# Problem with redirect



## SacamantecaS (Sep 22, 2011)

Hello

I have a server connected to the public network (em0) and the internal network (em1). On this server I have created jails for different services: web server, DNS, etc. These jails have private IPs, bound to the internal interface. I try to redirect the traffic from the external IP to the internal IP of the jail, but I see no traffic in the jail. I do not understand what can go wrong, as I've tried many settings and I've even done the setup again, but it does not redirect traffic to the jail. Can anyone guide me?


```
srv02# sysctl -a | grep forward
kern.smp.forward_signal_enabled: 1
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 0
net.inet6.ip6.forwarding: 0
```

rc.conf

```
srv02# cat /etc/rc.conf
defaultrouter="188.X.X.X"
#static_routes="internal"
#route_internal="-net 10.0.0.0/8 10.0.10.1"

ifconfig_em0="inet 188.X.X.X netmask 255.255.255.0"
ifconfig_em0_alias0="inet 188.X.X.X netmask 255.255.255.0"

ifconfig_em1="inet 10.0.10.1 netmask 255.0.0.0"
ifconfig_em1_alias0="inet 10.21.1.1 netmask 255.0.0.0"
ifconfig_em1_alias0="inet 10.20.10.1 netmask 255.0.0.0"

cloned_interfaces="carp0"
ifconfig_carp0="vhid 1 pass foo advskew 10 188.X.X.22 netmask 255.255.255.0"

ipv6_enable="YES"
hostname="srv01.firw.local"
gateway_enable="YES"

sshd_enable="YES"
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
ezjail_enable="YES"
```

pf.conf

```
# Interfaces
extif="em0"
intif="em1"
carpo="carp0"
carp0_ip="188.X.X.22"

intnet="{ 10.0.0.0/8 }"
webserver="188.X.X.22"
table <privnets> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

icmp_types="echoreq"

set block-policy drop
set loginterface $extif
set skip on lo0

nat on $extif from $intif:network to any -> $extif

#HTTP, HTTPS
rdr on $extif proto {tcp, udp} from any to $webserver port {http, https} -> 10.20.10.1
rdr on $carpo proto {tcp, udp} from any to $webserver port {http, https} -> 10.20.10.1

block in log all
#pass quick on lo0 all
block in quick from urpf-failed
antispoof log quick for { $intif, $extif }

block drop quick on $extif from <privnets> to any
block drop quick on $extif from any to <privnets>

# WebServer jail HA
#pass in log on $extif inet proto tcp from any to $intif:network port { http, https } synproxy state
#pass out log on $intif inet proto tcp from any to $intif:network port { http, https } keep state
#pass in log on $extif inet proto tcp from any to $webserver port { http, https } synproxy state
#pass out log on $intif inet proto tcp from any to $extif port { http, https } keep state

pass in log on $extif proto { tcp, udp } from any to $intif:network port { http, https } flags S/SA synproxy state
pass in log on $carpo proto { tcp, udp } from any to $intif:network port { http, https } flags S/SA synproxy state
pass in log on $extif proto { tcp, udp } from any to $webserver port { http, https } flags S/SA synproxy state
pass in log on $carpo proto { tcp, udp } from any to $webserver port { http, https } flags S/SA synproxy state
pass in log on $intif proto { tcp, udp } from any to 10.20.10.1 port { http, https } flags S/SA synproxy state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in quick on $intif from $intif:network to any keep state
pass out quick on $intif from any to $intif:network keep state

pass out on $extif proto tcp all flags S/SA modulate state
pass out on $extif all keep state
```

Thanks!

Regards


----------



## DutchDaemon (Sep 22, 2011)

To start off:



> ```
> ifconfig_em0="inet 188.X.X.X netmask 255.255.255.0"
> ifconfig_em0_alias0="inet 188.X.X.X netmask 255.255.255.0"
> 
> ...
> ```




> ```
> ifconfig_em1="inet 10.0.10.1 netmask 255.0.0.0"
> ifconfig_em1_alias0="inet 10.21.1.1 netmask 255.0.0.0"
> 
> ...
> ```

----------



## SacamantecaS (Sep 26, 2011)

Hello

Yes, my provider has it divided into ranges of /24.

I realized that I had the alias repeated twice; even after fixing that, and doing the redirect properly, I do not know where to look :(. With tcpdump I see nothing in the pf log.

I thought it had to be a /8 range to have the largest number of networks; I just tried an online calculator and it returns:


```
Address:     	10.0.0.1        00001010. 00000000.00000000.00000001
Netmask: 	255.0.0.0 = 8 	11111111. 00000000.00000000.00000000
Wildcard: 	0.255.255.255 	00000000. 11111111.11111111.11111111
=>
Network:     	10.0.0.0/8      00001010. 00000000.00000000.00000000
HostMin: 	10.0.0.1 	00001010. 00000000.00000000.00000001
HostMax: 	10.255.255.254 	00001010. 11111111.11111111.11111110
Broadcast: 	10.255.255.255 	00001010. 11111111.11111111.11111111
Hosts/Net: 	16777214 	Class A, Private Internet
```

Thanks!

Regards


----------



## SacamantecaS (Sep 26, 2011)

Hi

Solved!

Change the rule:
*rdr on ....*
to
*rdr pass on ...*

Many times you have the bug in front of you and you cannot see it... Thanks!

Regards
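Why the `pass` keyword mattered, as an added pf.conf example that is not from the thread: pf applies `rdr` translation before the filter rules, so the filter sees the packet with its destination already rewritten to the jail address. The original post's `block drop quick on $extif from any to <privnets>` therefore matches the translated packet (10.20.10.1 is inside 10.0.0.0/8) and drops it before any `pass ... to $webserver` rule could match, whereas `rdr pass` passes matching packets without consulting the filter rules at all. The interface, address and table names are reused from the thread; `jail_web` is an assumed macro.

```pf
# Added example, not the original poster's file. Assumes the same layout as
# the thread: em0 public, em1 internal, web jail at 10.20.10.1 behind 188.X.X.22.
extif="em0"
intif="em1"
webserver="188.X.X.22"
jail_web="10.20.10.1"
table <privnets> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

nat on $extif from $intif:network to any -> $extif

# --- Original (broken): translation only ----------------------------------
# rdr rewrites dst 188.X.X.22 -> 10.20.10.1 before filtering. The filter then
# sees dst 10.20.10.1, so "to $webserver" never matches and the quick
# privnets block drops the packet.
#rdr on $extif proto tcp from any to $webserver port { http, https } -> $jail_web
#block drop quick on $extif from any to <privnets>
#pass in on $extif proto tcp from any to $webserver port { http, https } flags S/SA synproxy state

# --- Fix 1 (what the thread ended up with): rdr pass ----------------------
# Matching packets are passed immediately; later "block quick" rules are
# never consulted for them.
rdr pass on $extif proto tcp from any to $webserver port { http, https } -> $jail_web

# --- Fix 2 (explicit): filter on the translated address --------------------
# Keep a plain rdr and write the pass rule against what the filter actually
# sees (the jail IP), ordered before the privnets block. Commented out here
# so the file carries only one active fix.
#rdr on $extif proto tcp from any to $webserver port { http, https } -> $jail_web
#pass in quick on $extif proto tcp from any to $jail_web port { http, https } flags S/SA synproxy state

block drop quick on $extif from any to <privnets>
block in log all

pass in quick on $intif from $intif:network to any keep state
pass out quick on $intif from any to $intif:network keep state
pass out on $extif all keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `tcpdump -n -e -ttt -i pflog0` shows which rule blocks a redirected packet if the translated destination is still being dropped.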


----------

