# no route to host problem



## mrpsycho (Jul 24, 2013)

hello,

i have problem - i cant configure forwarding ports.

pf config you can see here: http://pastebin.com/xbKhLmVt
ifconfig and routing table: http://pastebin.com/HGRbqJr2

base config i took from calomel...
and here is the problem:
i'm triyng to open ssh port to devcenter host. 
if devcenter is at 192.168.0.0/24 or 192.168.1.0/24 - redirection won't work.
if devcenter is at 192.168.2.0/24 or 192.168.3.0/24 - redirection works.

and i don't understand why?

please help me understand this.

Hello,

I have problem. I can't configure port-forwarding. 

You can see the PF configuration here: http://pastebin.com/xbKhLmVt
`ifconfig` and the routing table: http://pastebin.com/HGRbqJr2

I took the base configuration from calomel and here is the problem. I'm trying to open the SSH port to a devcenter host. If the devcenter is at 192.168.0.0/24 or 192.168.1.0/24 the redirection won't work. If the devcenter is at 192.168.2.0/24 or 192.168.3.0/24 redirection works.

I don't understand why, so please help me understand this.


----------



## J65nko (Aug 1, 2013)

From you pastebin link:


```
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=82808<VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
        ether 00:0d:88:b5:be:a6
        inet 82.[color=blue]130.143[/color].32 netmask 0xffffff00 broadcast 82.[color=blue]140.109[/color].255
```
I do not understand how an 82.130.143.32 IP with a 255.255.255.0 netmask can result in a 82.140.109.255 broadcast address.

How does the vr0 interface get this IP address and netmask? How did you configure the vr0 interface in /etc/rc.conf?


----------



## SirDice (Aug 1, 2013)

```
rdr on {$ext, $int} inet proto tcp from any to any port 22 -> $devcenter
```
Translates to:

```
rdr on $int inet proto tcp from any to any port 22 -> $devcenter
rdr on $ext inet proto tcp from any to any port 22 -> $devcenter
```
The first tries to bounce traffic out the same interface it came in on. That's not going to work.

From pf.conf(5):

```
Redirections cannot reflect packets back through the interface they arrive on,
     they can only be redirected to hosts connected to different interfaces or
     to the firewall itself.
```


----------



## mrpsycho (Aug 6, 2013)

J65nko said:
			
		

> How does the vr0 interface get this IP address and netmask? How did you configure the vr0 interface in /etc/rc.conf?



Thank you for looking onto my problem, but it is not error. It is just fake IP to hide my real IP. 
In /etc/rc.conf basic network setup done correctly.


----------



## mrpsycho (Aug 6, 2013)

Thanks!

But now I'm trying to build as simple as possible redirect rule and it doesn't work. Here is my new configuration: http://pastebin.com/KFmh5LLh


----------



## mrpsycho (Aug 16, 2013)

Ok.

I'm continuing to research this problem. I made as simple a configuration as possible:

```
#######      macros
ext_if = "vr0".
int_if = "ale0".
localnet = $int_if:network
webserver = "192.168.0.46"
webports = "{ http, https }"
emailserver = "192.168.1.251"
email = "{ smtp, pop3, imap, imap3, imaps, pop3s }"
nameservers = "{ 192.0.2.221, 192.0.2.223 }"
# simple services
tcp_services = "{ ssh, smtp, domain, http, https }"
udp_services = "{ domain }"
#######      nat and forwards
rdr on $ext_if proto tcp from any to $ext_if port smtp -> $emailserver
rdr on $ext_if proto tcp from any to $ext_if port 22 -> 192.168.1.220 port 22
nat on $ext_if inet proto tcp from $emailserver port smtp to any -> $ext_if.
nat on $ext_if inet proto tcp from 192.168.1.220 port ssh to any -> $ext_if
#######      filtering
block all
pass in inet proto tcp to {$ext_if, $int_if} port { 10022 }
pass out inet from { lo0, $localnet } to any keep state
pass in on $int_if proto tcp from $emailserver to any port smtp
pass in log on $ext_if proto tcp from any to 192.168.1.220 port 22........
pass in on $ext_if proto tcp from any to $emailserver port smtp
```

and now I have the same issue: no route to host 

Please, tell me where I should look?


----------



## SirDice (Aug 16, 2013)

mrpsycho said:
			
		

> ```
> pass out inet from { lo0, $localnet } to any keep state
> ```


Don't allow traffic from lo0. Traffic with 127/8 as a source address should never leave the host. Instead use this:

```
set skip on lo0
```

The rule also translates to:

```
pass out inet from 192.168.0.0/24 to any keep state
```
Because traffic from the host itself will use the external IP address as the source address this rule will not allow traffic from the host itself to the Internet. Hence the "no route to host" messages.


----------



## mrpsycho (Aug 16, 2013)

I found my mistake: I was trying to set up two gateways, but my internal servers were using only one gateway.

Now I tested on one server with the new gateway and found the problem.


----------

