# firewall redirection to tap interface



## bbzz (May 27, 2013)

I'm running a virtual network connected to a tap0 interface (169.254.0.0/24). A virtual router running on dynamips is connected to 169.254.0.2. 

I am able to connect to it from the host server itself, even with different local IP addresses. What I can't do is redirect outside connections with pf to the tap0 interface.

tcpdump shows redirection to 169.254.0.2:22 ssh on the virtual router, but tcpdump running on tap0 doesn't show anything.

What am I missing?


----------



## kpa (May 27, 2013)

Avoid using the 169.254.0.0/16 netblock for anything like this; it is reserved for IPv4 link-local addresses, and addresses from that block may not work outside the intended application. Use a /24 address block out of 10.0.0.0/8, something like 10.x.y.0/24 where x and y are random numbers of your choice.


----------



## bbzz (May 28, 2013)

Thanks,

I'm pretty sure that's not the issue here; I've chosen that range purposely. The problem arises with pf redirection to the virtual interface, and it works with other firewalls.


----------



## _martin (May 30, 2013)

I too personally don't like it when somebody answers me with a question, so sorry for that.

But is there a specific reason why you use a tap device for that? Why don't you create a custom loopback interface on the host and connect all devices through that? If needed you can NAT on loN, or you can attach dynamips to a physical egress interface on the host.


----------

