pf port forwarding

Question

I've got the basics of my pf firewall/NAT router setup working; traffic going out fine, DNS requests on port 53 mapped into an internal subnet and back out again successfully (no change in port number). But I'm stuck at a port forwarding from the internal gateway to a machine where I need to translate ports. Here's what I've got which doesn't seem to be working:

rdr on $ext_if inet proto tcp from any to 192.168.1.101 port 24 -> 192.168.0.105 port 22
pass in on $ext_if inet proto tcp from any to 192.168.0.105 port 22

The network is public IP => this gateway at 192.168.1.101 => machine needing ssh access at 192.168.0.105

port 22 on the public address is being used in a different subnetwork (a 10. network parallel to the 192.168.0.1/32 network).

for reference the following IS working:

rdr on $ext_if proto udp from any to any port 53 -> 192.168.0.105
pass in on $ext_if inet proto udp from any to 192.168.0.105 port 53

EDIT: So, adding "synproxy state" got it to the point where it was making a connection and trying to log in, then timing out (whereas it was failing pretty quick before). It could be just a matter of timeouts from here. I'll try again some time; for now I've just opened SSH on the router machine itself and can log in step by step (to router, then to machine).

Answer 1

You have to use your gateway's external IP. Try this:

rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 24 -> 192.168.0.105 port 22

The parentheses will insert the IP address currently bound to that interface and keep it updated if it changes (because of DHCP, for example). The :0 indicates that it should only use the main IP bound to the interface, not aliased ones.