# pf.conf rdr to internal interface



## hac3ru (Jan 28, 2013)

First of all: hello.

The requirement: I want to redirect all traffic from 172.23.15.0/24 to 172.23.1.1 for example. I tried

```
rdr on $int_if from 172.23.15.1/24 to any port 80 -> 172.23.1.1 port 80
```

but it doesn't work. I have read a bit about pf.conf and it seems that it cannot rdr on the same interface. What I am thinking now: an alias. Will using an alias as an interface work?

I am using an older version of FreeBSD (5.4). I know it's old and all that. I'm planning on upgrading to the latest FreeBSD version but I cannot afford to do that now because I am not allowed to bring the network down for a couple of hours.

So, thanks in advance and have a nice evening.


----------



## J65nko (Jan 28, 2013)

I am not well versed in pf archeology, but IIRC you still should pass or allow the redirected traffic. The redirection alone does not tell pf to allow or pass:


```
rdr pass on $int_if from 172.23.15.1/24 to any port 80 -> 172.23.1.1 port 80
```


----------



## hac3ru (Jan 28, 2013)

```
21:09:50.458177 IP 172.23.1.7.64570 > 172.23.1.1.80: S 3706285212:3706285212(0) win 8192 <mss 1460,nop,nop,sackOK>
21:09:50.458789 IP 172.23.1.7.64570 > 172.23.1.1.80: R 3706285213:3706285213(0) win 0
```
That's what I get on the redirected machine if I try to access it from mine. I tried with rdr PASS quick but it's still the same thing. As far as I can see, it seems that the redirection is being done but there's something else stopping me from accessing 172.23.1.1 (window size=0). If I try to access 1.1 directly from the web browser, it works. I have also tried

```
pass quick from 172.23.1.7 to 172.23.1.1
pass quick from 172.23.1.1 to 172.23.1.7
```
Not working.

TCPDUMP from 172.23.0.1

```
21:09:41.483146 IP 172.23.1.7.64570 > 172.23.0.1.8080: S 3706285212:3706285212(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
21:09:44.481232 IP 172.23.1.7.64570 > 172.23.0.1.8080: S 3706285212:3706285212(0) win 8192 <mss 1460,nop,wscale 2,nop,nop,sackOK>
21:09:50.483609 IP 172.23.1.7.64570 > 172.23.0.1.8080: S 3706285212:3706285212(0) win 8192 <mss 1460,nop,nop,sackOK>
```
So it seems that 0.1 receives the packets but won't redirect them properly.
Any other ideas?


----------



## J65nko (Jan 28, 2013)

The server replies with a TCP RESET on receiving the first packet of the 3 way TCP handshake (SYN flag only). In "normal" cases this means that there is no program/daemon LISTENing on that port.


Without more details, like the topology of your network and the output of the relevant ifconfig, netstat -rn -f inet and netstat -an -f inet commands, it is very difficult to diagnose what is going on.

*Which port?*
Which port is the server LISTENing on? Port 80 or 8080?


----------



## gkontos (Jan 28, 2013)

You do realize that the tcpdump examples are irrelevant to your original rule.


----------



## hac3ru (Jan 28, 2013)

J65nko said:
> The server replies with a TCP RESET on receiving the first packet of the 3 way TCP handshake (SYN flag only). In "normal" cases this means that there is no program/daemon LISTENing on the that port.
> 
> 
> Without more details, like the topology of your network, output of the relevant ifconfig, netstat -rn -f inet, netstat -an -f inet commands it is very difficult to diagnose what is going on.
> ...



The server is listening on port 80. Star topology... Anyways. If you know any other way of redirecting traffic from 172.23.15.1/24 to 172.23.1.1 I'm all for it.

As I said, if I try to access 172.23.1.1 directly it works. I can see the website correctly, so the apache service is running, on default port, 80...

If you need more details please tell me.


----------



## J65nko (Jan 28, 2013)

This is all I can figure out ....

```
webserver
                                     172.23.1.1/??
              |
              |
              |
+-------------|------------+
|      xxx.xxx.xxx.xxx/xx  | 
|                          |
|         FreeBSD 5.4      |
|           pf             |
|                          |
|        172.23.15.1/??    |
+-------------|------------+
              |
              |
              |
       +------|-----+
       |   switch   |
       +-|----------+ 
         |
         |
         |
         |
         |
         |
     workstation 
    172.23.1.7/??
```

Try to walk in our moccasins and fill in the missing details


----------



## hac3ru (Jan 28, 2013)

```
|      NET     |
               +--------------+
                      |
                      |
                      |
           +--------------------+
           |   FreeBSD Server   |
           |   IP:172.23.0.1    |
           +--------------------+
                       |
                       |
                       |
+---------------------------------------------------------+
|                    SWITCH                               |
|                                                         |
|                                                         |
|                                                         |
+--|------------|----------------|--------------|-------|-+
   |            |                |              |       |
   |            |                |              |       |
   |            |                |              |       |
{  |            |         WORKSTATIONS          |       |          }
{172.23.1.1/20 172.23.1.2/20  172.23.1.7/20   so on  172.23.15.254 }
{                                                                  }
```
172.23.1.1 is in network 172.23.0.0/20.
I want to redirect traffic from 172.23.15.0/24 to 172.23.1.1


----------



## gkontos (Jan 28, 2013)

hac3ru said:
> ```
> |      NET     |
> +--------------+
> |
> ...



172.23.0.0/20 consists of 172.23.0.0-172.23.15.255. If you are not separating them into different vlans then you cannot do that because they all belong to the same network.


----------



## hac3ru (Jan 28, 2013)

Ok then, I want to redirect 172.23.16.1/24 to 172.23.1.1... How can I do it?
Creating another subnet is not a problem.


----------



## redw0lfx (Jan 28, 2013)

Like gkontos stated. You need to either 1) separate the networks into vlans which are tied together by the firewall, 2) add specific route rules to the switch if it's a managed switch, or 3) add custom routing rules to your DHCP server to hand to the DHCP clients (if using DHCP). Apart from that, the switch will see 172.23.15.0/24 as belonging to network 172.23.0.0/20 and route directly to the destination host, bypassing any firewalls.


----------



## gkontos (Jan 29, 2013)

hac3ru said:
> Ok then, I want to redirect 172.23.16.1/24 to 172.23.1.1... How can I do it?
> Creating another subnet is not a problem.



Are you trying to force http traffic over a transparent proxy?


----------



## hac3ru (Jan 29, 2013)

Yes.
I just want it redirected....

What I want to do is get all workstations from 172.23.16.0/24 redirected to the main website, which contains information about the network, our business, and so on... That's why I need it.
I created another subnet (172.23.16.0/24 as I mentioned earlier) and now I guess I have to create a route from 172.23.16.0/24 to 172.23.0.0/20?

Latest Updates:

I created an alias with IP Address 172.23.16.1, mask 255.255.255.0
I added a static route to /etc/rc.conf 

```
route_internal="-inet 172.23.16.0/24 172.23.16.1"
```
I can access 172.23.0.0/20 for 10 minutes after I restart the FreeBSD Server. After that, it's all silenced. I can't even ping from FreeBSD (172.23.16.1 alias) to workstation (172.23.16.238)... Why is this happening?

Later Edit:
I cannot even ping 172.23.16.255 (broadcast address of the 2nd subnet). Not from the FreeBSD server nor the workstations... What's happening with it?
I created the 2nd subnet by editing dhcpd.conf

```
# dhcpd.conf statements end with a semicolon; the brace opens on the subnet line
subnet 172.23.16.0 netmask 255.255.255.0 {
    default-lease-time 600;
    option routers 172.23.16.1;
    option broadcast-address 172.23.16.255;
    option subnet-mask 255.255.255.0;
    option domain-name "internal_net";
    allow unknown-clients;
}
```


----------



## gkontos (Jan 29, 2013)

An alias must have /32 subnet mask.

The redirect should take place at the gateway. In your case it will lead to asymmetric routing because the machine you are trying to redirect to is aware of 172.23.0.0/20 thus it will reply back directly and not via the gateway.

A quick and dirty solution is to give that machine (webserver) an alias IP outside the scope of your network. That way you would force it to contact the gateway for all traffic. 


```
rdr pass on $int_if from 172.23.15.1/24 to any port 80 -> 192.168.0.1 port 80
```

Of course, you will need to add a static route to your gateway for 192.168.0.1

In any case, you should try implementing proper layer 3 switching because your network will be impossible to troubleshoot.


----------



## kisscool-fr (Jan 29, 2013)

There is one more possibility. It's dirty but it works.

You can find in the pf doc a section that explains how to redirect traffic with nc. Should do the trick.


----------



## hac3ru (Jan 29, 2013)

kisscool-fr said:

> There is one more possibility. It's dirty but it works.
> 
> You can find in the pf doc a section that explains how to redirect traffic with nc. Should do the trick.



NC? I read the pf help page but couldn't see anything useful... ?

Not working to create a virtual network - 192.168.0.0/30 - and routing traffic from 172.23.16.0/24 to 192.168.0.2 (Webserver)

And I just figured out a major mistake... It won't be enough to redirect traffic to my web server. I need people to see the index on my server when they try to access the web...


----------



## J65nko (Jan 29, 2013)

You can add a third NIC to your FreeBSD pf firewall box. Connect the web server to this NIC.  

Now you can redirect the traffic entering on the internal NIC to the web server. Now the return or answer packets from the web server will be sent out on the internal NIC back to your internal LAN.

That is how I would do it  

BTW this kind of setup is called a DMZ.


----------



## hac3ru (Jan 30, 2013)

J65nko said:
> You can add a third NIC to your FreeBSD pf firewall box. Connect the web server to this NIC.
> 
> Now you can redirect the traffic entering on the internal NIC to the web server. Now the return or answer packets from the web server will be sent out on the internal NIC back to your internal LAN.
> 
> ...



I thought about that and that's probably how I'll do it eventually. Still, I said that it doesn't hurt to ask about redirecting through the firewall instead of adding another NIC. If I add another NIC to the FreeBSD, I'll configure it with an internal IP (192.168.10.1 for example), connect the webserver to it, with IP (192.168.10.2 let's say) and write a rule into pf.conf

```
rdr on $int_if from 172.23.16.0/24 to any port 80 -> 192.168.10.2 port 80
```
and another rule to rdr the old ip of the webserver (172.23.1.1) because everyone knows about that, to 192.168.10.2 so if anyone tries to access the old ip, it'll get redirected to 192.168.10.2

```
rdr on $int_if from 172.23.0.0/20 to 172.23.1.1 port auto -> 192.168.10.2 port auto
```
I have an FTP server on that too, and more so I need to rdr from the IP's original port to 192.168.10.2 original port.
I got that right?
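The three-NIC (DMZ) layout J65nko proposes, with the two redirects asked about just above, written out as an added pf.conf example in the pre-4.7 `rdr ... ->` syntax that FreeBSD 5.4's pf uses; this is not configuration from the thread, and the interface names, the 192.168.10.0/24 DMZ addressing and the port list are assumptions.

```pf
# Added example, not from the thread: FreeBSD 5.4-era pf syntax for the
# three-NIC (DMZ) layout. Interface names and DMZ addressing are assumed.
int_if    = "fxp1"              # assumed: 172.23.0.1/20 plus 172.23.16.1/24 alias
dmz_if    = "fxp2"              # assumed: 192.168.10.1/24, web server only
web       = "192.168.10.2"      # web server's new address on the DMZ NIC
old_web   = "172.23.1.1"        # address users still have bookmarked
lan       = "{ 172.23.0.0/20, 172.23.16.0/24 }"
kiosk     = "172.23.16.0/24"    # hosts that must only ever reach the index page
web_ports = "{ 80, 21 }"        # HTTP plus FTP control; FTP data needs ftp-proxy(8)

# Translation rules run before filter rules and match on the inbound interface.
# 1. Every HTTP request from the kiosk subnet lands on the DMZ web server.
rdr on $int_if proto tcp from $kiosk to any port 80 -> $web port 80
# 2. The old address keeps working. With no "port" clause on either side the
#    original destination port is preserved, so 21 stays 21 and 80 stays 80.
#    The firewall must own 172.23.1.1 (alias on $int_if) so these packets
#    reach it at all; otherwise LAN hosts ARP for a host that is gone.
rdr on $int_if proto tcp from $lan to $old_web -> $web

# Filter rules see post-translation addresses. Default deny, then allow the
# redirected flows in on the LAN side and out on the DMZ side. The web
# server's replies match the state entry and travel back through the
# firewall, which removes the asymmetric path gkontos described.
block log all
pass in  on $int_if proto tcp from $lan to $web port $web_ports \
        flags S/SA keep state
pass out on $dmz_if proto tcp from $lan to $web port $web_ports \
        flags S/SA keep state
# Nothing on the DMZ may open connections towards the LAN; "quick" stops a
# later pass rule from loosening this by accident. Replies to established
# states are matched before the ruleset, so they are unaffected.
block in quick on $dmz_if from any to $lan
```

Management access to the firewall itself, loopback and outbound Internet rules are deliberately left out so the two redirects stay readable.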


----------



## gkontos (Jan 30, 2013)

Don't you think that it would be wiser to divide 3823 IPv4 addresses into smaller networks?

Don't you think that it would also be wiser to segregate those networks into zones?


1. Draw your network as it is now.
2. Plan your network as it should be: different divisions, outside / inside servers, VPN access points.
3. Get the necessary equipment and use LATEST stable OS versions.
4. Implement a vital and secure solution.

In your case, for a /20 network, I would not use less than 2 firewalls OR an internal switch with FW for distribution and an external FW.


----------



## kisscool-fr (Jan 30, 2013)

hac3ru said:
> NC? I read the pf help page but couldn't see anything useful... ?
> 
> Not working to create a virtual network - 192.168.0.0/30 - and routing traffic from 172.23.16.0/24 to 192.168.0.2 (Webserver)



NC is for netcat. There is a chapter in the pf documentation page for redirection and reflection.

http://www.openbsd.org/faq/pf/rdr.html#reflect



			
				hac3ru said:
			
		

> And I just figured out a major mistake... It won't be enough to redirect traffic to my web server. *I need people to see the index on my server when they try to access the web...*



And how are they supposed to access the web?

Do you have a proxy, do you have a captive portal?


----------



## hac3ru (Jan 30, 2013)

kisscool-fr said:
> NC is for netcat. There is a chapter in the pf documentation page for redirection and reflection.
> 
> http://www.openbsd.org/faq/pf/rdr.html#reflect
> 
> ...



Thank you for the link. // Edit: I have read that but, the server is running a very old FreeBSD version that doesn't support rdr-to and other solutions written in there...

They're not supposed to access the web. That's the idea. When they try to access the web, they see my page.

No, I don't have a proxy.


I will divide my network when I change the OS. I want to update it but atm I cannot shut it down for the 2 - 3 or more hours needed to install the new OS...


----------



## kisscool-fr (Jan 30, 2013)

hac3ru said:

> Thank you for the link. // Edit: I have read that but, the server is running a very old FreeBSD version that doesn't support rdr-to and other solutions written in there...
> 
> They're not supposed to access the web. That's the idea. When they try to access the web, they see my page.
> 
> ...



The documentation is for official OpenBSD pf. I posted the link just for the idea. You have to write pf rules according to your FreeBSD version. You can search the forum, the subject was already discussed here.


----------

