# Forwarding all traffic to specific IP



## Coha (Jul 13, 2016)

Hi,

I have a specific situation where I need to use BSD as a forwarder for all traffic.
I have a deployment where my device decrypts SSL traffic and then sends it to inline sandboxing, which then returns the traffic to the device. My problem is that I need to have a backup solution when the sandboxing device is offline.

So I was planning to use FreeBSD to receive all traffic from a specific device and return it to the same device.

The device that I am sending the traffic from is: F5 BIG-IP, IP: 192.168.3.2
FreeBSD device: 192.168.3.55

Script that I tried to implement:

```
match in on vio0 from 192.168.3.2 to any rdr-to 192.168.3.2
```
It does not work.
Any ideas?


----------



## SirDice (Jul 13, 2016)

You cannot "bounce" packets out the same interface they came in on.


```
Translation rules apply only to packets that pass through the specified
     interface, and if no interface is specified, translation is applied to
     packets on all interfaces.  For instance, redirecting port 80 on an
     external interface to an internal web server will only work for connec-
     tions originating from the outside.  Connections to the address of the
     external interface from local hosts will not be redirected, since such
     packets do not actually pass through the external interface.  Redirec-
     tions cannot reflect packets back through the interface they arrive on,
     they can only be redirected to hosts connected to different interfaces or
     to the firewall itself.
```
From pf.conf(5).


----------



## Coha (Jul 13, 2016)

So if I get it, I can add another interface in the internal network and specify that interface for forwarding the packets back?


----------



## SirDice (Jul 13, 2016)

Having two interfaces on the same network is going to cause other issues.


----------



## Coha (Jul 13, 2016)

So do you have an idea how to do this?


----------



## SirDice (Jul 13, 2016)

Some other solution, but without knowing your network and the traffic flows it's going to be difficult to suggest something. And I don't have much experience with the F5 load balancers, but it should be fairly easy to configure a failover address for this specific traffic. Let the F5 figure it out, it's what it does.


----------

