I have a network router that connects three networks with the outside world. One of the internal networks is public facing; the other two are not and are connected via NAT. I am part of a larger network and the router has the IP 1.2.3.1 in that larger network, but this IP cannot connect to the outside and only traffic from external_net is allowed.
I now want to do port forwarding on the router IP to SSH on a machine in the NAT. I am using pf on FreeBSD.
My pf.conf is:
#define network macros
uplink_iface = "igb4"
external_iface = "igb3"
l_iface = "igb5"
i_iface = "igb2"
d_iface = "igb1"
external_host = "1.2.3.1/32"
external_net = "1.2.4.0/25"
l_net = $l_iface:network
i_net = $i_iface:network
d_net = $d_iface:network
set skip on lo0
# tell the sender that they are running into pf
set block-policy return
# do not keep states unnecessarily long
set optimization aggressive
#Nat config
nat on $uplink_iface from $l_net to any -> $external_host
nat on $uplink_iface from $i_net to any -> $external_host
nat on $uplink_iface from $d_net to any -> $external_host
# forward TCP port 6987 on the router IP to SSH on the NAT host (uses the external_iface macro defined above)
rdr pass log (all) on { $uplink_iface, $i_iface, $external_iface } proto tcp from any to $external_host port 6987 -> 192.168.2.2 port 22
#do not allow anything but the below rules
block all
# allow incoming traffic only to our external IP range/server
pass from any to $external_net keep state
# allow any outgoing traffic from server and employee machines (tbd)
pass from { $d_net, $i_net, $l_net, $external_net } to any keep state
What I know:
- somehow this does not work from the outside, as it times out
- from the inside (i.e., any of the defined nets) an SSH to the port works
- the tcpdump of the pflog shows that in both cases the port forwarding is triggered
- a tcpdump on the corresponding interfaces confirmed that when the request comes from one of the internal interfaces it is forwarded; when it is external it is not
- when removing "block all" everything works. However, I do not want to drop this rule
Why can't I connect via SSH from the outside but can from the inside?