On 2008-02-23, Stefan Kell <[EMAIL PROTECTED]> wrote:
> Hello,
>
> On Sat, 23 Feb 2008, elaconta.com Webmaster wrote:
>
>> Greetings
>>
>> ...snip...
>> rdr on $ext_if proto tcp from any to 192.168.1.121 port 80 -> 127.0.0.1 port 5000
>>
>> ...snip
>>
>> I'm running OpenBSD 3.9 (i386) on both machines.
>>
>
> why not rdr directly to your internal webserver instead of 127.0.0.1? OpenBSD
> 3.9 is quite old but rdr should work quite well. I use this since OpenBSD 3.4

Because the return packets will go straight to the cable modem and won't get "un-rdr'ed" (i.e. have the original addresses put back on them).

You could do this if a) .126 is configured to use .121 as gateway rather than using the cable modem as gateway, and b) there aren't any ICMP redirects affecting things (either they aren't generated, or any which are generated are ignored). It's a bit of a messy setup though, be sure to document it...

Other possibilities are to put the webserver on a different subnet and either double-NAT, or add a static route to this on the cable modem. Or one could use a proxy which can write the original address into an HTTP header, and have the webserver log that rather than the packet's source address.
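
The return-path problem described in this reply, as a toy Python model (an added example, not part of the original message and not pf's own code). It assumes ".126" means 192.168.1.126 serving on port 80; the client address 203.0.113.10 and the `RdrBox` class are constructed for illustration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class RdrBox:
    """Toy model of the redirecting host (.121): rewrites dst and keeps state."""
    def __init__(self, listen, target):
        self.listen, self.target = listen, target   # (ip, port) pairs
        self.states = set()                         # (client_ip, client_port)

    def inbound(self, p):
        if (p.dst, p.dport) != self.listen:
            return p
        self.states.add((p.src, p.sport))           # remember the connection
        return p._replace(dst=self.target[0], dport=self.target[1])

    def outbound(self, p):
        # The original address is put back only on replies that pass through
        # this box and match a state it created.
        if (p.src, p.sport) == self.target and (p.dst, p.dport) in self.states:
            return p._replace(src=self.listen[0], sport=self.listen[1])
        return p

LISTEN = ("192.168.1.121", 80)   # address the client connects to
TARGET = ("192.168.1.126", 80)   # assumed internal webserver address and port

def reply_seen_by_client(server_gateway_is_rdr_box):
    box = RdrBox(LISTEN, TARGET)
    syn = Packet("203.0.113.10", 40000, *LISTEN)    # constructed client packet
    at_server = box.inbound(syn)
    reply = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    if server_gateway_is_rdr_box:                   # condition a) in the reply
        reply = box.outbound(reply)
    return reply                                    # else: straight to the modem

def client_accepts(reply):
    # A TCP client only matches replies coming from the address it connected to.
    return (reply.src, reply.sport) == LISTEN

if __name__ == "__main__":
    for via_box in (False, True):
        r = reply_seen_by_client(via_box)
        print(f"gateway is .121: {via_box!s:5}  reply src {r.src}:{r.sport}  "
              f"accepted: {client_accepts(r)}")
```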