Hi all,
I'm a bit stuck with the following setup.
OpenBSD 4.2
4 NICs
lan_if = 192.168.1.1 -> LAN
up1_if = 192.168.0.1 -> Router (internet uplink 1)
up2_if = -> PPPoE Modem (internet uplink 2)
dmz_if = 10.0.0.1 -> DMZ (containing just one machine, 10.0.0.2)
What I've got - and is working - is a setup where the LAN connects
with NAT through uplink 1 and the single machine in the DMZ
connects with NAT through uplink 2.
(pf.conf is below)
What I failed to get working is a rdr rule that port forwards incoming
traffic on up2_if port 80 to the machine in the DMZ (10.0.0.2).
I've tried:
rdr pass on $up2_if proto tcp from any to any port 80 -> 10.0.0.2
(I've also added a pass rule apart instead the pass shortcut in rdr,
still no success)
tcpdumping shows the traffic gets to 10.0.0.2 and even returns to dmz_if,
but then gets lost, so that accessing up2_if port 80 from the outside
would just time out.
I guess the combination of rdr with my natting and route-to is a little
more complicated than just the simple rdr line (as given in the
examples)?
Any ideas?
Tia :)
Chris.
------------------
>8---------------------------------------------------------------------
lan_if = "vr0"
up1_if = "vr1"
up2_if = "pppoe0"
dmz_if = "vr3"
lan = "192.168.1.0/24"
dmz = "10.0.0.0/24"
up2_ip = "195.254.232.39"
set block-policy return
set skip on lo
# MTU for PPPoE
scrub out on $up2_if max-mss 1440
scrub in
# NAT $lan through $up1_if and $dmz through $up2_if
nat on $up1_if from $lan to any -> ($up1_if)
nat on $up2_if from $dmz to any -> ($up2_if)
# default policy: allow all outgoing
pass out
# default policy: deny all incoming
block in
# antispoof private networks
antispoof quick for { lo $lan_if $dmz_if }
# allow all incoming pings from any to any
pass in inet proto icmp from any to any icmp-type echoreq
# immediately allow all incoming from lan
pass in quick on $lan_if
# immediately allow all incoming from dmz, routing it to $up2_if
pass in quick on $dmz_if route-to ($up2_if $up2_ip) from any to any
------------------
>8---------------------------------------------------------------------
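Added example, not part of Chris's post: the same four-interface ruleset, with the port forward split into a plain rdr and an explicit pass rule that carries reply-to. The symptom in the post (replies reach dmz_if and then vanish) is the classic multi-uplink case: the reply from 10.0.0.2 matches the state created on pppoe0, so the `pass in quick on $dmz_if route-to ...` rule is never consulted and the reply follows the routing table's default route out uplink 1 with a source address that belongs to uplink 2. reply-to pins the return path of that state to pppoe0. The example reuses the `($up2_if $up2_ip)` pair the post already uses with route-to, and `web_srv` is a variable name introduced here. Nothing else in the policy changes.

```pf
lan_if = "vr0"
up1_if = "vr1"
up2_if = "pppoe0"
dmz_if = "vr3"
lan = "192.168.1.0/24"
dmz = "10.0.0.0/24"
up2_ip = "195.254.232.39"
# name introduced for this example: the single DMZ host from the post
web_srv = "10.0.0.2"

set block-policy return
set skip on lo

# MTU for PPPoE
scrub out on $up2_if max-mss 1440
scrub in

# NAT $lan through $up1_if and $dmz through $up2_if
nat on $up1_if from $lan to any -> ($up1_if)
nat on $up2_if from $dmz to any -> ($up2_if)

# Port forward as translation only (no 'pass' shortcut): the 'rdr pass'
# form creates the state itself and gives no place to attach reply-to.
rdr on $up2_if proto tcp from any to any port 80 -> $web_srv

# default policy: allow all outgoing, deny all incoming
pass out
block in

# antispoof private networks
antispoof quick for { lo $lan_if $dmz_if }

# allow all incoming pings
pass in inet proto icmp from any to any icmp-type echoreq

# immediately allow all incoming from lan
pass in quick on $lan_if

# DMZ-originated traffic still leaves via uplink 2. Replies to forwarded
# web connections never hit this rule: they already match the state made
# by the rule below, which is why route-to here could not help them.
pass in quick on $dmz_if route-to ($up2_if $up2_ip) from $dmz to any

# Filter rules see the post-rdr destination, so match on $web_srv, not on
# the pppoe0 address. reply-to forces every reply of this state back out
# pppoe0 instead of the default route on vr1. Only port 80 to the one
# DMZ host is opened; 'block in' still covers everything else on pppoe0.
pass in on $up2_if reply-to ($up2_if $up2_ip) proto tcp \
    from any to $web_srv port 80
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then watch the forwarded connection with `pfctl -ss` while connecting from outside: the state should show 10.0.0.2:80 and its reply traffic should now appear in a tcpdump on pppoe0 rather than on vr1.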