It's probably some simple mistake in manipulating the ruleset. Make sure
you have both filter and translation rules loaded successfully, i.e. run
# pfctl -sn
No errors...
and check whether rdr rule is correctly loaded like you intend.
Check.
One somewhat obscure mistake is to run "pfctl -R -f /etc/pf.conf", misunderstanding the effect of -R, and not getting one's translation rules replaced.
I presume `pfctl -F all -f pf.conf` should suffice?
Okay, time to post the entire ruleset. This is my test ruleset, which fails. If I change the one "rdr on" rule to rdr PASS, it works.
lan = "le0" wlan = "le2" INT = "192.168.1.0/24" ext = "le1"
table <NORTE> { 0.0.0.0/8, 127.0.0.0/8, 192.0.2.0/24, 10.0.0.0/8, \
172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 255.255.255.255/32 \
240.0.0.0/5, 248.0.0.0/5}
table <BMCAST> const { 224.0.0.0/4, 192.168.1.0, 192.168.1.255 }
table <BMCAST_ALLOW> const { 224.0.0.251 }
bmcast_prot = "{ udp }"
bmcast_port = "{ 5353 }"ROUTER = "192.168.1.1"
ext_svc = "{ http }"fwd_lan_port = "{ 999, 1001 }"ext_scan_ports = "{ 21, 22, 23, 25, 53, 79, 110, 111, 137, 138, 139, 143, 512 }"
fwd_lan_dest_ip = 192.168.1.9 fwd_lan_dest_port = 8888
icmp_allow = "{ echoreq, echorep, timex, unreach }"br_wlan_tcp_svc_port = "{ 548 }"
br_wlan_udp_svc_port = "{ 3689 }"wlan_svc_prot = "{ udp }"wlan_svc_port = "{ domain }"lan_svc = "{ ssh, domain }"ext_prio_ports = "{ ssh, domain }"set optimization normal set block-policy return
scrub in all no-df fragment reassemble scrub out on $ext all no-df fragment reassemble random-id
altq on $ext priq bandwidth 500Kb queue \
{ q_ext_high, q_ext_med, q_ext_bulk }
queue q_ext_high priority 5
queue q_ext_med priority 4
queue q_ext_bulk priority 1 priq(default)nat on $ext from $INT to any -> $ext
rdr on $ext inet proto tcp \
to port $fwd_lan_port -> $fwd_lan_dest_ip port $fwd_lan_dest_port
block log-all all
pass quick on lo0
pass in log-all quick on $lan from $INT to any keep state
pass in log-all quick on $wlan inet proto $bmcast_prot from $INT \
to <BMCAST_ALLOW> port $bmcast_portpass in log-all quick on $wlan inet proto udp from $INT to $INT \
port $br_wlan_udp_svc_port keep state
pass in log-all quick on $wlan inet proto tcp from $INT to $INT \
port $br_wlan_tcp_svc_port flags S/SA keep statepass in log-all quick on $wlan inet proto $wlan_svc_prot from $INT to $ROUTER \
port $wlan_svc_port keep state
pass in log-all quick on $wlan inet proto icmp from $INT to $INT \
icmp-type $icmp_allow keep stateblock in log-all quick on $wlan from any to <BMCAST> block in log-all quick on $wlan from any to <NORTE>
block in log-all quick on $wlan from any to $ext
pass in log-all quick on $wlan inet proto icmp from $INT to any \
icmp-type $icmp_allow keep state
block in log-all quick on $wlan inet proto icmppass in log-all quick on $wlan from $INT to any keep state
block drop in log-all quick on $ext from <NORTE> to any block drop in log-all quick on $ext from <BMCAST> to any
pass in log-all quick on $ext inet proto icmp from any to $ext \
icmp-type $icmp_allow keep state#####
#
# IT DOESN'T MATTER WHICH OF THE FOLLOWING TWO RULES IS UNCOMMENTED,
# IT STILL FAILS
#
pass in log-all quick on $ext inet proto tcp from any \
to port $fwd_lan_port keep state
#
#pass in log-all quick on $ext inet proto tcp from any to \
# $fwd_lan_dest_ip port $fwd_lan_dest_port keep state
#
#####pass in log-all quick on $ext inet proto tcp from any to $ext \
port $ext_svc flags S/SA keep stateblock drop in log-all quick on $ext inet proto { tcp, udp } \
from any to any port $ext_scan_portsblock drop in log-all quick on $ext
pass out log-all quick on $lan from any to any keep state pass out log-all quick on $wlan from any to any keep state block out log-all quick on $ext from any to <NORTE>
pass out log-all quick on $ext inet proto tcp from any to any \
port $ext_prio_ports flags S/SA \
queue(q_ext_med, q_ext_high) keep state
pass out log-all quick on $ext inet proto tcp from any to any \
flags S/SA queue(q_ext_bulk, q_ext_high) keep state
pass out log-all quick on $ext inet proto { udp, icmp } \
from any to any queue q_ext_med keep state