Support for traffic redirection



  • Would it be possible to implement, by rules or any other method, any way of redirecting a specific TCP/UDP flow?
    Example:
    redirect to a URL-filter server when the destination port is 80, 443, etc.

    Thanks,



  • Create a port forward at Firewall > NAT, Port Forward tab. Choose Interface "LAN" (given that you want to redirect connections from LAN), external address "any", port 80, NAT IP <filterserver>, port 80.



  • But this way will only work if the filter server is located on the WAN side of the pfSense,
    right?



  • No, you can reflect the ports to a destination at LAN. This destination will be excluded from the reflection behind the scenes to not cause a reflection loop.



  • I don't think pfSense is working that way, hoba…



  • @techatdd:

    I don't think pfSense is working that way, hoba…

    *scratch head* hrm… not sure it is either. I set up a test to verify that from another problem someone was having, but I didn't get to complete it. The generated rules should say if it should work that way. I'll take a look at it later.



  • Taken a look?  ;)


  • LAYER 8 Moderator

    As I had similar problems at work with pf, I'd say that can't work.

    If you redirect traffic on the internal interface to some internal server, you'll get problems with the TCP 3-way handshake, because the initial packet will go to pfSense and be redirected there to the internal server. But as this one is seated in the LAN, it won't send the response packet to pfSense (and pfSense to the initial sender) but directly to the internal sender, who will ignore the packet because he didn't contact the server. So PC A will get a response from SERVER A but waits for a response from pfSense. You see the problem?

    The only way to get around that with pf on our corporate firewall was to make a redirect to 127.0.0.1 port XYZ and set up inetd to listen on XYZ and then hand it over to nc to connect to the internal server. So you'll have to create a "mini-proxy" on pfSense to get this to work.

    If anyone knows another way, share it with us :)

    edit: That's the link from the original pf-FAQ:

    http://www.openbsd.org/faq/pf/rdr.html#reflect
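The handshake problem and the inetd/nc "mini-proxy" workaround from the post above, written out as pf.conf and inetd.conf fragments in the pre-4.7 OpenBSD syntax the linked FAQ uses. This is an added example, not configuration taken from the thread or from pfSense; the interface names, addresses and the helper port 5000 are assumed values, and pf's default pass policy is assumed for any traffic not listed.

```pf
# --- pf.conf ---
# Assumed values (not from the thread):
ext_if  = "fxp0"            # WAN interface
int_if  = "dc0"             # LAN interface
int_net = "192.168.1.0/24"  # LAN subnet
server  = "192.168.1.5"     # internal server the LAN clients should reach

# 1) Broken: plain rdr on the LAN interface.
#    The client's SYN goes to pfSense, is rewritten to $server and forwarded.
#    $server answers the client directly on the LAN, so the SYN/ACK never
#    passes the firewall; the client expected a reply from $ext_if and drops it.
# rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> $server port 80

# 2) Alternative fix from the FAQ: rdr plus nat on the LAN interface, so the
#    server sees pfSense as the source and its replies come back through pf.
#    Cost: the server no longer sees the real client address in its logs.
# rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> $server port 80
# nat on $int_if proto tcp from $int_net to $server port 80 -> $int_if

# 3) The mini-proxy fix: reflect to a local helper port and let inetd + nc
#    proxy the connection. The client talks to pfSense; pfSense talks to the
#    server, so both halves of the handshake pass through the firewall.
rdr on $int_if proto tcp from $int_net to $ext_if port 80 -> 127.0.0.1 port 5000
pass in quick on $int_if proto tcp from $int_net to 127.0.0.1 port 5000 keep state

# --- /etc/inetd.conf line for (3), one line ---
# nc -w 20 closes idle connections after 20 s so stale proxies do not pile up.
# 127.0.0.1:5000 stream tcp nowait nobody /usr/bin/nc nc -w 20 192.168.1.5 80
```

Only one of (2) and (3) should be active at a time, since pf applies the first matching rdr rule.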



  • That is exactly how our version works… Straight out of the OpenBSD PF reflection page.



  • @sullrich:

    That is exactly how our version works… Straight out of the OpenBSD PF reflection page.

    Do you mean pfSense uses, out of the box, the nc reflection solution from this page for internal NAT rules? If so, I can't say it does not work.
    But I also tried the above-mentioned way last week manually (with inetd and with nc on the shell, working with a telnet session), but it doesn't work for the HTTP redirection.



  • Works fine for me, and many others that I have asked in IRC.


  • LAYER 8 Moderator

    As pfSense works (intended) like mentioned in the pf FAQ, is it planned or already possible to set up this kind of redirection (with nc or any other little helper app)?



  • @Grey:

    As pfSense works (intended) like mentioned in the pf FAQ, is it planned or already possible to set up this kind of redirection (with nc or any other little helper app)?

    As I stated before, we already do this.


  • LAYER 8 Moderator

    I beg your pardon if I misunderstood :) but I (being naive or struck blind) haven't found out where and how you do this ;) Does this automatically happen when creating a NAT rule on the internal IF? ???
    Sorry, had no need for it on Zoe (my net4501) before, only stumbled upon it - as mentioned - at work while doing some redirecting on our OpenBSD firewall machine.

    Thanks in advance
    -Grey




  • LAYER 8 Moderator

    Argh ::) Mea culpa ::) Looked at the wrong tab and concentrated on "Outbound" rather than looking at "Port Forward" and thinking about it "the other way" :)

    Thanks again for pointing out and best wishes - you're all doing a hell of a good job here :D

    -Grey

