# PF configuration on a FreeBSD gateway



## cmoivoila (Jan 3, 2012)

Hi, 

First I want to thank everyone who will take the time to answer my very stupid questions. To be honest I think my problems are more due to a lack of knowledge than anything else. However, here is my situation:

I built a low power gateway in order to get that setup:

Internet ----- FreeBSD ----- HomeLAN

My goal is to reach HomeLAN from outside (remote desktop on a few computers) and to provide internet access for both surfing and games. I first attempted to do this with IPTABLES, but I really gave up due to the syntax. After that I read about PF and decided to try with it.

We are now a few months later and I have a running NAT on that FreeBSD gateway that can provide internet to the whole HomeLAN. However, I never managed to get a decent port forwarding. And I'm still stuck out of my network when I try to connect with, for example, TightVNC.

Could anyone please tell me what I am doing wrong down there? Here is my basic pf.conf file:

```
internal = "em0"
external = "re0"
antares = "192.168.212.2"

scrub in all

nat on $external from 192.168.212.2 to any -> ($external) static-port
rdr on $external proto tcp from any to $external port 5900 -> $antares port 5900
rdr on $external proto tcp from any to $external port 5800 -> $antares port 5800

pass in quick on $external proto { tcp, udp } from any to $antares port 5900 keep state
pass in quick on $external proto { tcp, udp } from any to $antares port 5800 keep state
pass out quick on $external from any to any
```


Here is my rc.conf file:

```
hostname="Overmind"
ifconfig_re0="DHCP"
ifconfig_em0="inet 192.168.212.1 netmask 255.255.255.0"

#NAT and Packet Forwarding configuration.
gateway_enable="YES"

# NAT routing with PF - No port forwarding yet...
pf_enable="YES"
pf_rules="/etc/pf.conf.v2"
pf_flags="" #flags !
pflog_enable="YES"
pflog_profile="/data/var/log/pflog"
pflog_flags=""
```

I really hate asking for help that way but I really don't understand at all what's happening nor what to do. Oh, and please forgive my bad English, I'm a French native and it has been years since I last practiced English seriously.


----------



## SirDice (Jan 4, 2012)

Don't open up VNC to the internet, really, don't. It's not the world's most secure protocol and it's likely someone will try to hack it.

Use SSH with port forwarding, it's much safer and really easy to do.

`$ ssh -L 5800:192.168.212.2:5800 external.address.of.your.internet`
Then connect a VNC-viewer to localhost.


----------
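Added example, not from SirDice or anyone else in the thread: a ruleset that follows this advice, exposing only SSH on the gateway so that VNC is reached through the `ssh -L` tunnel instead of a redirect. It reuses the interface names and LAN from the first post and the nat/rdr syntax the thread uses; the `<bruteforce>` table name and the 5-connections-per-30-seconds threshold are choices made here, not anything the thread specifies.

```pf
# Added example, not from the thread: SSH-only exposure on the gateway.
# Interface names and LAN are the ones from the first post; the <bruteforce>
# table and the 5-connections-per-30-seconds limit are choices made here.
int_if   = "em0"
ext_if   = "re0"
home_lan = "192.168.212.0/24"

# addresses that exceed the ssh connection rate land here;
# clear it with: pfctl -t bruteforce -T flush
table <bruteforce> persist

set skip on lo0
scrub in all

# NAT for the home LAN; there is no rdr at all, so 5800/5900 are never
# reachable from the internet
nat on $ext_if inet from $home_lan to any -> ($ext_if)

block all

# the only service exposed on re0: ssh to the gateway itself. A source that
# opens more than 5 new connections in 30 seconds is added to <bruteforce>
# and all of its existing states are dropped.
block in quick on $ext_if from <bruteforce>
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# the gateway itself and the LAN may talk to the internet
pass out on $ext_if inet proto { tcp, udp, icmp } all keep state
pass in on $int_if inet from $home_lan to any keep state

antispoof quick for $int_if
antispoof quick for $ext_if
```

With this loaded, the remote side runs `ssh -L 5900:192.168.212.2:5900 user@<external IP>` and points the VNC viewer at `localhost:5900`; the VNC traffic crosses the internet only inside the SSH session, and the gateway's only listener on re0 is sshd (which needs `sshd_enable="YES"` in rc.conf).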



## cmoivoila (Jan 4, 2012)

I agree, SirDice, still I'm not able to forward any port through my gateway.
I will take time to learn about the ssh alternative however.

Any suggestion on the configuration files?
I'm afraid I'm a little lost down there.


----------



## SirDice (Jan 4, 2012)

Your *pf_rules* in /etc/rc.conf is pointing to a different file. Make sure the correct rules are loaded.

The config you posted isn't the best but it should work.


----------



## cmoivoila (Jan 4, 2012)

Yeah, I gave the pf.conf filename by habit, otherwise the system actually refers to the right file.
Is there any system configuration I might have forgotten so port forwarding wouldn't work?
I'm a bit worried about how to solve my issue... If I even manage to.


----------



## SirDice (Jan 4, 2012)

Try this one; it should be exactly the same, only a bit 'cleaner'.


```
internal = "em0"
external = "re0"
vnc = "{5800, 5900}"
antares = "192.168.212.2"

scrub in all

nat on $external from any to any -> ($external)
rdr on $external proto tcp from any to any port 5800 -> $antares port 5800
rdr on $external proto tcp from any to any port 5900 -> $antares port 5900

pass in on $external proto tcp from any to $antares port $vnc keep state

pass in on $internal from any to any keep state
```


----------



## cmoivoila (Jan 4, 2012)

I'm going to try it tonight. Hope it's only a matter of cleaning the configuration file...


----------



## cmoivoila (Jan 4, 2012)

Well it looks like it still doesn't work. NAT rules work, that's why I can post this message, but TightVNC will time out any connection on both HTTP (5800) and VNC (5900) ports leading me to understand that data is not properly passing through my gateway.

Any suggestions? Did I miss something? Maybe I should post my kernel configuration because I customised it a bit?


----------



## vand777 (Jan 4, 2012)

Please try my version. Haven't tested it, so there could be surprises. For example, if you are connected via ssh from your home network, then you should add relevant rules to /etc/pf.conf. Maybe you have some other services you need to open in this file. Or alternatively you can remove the "block all" line.


```
int_if   = "em0"
ext_if   = "re0"
vnc      = "{ 5800, 5900 }"
antares  = "192.168.212.2"
home_lan = "192.168.212.0/24"

table <firewall>      { self }

scrub in all

###############################################################################
# NAT                                                                         #
###############################################################################

nat on $ext_if inet from <firewall> to !<firewall> -> ($ext_if)
nat on $ext_if inet from $home_lan  to !<firewall> -> ($ext_if)

###############################################################################
# Antares                                                                     #
###############################################################################

rdr on $ext_if proto tcp to ($ext_if) port 5800 -> $antares port 5800
rdr on $ext_if proto tcp to ($ext_if) port 5900 -> $antares port 5900

###############################################################################
# block everything by default                                                 #
###############################################################################

block all

###############################################################################
# Antares                                                                     #
###############################################################################

pass on $ext_if inet proto tcp to port $vnc keep state

##############################################################################
# pass out this server                                                       #
##############################################################################

pass out inet proto { tcp, udp, icmp } all keep state

##############################################################################
# pass out jails                                                             #
##############################################################################

pass out inet proto { tcp, udp, icmp } from <firewall> to !<firewall> keep state

##############################################################################
# pass out home lan                                                          #
##############################################################################

pass inet proto { tcp, udp, icmp } from $home_lan to !<firewall> keep state

antispoof for $ext_if
antispoof for $int_if
```


----------



## vand777 (Jan 4, 2012)

cmoivoila said:

> Maybe I should post my kernel configuration because I customised it a bit?



Your kernel configuration does not really matter in this case.


----------



## cmoivoila (Jan 4, 2012)

Oh, I understand the logic and tried this file as is, just adding the "block all" rule as a comment, but again I got a working NAT and no port forwarding. VNC still can't connect.
I'm going to install a quick and dirty webserver in order to try on port 80... Any idea about what's happening? Am I cursed?


----------



## vand777 (Jan 4, 2012)

Do you have any firewall on 192.168.212.2?


----------



## vand777 (Jan 4, 2012)

Please check what happens to packets with tcpdump. It may help you to find the reason.


----------



## cmoivoila (Jan 4, 2012)

I double checked the 192.168.212.2 host, it's running Windows 7 and all the firewall options are disabled.

Also, when I try to SSH to port 5900 from the gateway at 192.168.212.1, it doesn't show the usual "connection refused" message... So basically I think that the gateway can reach my host without a problem.

I'm very new to network features and even if I'm actually reading the man page for tcpdump, I don't really know how to use it.
Going to try some stuff that may sound interesting in order to see what's going wrong...


----------



## vand777 (Jan 4, 2012)

cmoivoila said:

> I'm very new to network features and even if I'm actually reading the man page for tcpdump, I don't really know how to use it.
> Going to try some stuff that may sound interesting in order to see what's going wrong...



There are a lot of examples of how to use tcpdump. For example, this. 

Hopefully by analysing the traffic you will be able to see whether your packets leave your firewall and are dropped by the 192.168.212.2 host.


----------



## cmoivoila (Jan 4, 2012)

I tried `tcpdump -vv -i re0 port 5800` (TightVNC web interface) and tried to connect from a 3G phone.

I got this, and even if I can't understand all of it, I find it very weird...

```
tcpdump -vv -i re0 port 5800
tcpdump: listening on re0, link-type EN10MB (Ethernet), capture size 96 bytes
22:38:50.227402 IP (tos 0x0, ttl 127, id 27051, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->7b5c)!)
    ip-166.net-89-3-210.rev.numericable.fr.5800 > 90.84.144.202.40828: Flags [F.], cksum 0x973c (correct), seq 1322075744, ack 436837746, win 65280, length 0
22:39:36.436663 IP (tos 0x0, ttl 49, id 9397, offset 0, flags [none], proto TCP (6), length 44)
    90.84.144.231.34030 > ip-166.net-89-3-210.rev.numericable.fr.5800: Flags [S], cksum 0x1f58 (correct), seq 451312640, win 12240, options [mss 1360], length 0
22:39:36.436879 IP (tos 0x0, ttl 127, id 27088, offset 0, flags [DF], proto TCP (6), length 44, bad cksum 0 (->7b16)!)
    ip-166.net-89-3-210.rev.numericable.fr.5800 > 90.84.144.231.34030: Flags [S.], cksum 0x5c19 (correct), seq 2702651778, ack 451312641, win 8192, options [mss 1460], length 0
22:39:37.063345 IP (tos 0x0, ttl 49, id 9398, offset 0, flags [none], proto TCP (6), length 40)
    90.84.144.231.34030 > ip-166.net-89-3-210.rev.numericable.fr.5800: Flags [.], cksum 0x6406 (correct), seq 1, ack 1, win 12240, length 0
22:39:37.483413 IP (tos 0x0, ttl 49, id 9399, offset 0, flags [none], proto TCP (6), length 793)
    90.84.144.231.34030 > ip-166.net-89-3-210.rev.numericable.fr.5800: Flags [P.], seq 1:754, ack 1, win 12240, length 753
22:39:37.487521 IP (tos 0x0, ttl 127, id 27091, offset 0, flags [DF], proto TCP (6), length 57, bad cksum 0 (->7b06)!)
    ip-166.net-89-3-210.rev.numericable.fr.5800 > 90.84.144.231.34030: Flags [P.], cksum 0xd209 (correct), seq 1:18, ack 754, win 65280, length 17
22:39:37.498139 IP (tos 0x0, ttl 127, id 27092, offset 0, flags [DF], proto TCP (6), length 327, bad cksum 0 (->79f7)!)
    ip-166.net-89-3-210.rev.numericable.fr.5800 > 90.84.144.231.34030: Flags [P.], seq 18:305, ack 754, win 65280, length 287
22:39:37.498161 IP (tos 0x0, ttl 127, id 27093, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->7b15)!)
    ip-166.net-89-3-210.rev.numericable.fr.5800 > 90.84.144.231.34030: Flags [F.], cksum 0x90b3 (correct), seq 305, ack 754, win 65280, length 0
22:39:37.922866 IP (tos 0x0, ttl 49, id 9400, offset 0, flags [none], proto TCP (6), length 40)
    90.84.144.231.34030 > ip-166.net-89-3-210.rev.numericable.fr.5800: Flags [.], cksum 0x6115 (correct), seq 754, ack 18, win 12223, length 0
22:39:37.922955 IP (tos 0x0, ttl 49, id 9401, offset 0, flags [none], proto TCP (6), length 40)
    90.84.144.231.34030 > ip-166.net-89-3-210.rev.numericable.fr.5800: Flags [.], cksum 0x6103 (correct), seq 754, ack 306, win 11953, length 0
22:39:37.942735 IP (tos 0x0, ttl 49, id 9402, offset 0, flags [none], proto TCP (6), length 40)
    90.84.144.231.34030 > ip-166.net-89-3-210.rev.numericable.fr.5800: Flags [F.], cksum 0x5fe3 (correct), seq 754, ack 306, win 12240, length 0
22:39:37.942887 IP (tos 0x0, ttl 127, id 27096, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->7b12)!)
    ip-166.net-89-3-210.rev.numericable.fr.5800 > 90.84.144.231.34030: Flags [.], cksum 0x90b2 (correct), seq 306, ack 755, win 65280, length 0
22:39:50.234593 IP (tos 0x0, ttl 127, id 27161, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->7aee)!)
    ip-166.net-89-3-210.rev.numericable.fr.5800 > 90.84.144.202.40828: Flags [R.], cksum 0x9639 (correct), seq 1, ack 1, win 0, length 0
^C
13 packets captured
778 packets received by filter
0 packets dropped by kernel
```


----------






## cmoivoila (Jan 4, 2012)

Damn, it seems that I'm not familiar enough with this forum: my message is awaiting moderator approval.
Here is some more:

When I try to connect from the workstation (192.168.212.2) using my external IP so the packet will likely pass through the 192.168.212.1 gateway, I got some packets arriving on port 5900 of the workstation.
It looks like this:


```
tcpdump -vv -i em0 port 5900
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
22:47:39.104931 IP (tos 0x0, ttl 128, id 29099, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.212.2.49861 > ip-166.net-89-3-210.rev.numericable.fr.5900: Flags [S], cksum 0x36d1 (correct), seq 4075391796, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
22:47:39.104982 IP (tos 0x0, ttl 64, id 3431, offset 0, flags [DF], proto TCP (6), length 40)
    ip-166.net-89-3-210.rev.numericable.fr.5900 > 192.168.212.2.49861: Flags [R.], cksum 0x978a (correct), seq 0, ack 4075391797, win 0, length 0
22:47:39.604772 IP (tos 0x0, ttl 128, id 29100, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.212.2.49861 > ip-166.net-89-3-210.rev.numericable.fr.5900: Flags [S], cksum 0x36d1 (correct), seq 4075391796, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
22:47:39.604818 IP (tos 0x0, ttl 64, id 3432, offset 0, flags [DF], proto TCP (6), length 40)
    ip-166.net-89-3-210.rev.numericable.fr.5900 > 192.168.212.2.49861: Flags [R.], cksum 0x978a (correct), seq 0, ack 1, win 0, length 0
22:47:40.104741 IP (tos 0x0, ttl 128, id 29103, offset 0, flags [DF], proto TCP (6), length 48)
    192.168.212.2.49861 > ip-166.net-89-3-210.rev.numericable.fr.5900: Flags [S], cksum 0x4ada (correct), seq 4075391796, win 8192, options [mss 1460,nop,nop,sackOK], length 0
22:47:40.104796 IP (tos 0x0, ttl 64, id 3439, offset 0, flags [DF], proto TCP (6), length 40)
    ip-166.net-89-3-210.rev.numericable.fr.5900 > 192.168.212.2.49861: Flags [R.], cksum 0x978a (correct), seq 0, ack 1, win 0, length 0
^C
6 packets captured
25 packets received by filter
0 packets dropped by kernel
```

However, it seems that TightVNC doesn't get any response because the connection fails after 6 packets received... Does that mean that the answer is lost somewhere in the matrix?


----------



## cmoivoila (Jan 4, 2012)

Damn, am I an idiot? Please tell me.
A friend of mine out on the internet can connect to port 5900, I just received the VNC notification...
Why can't I manage to do a loopback connection myself?


----------



## vand777 (Jan 4, 2012)

Congratulations!


----------



## cmoivoila (Jan 4, 2012)

I have posted a few messages with a lot of text awaiting moderation... If any moderator comes by, feel free to delete them.
By the way, Vand777, can you try to explain to me why my attempt to connect to AA.BB.CC.DD:5800 (external IP) from my workstation behind my gateway to get a loopback VNC connection just fails and keeps failing?
I suppose it's related to firewall rules or NAT but I don't know why... *Feeling really new to networking these times*


----------



## vand777 (Jan 4, 2012)

cmoivoila said:

> By the way, Vand777, can you try to explain to me why my attempt to connect to AA.BB.CC.DD:5800 (external IP) from my workstation behind my gateway to get a loopback VNC connection just fails and keeps failing?


I'm not 100% sure but I guess that it happens because your redirect firewall rules are specified for the external interface. However, your local request comes through the internal interface and your redirect rule becomes completely useless in this case.

I hope that more experienced people can comment on this question if I'm wrong in my assumptions.


----------



## SirDice (Jan 5, 2012)

Vand777 has the right idea. You can't connect to your 'outside' IP address from the 'inside' of your network. The NAT states will get weird and it'll fail.

_Always_ test those redirect rules from outside of your network.


----------



## cmoivoila (Jan 5, 2012)

I understand the idea. However, on older installations of mine, running a basic connection sharing with a Windows XP setup and redirecting ports via a small piece of software, I was able to reach a loopback connection... I suppose this old experience confused me a little.

Is there any possible way to get this "feature" back? I suppose it's nothing more than adding a rule on the internal interface. Seems weird when thinking about it that way.


----------
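Added example, not from the thread: the "reflection" rdr/nat pair described in the PF FAQ, which is the rule-on-the-internal-interface idea the last post guesses at. It lets a LAN host reach antares through the gateway's public address. Macro values are the ones from vand777's ruleset; these rules replace its two rdr lines and sit alongside its `block all`, in the same nat/rdr syntax the thread uses.

```pf
# Added example, not from the thread: rdr/nat "reflection" for LAN clients
# that connect to the gateway's public address. Macro values are the ones
# from vand777's ruleset.
int_if   = "em0"
ext_if   = "re0"
vnc      = "{ 5800, 5900 }"
antares  = "192.168.212.2"
home_lan = "192.168.212.0/24"

# connections arriving from the internet. No port on the right-hand side
# keeps the original destination port, so one rule covers both VNC ports.
rdr on $ext_if proto tcp from any to ($ext_if) port $vnc -> $antares

# the same redirect for LAN hosts: their packets enter on em0, which is why
# the rdr on re0 never saw them
rdr on $int_if proto tcp from $home_lan to ($ext_if) port $vnc -> $antares

# the gateway's own connections to the LAN must not be translated
no nat on $int_if proto tcp from $int_if to $home_lan

# rewrite the reflected connection's source to the gateway's LAN address.
# Without this, antares answers the LAN client directly and the client
# drops the reply, because it is talking to the public address and never
# connected to 192.168.212.2.
nat on $int_if proto tcp from $home_lan to $antares port $vnc -> $int_if

# filter rules see the destination *after* rdr has rewritten it
pass in on $ext_if inet proto tcp from any to $antares port $vnc flags S/SA keep state
pass in on $int_if inet proto tcp from $home_lan to $antares port $vnc keep state
```

Load it with `pfctl -f /etc/pf.conf` and check the redirects with `pfctl -s nat`. The FAQ also offers the cleaner alternative of split DNS, where the name LAN hosts use resolves to 192.168.212.2 directly, so no LAN traffic ever has to bounce off the gateway; either way, as SirDice says, the redirect itself is still best verified from outside.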

