We have ipsec running on an internal firewall, with packets being
routed to the internal firewall via an external firewall. We wish to
move off of the internal 192.168.11.0/24 network and onto a net-10
network. What pf rules do we need to automatically translate between a
net-10 block and the internal 192.168.11.0/24 block?

         ----------
        | internet |
         ----------
             |
             | [ext_if] <external ip>
     -------------------
    | external firewall |
     -------------------
             | 192.168.23.2 (default route for internal firewall)
             |
             | [vpn_if] 192.168.23.1
     -------------------
    | internal firewall |
     -------------------
             | [int_if] 192.168.11.254 (default route for 192.168.1.0/24)


The following rule redirects VPN traffic from the external firewall to
the internal firewall:
  rdr pass on $ext_if proto udp from any to $ext_if:0 \
    port { 500, 4500 } -> 192.168.23.1

Our goal is to map 10.20.30.13 to 192.168.11.13, 10.20.30.14 to
192.168.11.14, etc. for VPN clients.

We initially added a rule on the "internal firewall" config with:
  table <tww_nets> const { 192.168.11.0/24, 10.20.30.0/24 }
  nat pass log on $int_if from !<tww_nets> to <tww_nets> -> ($int_if:0)
  ++ rdr pass log on enc0 proto tcp from any to 10.20.30.13 \
  ++   -> 192.168.11.13

This works in redirecting inbound VPN traffic to 192.168.11.13:
  Jun 20 07:15:42.947878 rule 3/(match) rdr in on enc0: 192.168.10.100.42888 > 192.168.11.13.80: [|tcp] (DF) [tos 0x10]
  Jun 20 07:15:42.947902 rule 1/(match) nat out on fxp4: 192.168.11.254.54444 > 192.168.11.13.80: [|tcp] (DF) [tos 0x10]

However, once the packet arrives at 192.168.11.13, it must make its
way back to the VPN client at 192.168.10.100. That's where we're
having the trouble. The inbound packet comes in through
192.168.11.254 and goes out through 192.168.23.1 (tcpdump traffic on
vpn_if):
  07:31:02.534408 10.20.30.13.80 > 192.168.10.100.54486: R [tcp sum ok] 0:0(0) ack 771645959 win 0 (ttl 63, id 13259, len 40)
  Jun 20 07:53:03.872494 rule 0/(match) block in on fxp0: 10.20.30.13.80 > 192.168.10.100.54486: [|tcp]

Thinking about this some more, the rdr on enc0 doesn't make much
sense. I'm thinking we need some kind of binat rule but I'm unable to
come up with one that works. Any ideas?

-- 
albert chin ([EMAIL PROTECTED])