Hi everybody. I used to host my own email and I have ambitions to give it another try. I prefer to keep my email on my home server if I can, but I use Comcast and they block port 25. So, I thought I'd try setting up an IKEv2-based VPN between my home network (including my email server at home) and a VPS which doesn't have any ports blocked, so as to have an unblocked path to the internet for my email traffic from my home network.

I've got the VPN set up and working fine. I'm able to ping from my home servers through the VPN and out the cloud server. I'm able to telnet to port 25 from my home network too:

$ ping -I $vpn_if_ip 8.8.8.8
$ telnet -b $vpn_if_ip smtp.gmail.com 25

Those work great. Adding a route works great too, i.e.:

# route add smtp.gmail.com $vpn_if
# telnet smtp.gmail.com 25

That works, and I don't need to specify the -b option with telnet once I have the static route set up.

What I'm having trouble with is simulating a static route with PF, so instead of setting up a static route for every email server in the world, I was hoping I could do something like:

pass out inet proto tcp to port smtp nat-to $vpn_if route-to \
   $vpn_gateway_ip@$vpn_if

So that *only* traffic bound for port 25 gets sent over the VPN connection, but it does so for all hosts. Anyhow, I haven't been able to get it to work, and I realize I don't understand enough about how pf route-to and static routes work and are different from each other.

I've read and reread the nat-to and route-to sections in man pf.conf. I've used tcpdump on the various interfaces on both sides of the vpn connection to try and understand how the packets are moving, where they are stopping and why, in both the static routing scenario (which works) and my failed attempts at configuring pf to do something similar (which doesn't work). I searched for route-to in the Book of PF 3rd Edition, but didn't find it there.

Before I give up on this approach and try using an smtpd relay server or relayd or just host my mail on the VPS like any sensible PF newb should perhaps do, I thought I'd try subjecting myself to public ridicule and the possibility that someone else might have attempted something like this before and maybe willing to share their insights and help me understand PF vs static routes a bit better than I do today. Thanks to those who made it to the bottom of this long email--I'll be grateful for any pointers.
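For anyone reading along, here is how the same idea can be written as a complete pf.conf fragment. This is an added example, not the poster's own ruleset, and it does not claim to resolve the problem described above; it uses the same nat-to and route-to forms the post uses, and the macro names ($lan_if, $vpn_if, $vpn_gw, $mail_host) and the address 192.0.2.10 are placeholders chosen for illustration. The one change from the rule in the post is that it limits the policy route to the mail host's address, so only that machine's outbound SMTP is pushed across the VPN, and it logs the matching packets so the path can be checked.

```pf
# Added example: policy-route outbound SMTP from one host over the VPN.
# All names and addresses below are placeholders, not values from the post.
lan_if    = "em0"
vpn_if    = "iked0"         # the VPN tunnel interface on the home gateway
vpn_gw    = "10.99.0.1"     # next hop on the far (VPS) side of the tunnel
mail_host = "192.0.2.10"    # the home mail server's LAN address

set skip on lo0

# Keep the existing default-route behaviour for everything else.
pass out

# Only TCP/25 originating from the mail host is rewritten to the tunnel
# address and handed to the tunnel's next hop. "log" sends a copy to
# pflog0 so the decision can be observed with tcpdump.
pass out log quick inet proto tcp from $mail_host to any port smtp \
    nat-to ($vpn_if) route-to $vpn_gw@$vpn_if

# Replies arrive on the tunnel and are matched by state; nothing new
# is opened inbound on the VPN interface for this flow.
block in on $vpn_if
pass in on $vpn_if inet proto tcp to ($vpn_if) port smtp flags S/SA \
    keep state
```

Before loading, `pfctl -nf /etc/pf.conf` checks the syntax without applying it. After loading, `pfctl -s rules` confirms the rule is present with the macros expanded, `pfctl -s states | grep ':25'` shows whether the SMTP state was created with the tunnel address as its translated source, and `tcpdump -n -e -ttt -i pflog0 port 25` shows each logged packet together with the rule number and direction that matched it, which is the quickest way to tell whether the route-to rule fired at all or the packet was matched by a different rule first.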
