# Need help for pf NAT redirection



## hshh (Feb 22, 2012)

Hi,

I am using PF for NAT. There is an HTTPS server in the internal network, IP 172.16.0.250, and I need port forwarding so that any Internet user can access it.

With this pf rule:

```
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> 172.16.0.250
```

it only works for Internet users outside the NAT, not for internal users. Internal users inside the NAT fail to reach external IP:443, because DNS points to the external IP.

I Googled for a long time; it seems to be a pf NAT redirection problem, but I can't find any solution for FreeBSD. Any idea?

OS: FreeBSD 9.0-RELEASE

```
## pf.conf
ext_if="bce0"
int_if="bce3"
office="172.16/12"
no nat on $ext_if proto gre from any to any
nat on $ext_if inet from $office to any -> $ext_if
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> 172.16.0.250
pass all
```


----------



## SirDice (Feb 22, 2012)

You can't bounce packets out of the same interface they came in.

Simple solution? Split DNS. Use a local DNS with local addresses on your internal network.


----------



## kisscool-fr (Feb 22, 2012)

Like SirDice said, you can't connect to a server that is in the same network as your client via pf NAT.

There is some explanation here about this problem and some solutions. The cleanest is split DNS, but there are others that should do the job.


----------



## hshh (Feb 22, 2012)

kisscool-fr said:

> Like SirDice said, you can't connect to a server that is in the same network as your client via pf NAT.
> 
> There is some explanation here about this problem and some solutions. The cleanest is split DNS, but there are others that should do the job.



I have read that article; that's for OpenBSD, not FreeBSD. There is no rdr-to, received-on or nat-to syntax in FreeBSD's pf. The problem is also called NAT loopback; there is a solution for other firewalls, and I hope FreeBSD pf can do it too.


----------



## kisscool-fr (Feb 22, 2012)

Yeah, that's right. FreeBSD's pf syntax is old style. But ... 

You can add a line like this to your /etc/inetd.conf:


```
5000 stream tcp nowait proxy /usr/bin/nc nc -w 20 172.16.0.250 443
```

and start inetd. 

Then, at the end of your /etc/pf.conf, replace "pass all" with


```
rdr on $int_if from $int_if:network to ($ext_if) port 443 -> 127.0.0.1 port 5000
pass all
pass in quick on $int_if from $int_if:network to ($ext_if) port 443
```


If I'm not wrong, it should do the trick.


----------



## hshh (Feb 22, 2012)

Thanks kisscool-fr.
Following your tips, I have now solved this problem. I switched to net/portfwd so that inetd does not fork nc every time.


----------
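An added example, not from any of the posters: the rdr-plus-nat reflection construct from the OpenBSD PF FAQ, written in the old-style syntax that FreeBSD 9.0's pf accepts and filled in with hshh's interface names and server address. It avoids the inetd/nc proxy, but pf keeps two states per reflected connection and the server sees the firewall's internal address instead of the real client, which matters if the HTTPS server's logs are used to attribute internal access.

```pf
# Added example (not from the thread): NAT reflection without an inetd proxy,
# using the rdr + nat combination from the OpenBSD PF FAQ (pre-4.7 syntax).
# Variable names and addresses follow hshh's pf.conf above.
ext_if="bce0"
int_if="bce3"
office="172.16/12"
server="172.16.0.250"

no nat on $ext_if proto gre from any to any
nat on $ext_if inet from $office to any -> ($ext_if)

# Internet clients: unchanged from the original rule.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 443 -> $server

# Internal clients whose DNS answer is the external address:
# 1. redirect the connection as it arrives on the inside interface ...
rdr on $int_if inet proto tcp from $office to ($ext_if) port 443 -> $server
# 2. ... and, as it leaves $int_if toward the server, rewrite the client's
#    source address to the firewall's inside address, so the server replies
#    to the firewall (which reverses both translations) rather than straight
#    to the client, where the reply would bypass the rdr state.
#    The no nat line keeps the firewall's own connections out of this rule.
no nat on $int_if inet proto tcp from ($int_if) to $office
nat on $int_if inet proto tcp from $office to $server port 443 -> ($int_if)

pass all
```

Load it with pfctl -f /etc/pf.conf and check with pfctl -ss that an internal connection to the external address shows one rdr state on bce3 and one nat state toward 172.16.0.250.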

