to Serve - http://www.freebsd.org
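
The case the reply asks about, as an added pf.conf sketch that is not from either poster: the macros and rdr rules are the ones quoted above, while the block policy and the pass rules on $int_if are assumptions, since the filter section of the original ruleset is not shown. It relies on `rdr pass` skipping the filter rules only where the packet is translated (inbound on $ext_if); the forwarded packet is evaluated again as it leaves $int_if.

```pf
# --- macros (from the original post) ---
ext_if="vr0"
int_if="vr1"
webmail="192.168.30.14"
sonicwall="192.168.30.28"

# --- translation (from the original post) ---
# "rdr pass" lets the translated packet in on $ext_if without
# consulting the filter rules below.
rdr pass log on $ext_if proto tcp from any to $ext_if port 443 -> $webmail port 443
rdr pass log on $ext_if proto tcp from any to $ext_if port 444 -> $sonicwall port 443

# --- filter (ASSUMED: not shown in the original post) ---
# Default deny, logged so that drops show up on pflog0.
block log all

# Hypothesised existing rule: only the webmail host is allowed out of
# the internal interface. A connection redirected to $sonicwall enters
# on $ext_if, then hits "block log all" when it leaves $int_if.
#
#   pass out on $int_if proto tcp from any to $webmail port 443 keep state

# Corrected rule: allow the forwarded connection to either rdr target.
# The port is 443 for both, because the filter sees the packet after
# translation (destination $sonicwall port 443, not port 444).
pass out log on $int_if proto tcp from any to { $webmail, $sonicwall } port 443 keep state

# Checks on the firewall:
#   pfctl -sn                       loaded rdr rules
#   pfctl -sr                       loaded filter rules, macros expanded
#   tcpdump -n -e -ttt -i pflog0    logged packets with the rule number
#                                   and interface that matched
```

With `log` on the block rule, a drop of the redirected connection appears on pflog0 as a block on vr1 towards 192.168.30.28 port 443, which confirms or rules out this explanation.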