# PacketFilter NAT & RDR



## slam2 (Apr 19, 2011)

Hello

I am posting this message here to ask for help with Packet Filter. Please forgive my deplorable English; our friend Google is all that lets me translate.

I am contacting you because I want to configure Packet Filter so that I can connect from an external IP address to a server that runs locally (it cannot run externally).

I have looked at NAT and RDR, but nothing has worked..

Here's my setup:

> Network:

```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:2a:de:51
        inet 192.168.1.85 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
```

> rc.conf


```
gateway_enable="YES"
ifconfig_em0="inet 192.168.1.85  netmask 255.255.255.0"
defaultrouter="192.168.1.1"
```

Thank you very much!

_PS: My local network runs on an address like: 192.168.1.x - 255.255.255.0_


----------



## DutchDaemon (Apr 19, 2011)

Post your current pf.conf.


----------



## slam2 (Apr 19, 2011)

My current pf.conf


```
# Inbound interface
etho = 'em0'
tcpflags = 'flags S/SAFR'

# Ports
pServer1   = '1102'
pServer2   = '1000'
pServer3   = '1001'

# Options
set block-policy return
set loginterface $etho
set skip on lo0
scrub in all

### Tables
table <http_abuse> persist
table <server_abuse> persist

rdr on $etho inet proto {tcp,udp} from any to any -> 192.168.1.85
nat on $etho inet proto {tcp,udp} from any to any -> $etho

# DROP - blacklisted IPs
block drop in quick on $etho proto tcp from { <http_abuse>, <server_abuse>} to any

### Rules
# Base rule && blocking
block all
block in quick from urpf-failed

# INPUT - configuration rules
pass in quick log on $etho inet proto tcp from any to $etho port ssh $tcpflags synproxy state
pass in quick log on $etho inet proto tcp from any to $etho port www $tcpflags synproxy state
pass in quick log on $etho inet proto tcp from any to $etho port {$pServer1,$pServer2,$pServer3} $tcpflags synproxy state

# OUTPUT - configuration rules
pass out quick on $etho inet proto tcp from $etho to any port domain modulate state
pass out quick on $etho inet proto tcp from $etho to any port www modulate state
pass out quick log on $etho inet proto tcp from $etho to any port {$pServer1,$pServer2,$pServer3} $tcpflags modulate state
```


----------



## slam2 (Apr 21, 2011)

I keep looking on my side; nothing works.. I am completely disoriented. Thank you for your help.


----------



## SirDice (Apr 21, 2011)

Your machine has a private IP address. That means you are probably behind a router that does the NAT for you. If you want to access a webserver for example from the internet you will have to forward ports on your router.


----------



## slam2 (Apr 21, 2011)

Hello,

Yes, I am behind a router, I agree; most of my ports are forwarded. The only problem is the game server application, which binds only to the network address of the machine. Among other things, someone outside the network can connect but cannot access the games, because the maps allow connections only from the class C address range, i.e. 192.168.1.x..

This is very problematic for a person from outside.. So: allowing, with NAT & RDR in PF, a connection via the external IP address to be switched to the internal one. And the same process in reverse, to map the game server to the external IP.

It is very complex, but I hope you understand the desired direction of PF rules put in place.

Thank you!


----------



## SirDice (Apr 21, 2011)

The issue isn't with FreeBSD but with the game and/or your router.


----------



## slam2 (Apr 21, 2011)

For the game server, if it is hosted on a dedicated server, the address range is such that all "Internet" connections can reach said game server.

If the game server is local, it uses the local address range, and it is not possible to connect to it from an external connection.

That is why I am looking for a way around the problem.


----------



## quintessence (Apr 28, 2011)

Hello,

As *SirDice* already wrote, your NAT & RDR rules have to be made on your router, not on the local PC where the game (game server) is.

For example, if you want to play "local games in network", you can use software like Garena or GameRanger (the better one) or others. There you can set custom ports which the software will use, and then on your router you have to make the RDR rules.

For example (RDR rules from my old pf.conf):


```
# garena
#rdr pass on $ext_if proto { tcp, udp } from any to $ext_if port 1513 -> $laptop

# game ranger
rdr pass on $ext_if proto udp from any to $ext_if port 16000 -> $laptop port 16000
```

This allows me to "host" a game on my laptop, to be a "master host" and play it via such software; people from the "internet" also have to have the software installed, but they do not need these RDRs if they are not playing as a "master host".
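A fuller version of the pattern quintessence describes, as an added example that is not from any poster's pf.conf: rules for a FreeBSD router in the pf syntax of this thread's era (separate nat/rdr section before the filter rules). The interface names, the LAN address of the router and the game ports are assumed values; the three "reflection" rules follow the pf FAQ so that LAN clients can also reach the server through the external address, which is the case slam2's class C restriction otherwise breaks.

```pf
# Assumed values (example only, not taken from the thread)
ext_if   = "em0"             # router interface facing the ISP
int_if   = "em1"             # router interface facing the LAN
int_net  = "192.168.1.0/24"
game_srv = "192.168.1.85"    # the LAN machine hosting the game server
game_ports = "{ 1000, 1001, 1102 }"   # assumed game ports

set skip on lo0
scrub in all

# Outbound NAT: LAN hosts leave with the router's external address
nat on $ext_if from $int_net to any -> ($ext_if)

# Inbound redirect from the Internet. Only the game ports are redirected,
# never "from any to any", so ssh/www to the router are not silently rerouted.
rdr pass on $ext_if proto { tcp, udp } from any to ($ext_if) port $game_ports -> $game_srv

# Reflection (pf FAQ "Redirection and Reflection"): a LAN client that connects
# to the external address is redirected too, and its source is rewritten to the
# router's LAN address so the server's replies return through the router
# instead of going straight back to the client and breaking the state.
rdr on $int_if proto { tcp, udp } from $int_net to ($ext_if) port $game_ports -> $game_srv
no nat on $int_if proto { tcp, udp } from $int_if to $int_net
nat on $int_if proto { tcp, udp } from $int_net to $game_srv port $game_ports -> ($int_if)

# Filter section: default deny, spoofed sources dropped, LAN and replies allowed.
# The "rdr pass" rule above already creates state for the redirected game traffic.
block all
block in quick from urpf-failed
pass out quick keep state
pass in quick on $int_if from $int_net to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s nat` shows the expanded rdr/nat rules.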


----------

