
On my FreeBSD system I want to use port forwarding to distribute incoming traffic, based on the last digit of the source IP.

The following works on Linux with iptables:

iptables -t nat -A PREROUTING -p tcp -s 0.0.0.0/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4431
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.1/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4432
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.2/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4433
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.3/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4434
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.4/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4435
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.5/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4436
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.6/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4437
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.7/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4438

What it does is that the subnet mask is applied to the last digit of the IP address, calculating the modulo value.

Now, how do I do this on FreeBSD with packet filter? I tried the following:

rdr log on vmx1 inet proto tcp from 0.0.0.1/7 to w.x.y.z port = https -> w.x.y.z port 4432 round-robin
rdr log on vmx1 inet proto tcp from 0.0.0.2/7 to w.x.y.z port = https -> w.x.y.z port 4433 round-robin

Unfortunately the 0.0.0.1/7 and 0.0.0.2/7 values get translated to 0.0.0.0/7. Therefore my conditional port forwarding does not work.

Any advice on how to do this?

memyself
  • (I don't know pf): above you're using a dotted decimal netmask, below you're using a CIDR prefix length. That's not the same at all. For IPv4 there are only 33 possible CIDR prefix length values (since that's 0..32), while there are 2^32 possible netmasks (of which 99% of the time only the 33 corresponding to CIDR prefix length notation are used). Above, 0.0.0.7 cannot be converted into a CIDR prefix length, but its inverse could (255.255.255.248<=>/29). If pf doesn't allow anything else than CIDR prefix length, you'll have to search what other method exists to achieve this form of hashing. – A.B Mar 29 '20 at 20:54
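To make the masking concrete, here is an added Python example (mine, not code from the question or the answer) that applies the iptables rules above with their non-contiguous 0.0.0.7 mask, checks A.B's point that such a mask has no CIDR prefix equivalent, and reproduces the collapse of 0.0.0.1/7 to 0.0.0.0/7 that the question observes. The source addresses are constructed from documentation ranges; the rule list mirrors the eight iptables lines (ports 4431 to 4438).

```python
# Added example, not from the original post: model the bitwise matching that
# iptables performs with an arbitrary netmask, and contrast it with a CIDR
# prefix length, which is all the pf rules in the question can express.
import ipaddress
from typing import Optional

ALL_ONES = 0xFFFFFFFF


def parse_mask(mask: str) -> int:
    """Accept a dotted netmask ('0.0.0.7') or a prefix length ('7')."""
    if "." in mask:
        return int(ipaddress.IPv4Address(mask))
    return (ALL_ONES << (32 - int(mask))) & ALL_ONES


def matches(src: str, rule_net: str) -> bool:
    """iptables semantics: (src & mask) == (net & mask), any mask allowed."""
    net, mask = rule_net.split("/")
    m = parse_mask(mask)
    return (int(ipaddress.IPv4Address(src)) & m) == (int(ipaddress.IPv4Address(net)) & m)


def is_contiguous(mask_int: int) -> bool:
    """True only for masks of the form 1...10...0, i.e. those a /N prefix can express."""
    inverted = (~mask_int) & ALL_ONES
    return (inverted & (inverted + 1)) == 0


# The eight iptables rules from the question: match on last octet mod 8.
IPTABLES_RULES = [(f"0.0.0.{i}/0.0.0.7", 4431 + i) for i in range(8)]


def dnat_port(src: str) -> Optional[int]:
    """Port the iptables chain would DNAT --dport 443 to for this source."""
    for rule_net, port in IPTABLES_RULES:
        if matches(src, rule_net):
            return port
    return None


def pf_normalised(rule_net: str) -> str:
    """What a prefix-only parser does with '0.0.0.1/7': host bits are zeroed."""
    return str(ipaddress.ip_network(rule_net, strict=False))


if __name__ == "__main__":
    for src in ("198.51.100.10", "198.51.100.13", "198.51.100.23"):
        print(src, "->", dnat_port(src))        # 10%8=2 -> 4433, 13%8=5 -> 4436, 23%8=7 -> 4438
    print(is_contiguous(parse_mask("0.0.0.7")))  # False: no CIDR prefix equivalent
    print(pf_normalised("0.0.0.1/7"))            # 0.0.0.0/7, the collapse seen in the question
```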

1 Answer


PF can't do that. Since it's FreeBSD you could get away with IPFilter instead. Yes, it's perfectly fine to use a set of firewalls at the same time, although one should clearly understand their possible interference. Just in case — typically you can change the order of traffic processing by those firewalls changing their modules load order.

poige