[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

OBSD 3.1 NAT configuration question

I have my firewall setup as follows: internal net <-> dc1 <-> dc0 <-> external wildspace/internet

Up until now, I've just had a simple rule set for NAT:

nat on dc0 from to any -> dc0

Now, however, I want to map certain udp ports on the external interface dc0 
to go to a specific machine behind the firewall. For this example, the 
ports will be 7500 through 7800, and 22000, and the target machine is

I've tried using rdr to get this working, but the traffic doesn't seem to 
be making it. Part of the problem seems to be that the client software 
involved (a commercial app) seems to be sending udp packets back to the 
target machine on the udp port that it contacted the remote server with. In 
other words, the remote server is sending packets back to port 58000 on the 
firewall because the outgoing NAT port was 58000, instead of the specified 
port 22000. (According to the specs, it should be communicating on port 
22000 instead of a floating port.)

I thought that this might be because of my pf rules, which have a keep 
state for outgoing udp packets. So I dropped udp out of the outgoing keep 
state picture, but I still see incoming packets from the remote server on 
whatever external udp port was used to contact the remote server.

So what I'm wondering is if my internal NAT config line ("nat on dc0 from to any -> dc0") is essentially competing with the rdr lines 
("rdr on dc0 proto udp from any to dc0 port 7500:7800 -> port 
7500:*" and "rdr on dc0 proto udp from any to dc0 port 22000 -> port 22000"). Perhaps packets are never getting as far as the 
rdr lines?

In another attempt to get this working, I've also tried to use binat, but I 
have only gotten syntax errors from pfctl complaining about the binat line 
(which I've copied almost verbatim from the nat.conf man page).

Any thoughts? Thanks.