On 2015-08-19, Sonic <[email protected]> wrote:
> On Fri, Aug 14, 2015 at 3:20 AM, Stuart Henderson <[email protected]>
> wrote:
>> Config for this would be fairly similar to this example:
>> http://www.openbsd.org/faq/pf/rdr.html#rdrnat
>
> I'm guessing you mean this example (?).
>==========================================
> With an additional NAT rule on the internal interface, the lacking
> source address translation described above can be achieved.
>
> pass in on $int_if proto tcp from $int_net to $ext_if port 80 \
>     rdr-to $server
> pass out on $int_if proto tcp to $server port 80 \
>     received-on $int_if nat-to $int_if
>==========================================

Yes.

> I've tried a few different twists on it but without success so far. As
> I'm coming in from the outside and need to appear that I'm inside. As
> it's written "This construct is rather complex".

It's not *that* complex. It may be easier with tag rather than received-on
and if there's any confusion about rule ordering it may be easier to use
'quick' and place them at the top of the ruleset.

pass in quick proto tcp to $ext_if port 1234 rdr-to $server port 80 tag natrdr
pass out quick tagged natrdr nat-to $int_if

If it doesn't work, add logging - "match log(matches) ..." in conjunction
with monitoring pflog0 with tcpdump is very useful - and use tcpdump on the
various interfaces to check that IP addresses are as you expect.
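The two tagged rules above only make sense inside a full ruleset, so here is a complete pf.conf skeleton built around them. This is an added example, not part of the thread and not from the OpenBSD FAQ; the interface names, the internal network and the server address are assumptions chosen for illustration. It also carries the debugging aid from the reply (a match rule with log(matches)) as a commented-out line, so it can be enabled without touching the working rules.

```pf
# Added example (not from the original thread). Macros below are assumptions.
ext_if  = "em0"              # assumed external interface
int_if  = "em1"              # assumed internal interface
int_net = "192.168.1.0/24"   # assumed internal network
server  = "192.168.1.20"     # assumed internal web server

set skip on lo
block log all                # default deny; dropped packets go to pflog0

# Debugging (from the reply): log every rule a packet matches, then watch
# with "tcpdump -n -e -ttt -i pflog0". Leave commented out in production.
# match log(matches) proto tcp from any to any port { 80, 1234 }

# Step 1: a client on the outside connects to $ext_if:1234. The packet is
# redirected to the internal server's port 80 and tagged so the matching
# outbound rule can find it. 'quick' stops evaluation here, so placement
# relative to later rules does not matter.
pass in quick on $ext_if proto tcp to $ext_if port 1234 \
    rdr-to $server port 80 tag natrdr

# Step 2: as the redirected packet leaves on the inside, rewrite its source
# to $int_if. Without this the server would answer the client's public
# address directly, bypassing the firewall's state and reverse translation.
# pf keeps state, so replies are un-NATed and un-redirected automatically.
pass out quick on $int_if tagged natrdr nat-to $int_if

# Ordinary traffic from the internal network.
pass in  on $int_if inet from $int_net to any
pass out on $ext_if inet from $int_net to any
```

Check the syntax without loading it using "pfctl -nf /etc/pf.conf", then confirm the translations with "pfctl -ss" (the state entry should show both the rdr-to and nat-to addresses) and with tcpdump on $int_if, where the packets toward $server should carry $int_if as their source.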

