Thanks for your reply. It still does not work. I can't see any data leaving the mirror to the server.

Nothing is blocked in pflog0 and tcpdump does not show any connections to 74.125.43.99. This is my pf.conf:

---- [snipp]----
# Macro
admin= "{ xxx xxx }"
ext_if= "{ vic0 }"
client= "{ 10.10.15.30 }"
mirror= "{ 10.40.20.5 }"
server= "{ 74.125.43.99 }"

# Rules
block in log
pass quick on lo0
pass out keep state
pass in from $client to $mirror rdr-to $server tag mirrored
pass out tagged mirrored nat-to $mirror
block in log inet proto icmp to self icmp-type redir
pass in inet proto icmp from $admin to self
pass in proto tcp from $admin to self port ssh
---- [/snipp]----

74.125.43.99 is an ordinary Google server for search that I'm using for my test. I'm trying to use http and targeting mirror from a browser. I should see outgoing connections from mirror to server but there is only data between client and mirror. This is a short tcpdump of a http request:

# tcpdump -n not port ssh
tcpdump: listening on vic0, link-type EN10MB
10:49:09.509062 10.10.15.30.44142 > 10.40.20.5.80: S 341929812:341929812(0) win 64240 <mss 1380,sackOK,timestamp 83797170 0,nop,wscale 3> [tos 0x88]
10:49:16.307710 10.10.15.30.44142 > 10.40.20.5.80: S 341929812:341929812(0) win 64240 <mss 1380,sackOK,timestamp 83797770 0,nop,wscale 3> [tos 0x88]
10:49:28.269764 10.10.15.30.43624 > 10.40.20.5.80: S 677212245:677212245(0) win 64240 <mss 1380,sackOK,timestamp 83799022 0,nop,wscale 3> [tos 0x88]
10:49:31.003629 10.10.15.30.43624 > 10.40.20.5.80: S 677212245:677212245(0) win 64240 <mss 1380,sackOK,timestamp 83799322 0,nop,wscale 3> [tos 0x88]

There is nothing being blocked in pflog0 at the same time. These are the running pf rules:

# pfctl -srules
block drop in log all
pass quick on lo0 all flags S/SA keep state
pass out all flags S/SA keep state
pass in inet from 10.10.15.30 to 10.40.20.5 flags S/SA keep state tag mirrored rdr-to 74.125.43.99
pass out inet all flags S/SA keep state tagged mirrored nat-to 10.40.20.5
block drop in log inet proto icmp from any to 127.0.0.1 icmp-type redir
block drop in log inet proto icmp from any to 10.40.20.5 icmp-type redir
pass in inet proto icmp from xx to 127.0.0.1 keep state
pass in inet proto icmp from xx to 10.40.20.5 keep state
pass in inet proto icmp from xx to 127.0.0.1 keep state
pass in inet proto icmp from xx to 10.40.20.5 keep state
pass in inet proto tcp from xx to 127.0.0.1 port = ssh flags S/SA keep state
pass in inet proto tcp from xx to 10.40.20.5 port = ssh flags S/SA keep state
pass in inet proto tcp from xx to 127.0.0.1 port = ssh flags S/SA keep state
pass in inet proto tcp from xx to 10.40.20.5 port = ssh flags S/SA keep state

Thanks for trying to help me.

Best regards

2011/4/8 Stuart Henderson <s...@spacehopper.org>:
> On 2011-04-07, rancor <theran...@gmail.com> wrote:
>> I want to reflect all IP from a client to a server via another machine
>> called mirror. client and server can't access each other and there is
>> nothing I can do about that. However the mirror can access both
>> client and server so I want all traffic from client to mirror be
>> reflected to server and all responses from the server should be
>> reflected back to the client via the mirror.
>
> this is probably the simplest way:
>
> pass in from $client to $mirror rdr-to $server tag mirrored
> pass out tagged mirrored nat-to $mirror
>
> if someone has time to write this up for www/faq/pf/rdr.html,
> please send me a diff.
>
> also related: binat-to (*without* setting the interface) also
> happens to put rules in place which allow you to connect from a
> client in the same subnet as the server. (credit to phessler for
> this tip).
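As an added example (not code from the thread), a Python check over tcpdump output of the kind posted above: it counts SYNs between the client, mirror and server addresses from the pf.conf macros and reports whether the redirected connection ever leaves the mirror. The capture lines are constructed; the note that a rdr-to to a non-local address needs packet forwarding enabled on the mirror is standard pf behaviour, not something the thread states.

```python
import re
from collections import Counter

# Thread addresses (from the posted pf.conf macros).
CLIENT, MIRROR, SERVER = "10.10.15.30", "10.40.20.5", "74.125.43.99"

# One tcpdump -n TCP line as printed in the thread: time, src.port > dst.port: flags ...
TCP_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+:\s+(?P<flags>\S+)"
)

def syn_flows(lines):
    """Count SYN segments (flags field 'S') per (src_ip, dst_ip) pair."""
    flows = Counter()
    for line in lines:
        m = TCP_LINE.match(line.strip())
        if m and m.group("flags") == "S":
            flows[(m.group("src"), m.group("dst"))] += 1
    return flows

def diagnose(lines, client=CLIENT, mirror=MIRROR, server=SERVER):
    """Classify a capture taken on the mirror's interface.
    tcpdump sees inbound packets before pf translates them, so the client's
    SYN still shows $mirror as destination; outbound packets are seen after
    translation, so a working redirect shows a SYN from $mirror to $server.
    """
    flows = syn_flows(lines)
    if flows[(client, mirror)] == 0:
        return "no-client-traffic"       # nothing reached the mirror at all
    if flows[(mirror, server)] == 0:
        # rdr-to rewrote the destination to a non-local address; the mirror
        # must forward such packets (net.inet.ip.forwarding=1) or they are dropped.
        return "redirect-not-forwarded"
    return "reflection-working"

# Constructed captures (not from the thread): the first reproduces the posted symptom.
BROKEN = [
    "10:49:09.509062 10.10.15.30.44142 > 10.40.20.5.80: S 341929812:341929812(0) win 64240 [tos 0x88]",
    "10:49:16.307710 10.10.15.30.44142 > 10.40.20.5.80: S 341929812:341929812(0) win 64240 [tos 0x88]",
]
WORKING = BROKEN[:1] + [
    "10:49:09.509400 10.40.20.5.51234 > 74.125.43.99.80: S 900000001:900000001(0) win 16384",
    "10:49:09.530000 74.125.43.99.80 > 10.40.20.5.51234: S 777:777(0) ack 900000002 win 5840",
]

if __name__ == "__main__":
    print(diagnose(BROKEN), diagnose(WORKING))
```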