Subject: Problems with pf(4)'s rdr rules
To: None <current-users@netbsd.org>
From: Dave Huang <khym@azeotrope.org>
List: current-users
Date: 11/23/2005 23:53:15
I originally sent this to netbsd-help, but I just tried with a
-current kernel + the altq patches from
http://nedbsd.nl/~ppostma/pf/altq.html, and am still having the same
problem.

------------------------------------------------------------
I'm trying to use pf(4) to NAT my LAN to a single public IP address,
and redirect incoming UDP packets on a certain port to an internal
machine. However, it's not working reliably... packets from one IP
address are redirected properly, but not packets from another. I have
no idea what the difference would be...

I've trimmed down my pf.conf to:

ext_if="rtk0"
int_if="fxp0"

nat on $ext_if from !($ext_if) -> ($ext_if:0)

rdr pass on $ext_if proto tcp to port 25 -> 10.1.1.73 port 25
rdr pass on $ext_if proto tcp to port 80 -> 10.1.1.71 port 80

rdr pass on $ext_if proto udp from any to any port 2093:2096 -> 10.1.1.11 port 2093:*

The two "rdr" lines for TCP ports 25 and 80 work fine. The last "rdr"
line for UDP ports 2093:2096 doesn't work properly.

Here's a tcpdump on rtk0, the external interface. 208.180.124.100 is
my public IP, and 69.15.146.* is out on the Internet:

21:20:09.870360 208.180.124.100.58655 > 69.15.146.29.2093: udp 54 [tos 0xb8]
21:20:09.879115 69.15.146.29.2093 > 208.180.124.100.2093: udp 54
21:20:09.898379 208.180.124.100.58655 > 69.15.146.29.2093: udp 54 [tos 0xb8]
21:20:09.908701 69.15.146.29.2093 > 208.180.124.100.2093: udp 54
21:20:09.910362 208.180.124.100.50024 > 69.15.146.27.2093: udp 48 [tos 0xb8]
21:20:09.930604 208.180.124.100.58655 > 69.15.146.29.2093: udp 54 [tos 0xb8]
21:20:09.939273 69.15.146.29.2093 > 208.180.124.100.2093: udp 54
21:20:09.953308 69.15.146.27.1025 > 208.180.124.100.2093: udp 18
21:20:09.958560 208.180.124.100.58655 > 69.15.146.29.2093: udp 54 [tos 0xb8]
21:20:09.968805 69.15.146.29.2093 > 208.180.124.100.2093: udp 54
21:20:09.972292 69.15.146.27.1025 > 208.180.124.100.2093: udp 132
21:20:09.974368 208.180.124.100.50024 > 69.15.146.27.2093: udp 18 [tos 0xb8]
21:20:09.984340 69.15.146.27.1025 > 208.180.124.100.2093: udp 60

And here's a tcpdump on tlp0, the internal interface:

21:20:09.870186 10.1.1.11.2093 > 69.15.146.29.2093: udp 54 [tos 0xb8]
21:20:09.898188 10.1.1.11.2093 > 69.15.146.29.2093: udp 54 [tos 0xb8]
21:20:09.910189 10.1.1.11.2093 > 69.15.146.27.2093: udp 48 [tos 0xb8]
21:20:09.930222 10.1.1.11.2093 > 69.15.146.29.2093: udp 54 [tos 0xb8]
21:20:09.953636 69.15.146.27.1025 > 10.1.1.11.2093: udp 18
21:20:09.958211 10.1.1.11.2093 > 69.15.146.29.2093: udp 54 [tos 0xb8]
21:20:09.972471 69.15.146.27.1025 > 10.1.1.11.2093: udp 132
21:20:09.974184 10.1.1.11.2093 > 69.15.146.27.2093: udp 18 [tos 0xb8]
21:20:09.984191 10.1.1.11.2093 > 69.15.146.29.2093: udp 54 [tos 0xb8]
21:20:09.984579 69.15.146.27.1025 > 10.1.1.11.2093: udp 60

The packets 10.1.1.11 is sending out to 69.15.146.27 and 69.15.146.29
are getting NATted properly, and the packets 69.15.146.27 is sending
in are getting redirected. However, none of the packets from
69.15.146.29 are making it in.
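As an added diagnostic that is not part of Dave's post, the following Python script correlates the two tcpdump captures above: for each inbound UDP packet seen on the external interface it checks whether the same packet (same remote address, source port and payload length) reappears on the internal interface, and records whether the peer's replies came back to the source port pf had picked for the outbound flow. The embedded capture lines are copied from the post (the inbound lines plus one outbound line per peer); the addresses and the function names are otherwise assumptions of this example.

```python
import re
from collections import Counter
# Selected tcpdump lines from the post: 208.180.124.100 is the public address,
# 10.1.1.11 the rdr target. One outbound line per peer plus every inbound line.
PUBLIC_IP = "208.180.124.100"
EXT_CAPTURE = """\
21:20:09.870360 208.180.124.100.58655 > 69.15.146.29.2093: udp 54 [tos 0xb8]
21:20:09.879115 69.15.146.29.2093 > 208.180.124.100.2093: udp 54
21:20:09.908701 69.15.146.29.2093 > 208.180.124.100.2093: udp 54
21:20:09.910362 208.180.124.100.50024 > 69.15.146.27.2093: udp 48 [tos 0xb8]
21:20:09.939273 69.15.146.29.2093 > 208.180.124.100.2093: udp 54
21:20:09.953308 69.15.146.27.1025 > 208.180.124.100.2093: udp 18
21:20:09.968805 69.15.146.29.2093 > 208.180.124.100.2093: udp 54
21:20:09.972292 69.15.146.27.1025 > 208.180.124.100.2093: udp 132
21:20:09.984340 69.15.146.27.1025 > 208.180.124.100.2093: udp 60
"""
INT_CAPTURE = """\
21:20:09.953636 69.15.146.27.1025 > 10.1.1.11.2093: udp 18
21:20:09.972471 69.15.146.27.1025 > 10.1.1.11.2093: udp 132
21:20:09.984579 69.15.146.27.1025 > 10.1.1.11.2093: udp 60
"""
PKT = re.compile(r"^\S+ (\S+)\.(\d+) > (\S+)\.(\d+): udp (\d+)")

def parse(capture):
    """tcpdump one-liners -> (src_ip, src_port, dst_ip, dst_port, length) tuples."""
    return [(m[1], int(m[2]), m[3], int(m[4]), int(m[5]))
            for m in map(PKT.match, capture.splitlines()) if m]

def audit_inbound(ext_capture, int_capture, public_ip):
    """Per remote peer: inbound packets that reappeared inside (redirected) vs. vanished
    (dropped), the source ports the peer used, and whether any reply came back to the
    translated source port pf had chosen for the outbound flow (the nat state)."""
    ext, inside = parse(ext_capture), parse(int_capture)
    nat_ports = {}  # peer -> translated source ports pf used towards it
    for s, sp, d, _, _ in ext:
        if s == public_ip:
            nat_ports.setdefault(d, set()).add(sp)
    pending = Counter((s, sp, ln) for s, sp, d, _, ln in inside if d != public_ip)
    report = {}
    for s, sp, d, dp, ln in ext:
        if d != public_ip:
            continue  # outbound packet, already consumed for nat_ports
        peer = report.setdefault(s, {"redirected": 0, "dropped": 0,
                                     "src_ports": set(), "hit_nat_port": False})
        matched = pending[(s, sp, ln)] > 0   # an inside copy we have not used yet
        pending[(s, sp, ln)] -= matched
        peer["redirected" if matched else "dropped"] += 1
        peer["src_ports"].add(sp)
        peer["hit_nat_port"] |= dp in nat_ports.get(s, set())
    return report
```

Run on the post's data it reports 69.15.146.29 as 0 redirected / 4 dropped and 69.15.146.27 as 3 redirected / 0 dropped, with neither peer replying to the translated port, so both depend on the rdr rule; the visible difference is the source port each peer used.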