Hi Jinge,

Nice that you have it working with ipfw.

I have no hands-on experience with FreeBSD 9 and those divert-to rules. Reading their explanation led me to expect it should be able to work, and resolve the issue of needing two firewalls, pf & ipfw, simultaneously.

As Joris also writes, you should probably not redirect all traffic that flows from any-to-any, but only what was originally already going to the proper destination port, so any-to-any 2222.

So possibly something like this: pass in quick on vlan64 inet proto tcp from any to any port 2222 divert-to port 2222

If this can actually work, I currently do not know.. My only FreeBSD 9 pf knowledge is from reading its manual..... So can't help with that.
If you do manage to get the divert-to working please do share it with us.

Greets PiBa-NL

On 12-7-2013 7:37, jinge wrote:
Hi PiBa-NL,

I just followed your advice and found my pf configuration is not correct

rdr on vlan64 proto tcp from any to any -> port 2222

And I changed to ipfw and fwd, then it works correctly.

ipfw add fwd,2222 tcp from any to any via vlan64 in

And you told me I can use pf's divert-to, but after a test I found it doesn't work. Here is the configuration

pass in quick on vlan64 inet proto tcp from any to any divert-to port 2222

So can you tell me the right configuration?
Thank you.


On 2013-7-11, at 12:07 PM, jinge <altman87...@gmail.com> wrote:

Hi PiBa-NL,

Thanks for your reply!
And I will follow your advice!


On 2013-7-10, at 4:25 AM, PiBa-NL <piba.nl....@gmail.com> wrote:

Hi Jinge,

I'm not exactly sure how this is supposed to work.. did manage to get transparent proxy for the server side working.. (the server is presented with a connection from the original client ip.) This works with haproxy 1.5dev19 on FreeBSD 8.3 with the help of some ipfw fwd rules..

Your config also seems to be working (used some parts thereof to test..)

Did require the following ipfw rule for me..:
    ipfw add 90 fwd localhost tcp from any to any 2222 in recv em1
Actually on pfSense it also needs "-x haproxy" as it is a bit customized.. And because I run 'ipfw' combined with 'pf' I also needed to configure pf with floating 'pass on match' rules to allow the 'strange traffic'.. that pf cannot handle..

If you however have FreeBSD 9 you might want to look into the divert-to rules that pf can make. Might make stuff simpler if it turns out to work..

Please report back your required settings (&config if it changes) when you manage to get it working.

Greetings PiBa-NL

On 9-7-2013 12:55, jinge wrote:

We use haproxy and FreeBSD for our cache system. And we want to use the transparent option http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-option%20transparent which is for some compatibility things.
But found it doesn't work. Here is the configuration which worked in Ubuntu.

frontend tcp-in
        bind :2222
        mode tcp
        log global
        option tcplog

        #distinguish HTTP and non-HTTP
        tcp-request inspect-delay 30s
        tcp-request content accept if HTTP

        default_backend Direct

backend Direct
        mode tcp
        log global
        option tcplog
        no option httpclose
        no option http-server-close
        no option accept-invalid-http-response
        option transparent

Can anyone tell me if FreeBSD cannot support transparent here, or if my configuration is not correct? And how to make transparent work right.


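The recurring point in this thread is scope: a redirect rule written as "from any to any" with no destination port sends every TCP connection crossing the interface into haproxy, while the rules that worked (PiBa-NL's ipfw fwd with "2222 in recv em1", and the suggested pf divert-to with "port 2222") only catch traffic that was already headed for the proxy port. The script below is an added example, not code from the thread or from the haproxy or FreeBSD projects; it is a heuristic linter that reads pf rdr/divert-to rules and ipfw fwd rules, extracts the from/to clause, and flags any redirect that carries no destination port. The rule strings are taken from the messages above plus one constructed non-redirect rule; the regexes only understand the simple "from X to Y [port N]" form used here, not pf tables or brace lists.

```python
"""Lint pf and ipfw redirect rules for the over-broad any-to-any pattern."""
import re
from dataclasses import dataclass
from typing import List, Optional

# pf: "... from any to any port 2222 divert-to port 2222"
# The optional "port N" must directly follow the destination, so the
# "port 2222" that belongs to "divert-to" or "-> port" is not mistaken
# for a destination-port filter.
PF_RE = re.compile(
    r"\bfrom\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>\S+))?"
)
# ipfw: "... tcp from any to any 2222 in recv em1"
# Ports follow the address directly and are numeric (ranges/lists allowed).
IPFW_RE = re.compile(
    r"\bfrom\s+(?P<src>\S+)(?:\s+(?P<sport>\d[\d,\-]*))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d[\d,\-]*))?"
)


@dataclass
class Finding:
    rule: str
    kind: str      # "pf" or "ipfw"
    broad: bool    # True when the redirect has no destination-port scope
    reason: str


def classify(rule: str) -> Optional[str]:
    """Return "pf" / "ipfw" for redirect rules, None for anything else."""
    toks = rule.split()
    if not toks:
        return None
    if toks[0] == "ipfw":
        # Accept "fwd" and the "fwd,<port>" spelling seen in the thread.
        if any(t == "fwd" or t.startswith("fwd,") for t in toks):
            return "ipfw"
        return None
    if toks[0] == "rdr" or "divert-to" in toks:
        return "pf"
    return None   # plain pass/block rules are not redirects


def lint_rule(rule: str) -> Optional[Finding]:
    """Classify one rule and decide whether its redirect scope is too broad."""
    kind = classify(rule)
    if kind is None:
        return None
    m = (PF_RE if kind == "pf" else IPFW_RE).search(rule)
    if not m:
        return Finding(rule, kind, True, "no from/to clause found; treat as broad")
    dport = m.group("dport")
    if dport is None:
        return Finding(
            rule, kind, True,
            f"destination '{m.group('dst')}' has no port: every TCP "
            "connection through the interface gets redirected",
        )
    return Finding(rule, kind, False, f"scoped to destination port {dport}")


def lint(rules: List[str]) -> List[Finding]:
    """Lint a list of rules, skipping non-redirect rules."""
    out = []
    for r in rules:
        f = lint_rule(r)
        if f is not None:
            out.append(f)
    return out


# Constructed sample: the rules quoted in the thread plus one ordinary
# pass rule (last line) that must be ignored because it redirects nothing.
RULES = [
    "rdr on vlan64 proto tcp from any to any -> port 2222",
    "pass in quick on vlan64 inet proto tcp from any to any divert-to port 2222",
    "pass in quick on vlan64 inet proto tcp from any to any port 2222 divert-to port 2222",
    "ipfw add fwd,2222 tcp from any to any via vlan64 in",
    "ipfw add 90 fwd localhost tcp from any to any 2222 in recv em1",
    "pass in on em0 proto tcp from any to any port 22",
]

if __name__ == "__main__":
    for f in lint(RULES):
        flag = "BROAD " if f.broad else "ok    "
        print(f"{flag}[{f.kind}] {f.rule}\n        {f.reason}")
```

Running it reports the rdr rule, the first divert-to rule and the "fwd,2222 ... via vlan64" rule as broad, and the two port-scoped rules as ok; the plain pass rule produces no finding. The check is deliberately a lint, not a policy engine: a rule it marks broad may still be what an operator wants on a dedicated proxy interface, but on a shared VLAN it is the difference between proxying port 2222 and proxying everything.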
