Your problem, as I stated off list, is that you are rdr'ing to and from hosts on the same subnet. These are all 10.10/16 addresses. 10.10.100.254 is an address on the firewall.

Here's what's happening:

10.10.0.135.4552 -> 10.10.100.254.81

which gets switched to

10.10.0.135.4552 -> 10.10.0.2.81

Then 0.2 replies directly back to 0.135 because it's local, skipping your firewall:

10.10.0.2.81 -> 10.10.0.135.4552

This is bypassing your firewall and messing you up. 0.135 knows nothing about this 0.2 guy. It didn't connect to him. It's looking for a reply from 100.254.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ricardo Augusto de Souza
> Sent: Tuesday, September 23, 2008 3:40 PM
> To: [email protected]
> Subject: RES: PF cannot RDR connections
>
> No one can help me on this?
> I have just one hour to finish this 'job'.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ricardo Augusto de Souza
> Sent: Tuesday, September 23, 2008 16:21
> To: [email protected]
> Subject: RES: PF cannot RDR connections
>
> I am lost.
> NAT is working but I can't do any single rdr.
> Any clue?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ricardo Augusto de Souza
> Sent: Tuesday, September 23, 2008 13:31
> To: [email protected]
> Subject: RES: PF cannot RDR connections
>
> I was monitoring tcpdump -i xl0, disabled pf, and tried to access
> http://10.10.100.254:81 and I saw this:
>
> 13:30:38.976708 10.10.100.254.81 > 10.10.0.135.2321: R 0:0(0) ack 1 win 0 (DF)
> 13:30:40.007811 802.1d RSTP config flags=7c<LEARNING,FORWARDING,AGREED> role=DESIGNATED root=8000.0:f:cb:56:80:a0 rootcost=20004 bridge=8000.0:1e:c1:27:b0:80 port=9 ifcost=128 age=2/0 max=20/0 hello=2/0 fwdelay=15/0
>
> 13:32:20.254337 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 2046899144 win 0 (DF)
> 13:32:20.699272 10.10.0.135.2331 > 10.10.100.254.81: S 2046899143:2046899143(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
> 13:32:20.699297 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 1 win 0 (DF)
> 13:32:21.181005 10.10.100.254 > 10.10.0.135: icmp: echo reply
> 13:32:21.202344 10.10.0.135.2331 > 10.10.100.254.81: S 2046899143:2046899143(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
> 13:32:21.202368 10.10.100.254.81 > 10.10.0.135.2331: R 0:0(0) ack 1 win 0 (DF)
>
> Now I turn pf on and I got this:
> # tcpdump -i xl0|grep 81
> tcpdump: listening on xl0, link-type EN10MB
> 13:34:44.554439 10.10.0.135.2378 > 10.10.100.254.81: S 3759662737:3759662737(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
> 13:34:47.497787 10.10.0.135.2378 > 10.10.100.254.81: S 3759662737:3759662737(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
> 13:34:49.816656 10.10.0.48.netbios-ns > 10.10.255.255.netbios-ns: udp 50
> 13:34:52.226812 10.10.100.254 > 10.10.0.135: icmp: echo reply
> 13:34:53.434122 10.10.0.135.2378 > 10.10.100.254.81: S 3759662737:3759662737(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
>
> Help me please folks, I need this rdr working TODAY.
>
> Thanks in advance!
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ricardo Augusto de Souza
> Sent: Tuesday, September 23, 2008 11:30
> To: [email protected]
> Subject: PF cannot RDR connections
>
> I used to do this easily but it's failing now.
>
> xl0 = 10.10.100.254
> xl1 = internet
>
> This is my /etc/pf.conf
>
> # external interface WAN
> ext_if="xl1"
> # internal interface LAN
> int_if="xl0"
> #set skip on lo
> #scrub in
> rdr on xl1 proto tcp from any to xl1 port 8101 -> 10.10.100.21 port 8101
> rdr on xl0 proto tcp from any to 10.10.100.254 port 81 -> 10.10.0.2 port 80
> #
> # NAT
> #
> #nat on $ext_if from !($ext_if) -> ($ext_if:0)
> nat on $ext_if from 10.10.0.0/16 -> $ext_if
> pass in all
> pass out all
> #pass quick on $int_if no state
> #antispoof quick for { lo $int_if }
>
> Note:
>
> I can access http://10.10.0.2
> It fails when I try to access http://10.10.100.254:81
> What's wrong folks?
>
> # pfctl -sn
> nat on xl1 inet from 10.10.0.0/16 to any -> 200.162.41.34
> rdr on xl1 inet proto tcp from any to 200.162.41.34 port = 8101 -> 10.10.100.21 port 8101
> rdr on xl0 inet proto tcp from any to 10.10.100.254 port = 81 -> 10.10.0.2 port 80
> #
>
> # dmesg
> OpenBSD 4.3 (CMT) #1: Mon Sep 22 15:25:18 BRT 2008
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/CMT
> cpu0: Intel(R) Pentium(R) 4 CPU 2.13GHz ("GenuineIntel" 686-class) 2.13 GHz
> cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,CNXT-ID,CX16,xTPR
> real mem = 1072697344 (1023MB)
> avail mem = 1033314304 (985MB)
> mainbus0 at root
> bios0 at mainbus0: AT/286+ BIOS, date 06/16/05, BIOS32 rev. 0 @ 0xfd5b6, SMBIOS rev.
> #
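As an added example (not from the reply's author or from the original poster's configuration): the usual pf fix for this layout is to source-NAT the redirected connection on the internal interface as well, so 10.10.0.2 sees it coming from the firewall's own address and sends its replies back through xl0 instead of straight to the client on the shared subnet. The addresses are the ones from the thread; the macro names int_net and web_srv are assumptions.

```conf
# Added example pf.conf fragment for the OpenBSD 4.3 ruleset in the thread.
# int_net and web_srv are assumed macro names; the addresses are from the thread.
int_if="xl0"
int_net="10.10.0.0/16"
web_srv="10.10.0.2"

# Inbound on xl0: rewrite the destination to the web server (same as the
# original rdr rule, just using the macros).
rdr on $int_if proto tcp from $int_net to 10.10.100.254 port 81 -> $web_srv port 80

# Outbound on xl0 toward the server: also rewrite the source to the firewall's
# xl0 address. The server then answers 10.10.100.254, which is on the
# firewall, so the reply traverses pf and is un-NATed back to the client.
# Without this rule the client receives a reply from 10.10.0.2 for a
# connection it opened to 10.10.100.254 and discards it (the RSTs and
# repeated SYNs in the tcpdump above).
nat on $int_if proto tcp from $int_net to $web_srv port 80 -> $int_if
```

One side effect to be aware of: the web server's logs will show 10.10.100.254, not the real client address, for connections that arrive through the redirect.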

