@not-mms
Last active September 15, 2017 01:07
Configure relayd redirection to be usable on the LAN as well as on the internet.

There is a server running in the LAN and port redirection is used to make it accessible from the internet.

To make this redirection work for clients on the LAN too, you have to add an additional NAT rule, as suggested in the PF FAQ.

If the redirection rules are generated by relayd, do the following to add the additional NAT rule:

  • Modify the relevant redirection section in relayd.conf to match and tag packets (see example below).
  • Add the necessary rules for tagged packets (see example below) following the relayd/* anchor in pf.conf.
# relayd.conf -- NOTE: this is not a full configuration, only the related parts are present.
# Let's assume that there is a Tor node running on the LAN that you need to make
# accessible on the external address, both from the internet and from the LAN.
ext_ip="3.1.2.8"
or_port="9001"
dir_port="9030"
table <tor_node> { 192.168.1.50 }

redirect "redirect_or_port" {
    # Note that the interface is not specified here,
    # so the generated redirection rules match incoming packets on all interfaces.
    listen on $ext_ip tcp port $or_port
    forward to <tor_node> check tcp
    # Note that it is possible to customize the generated redirection rules via pf.conf.
    # For that, these rules have to be generated as match rules (which is what
    # "match pftag" does), so besides adding NAT options for the LAN clients
    # it is also necessary to add pass rules for the redirections to work.
    match pftag REDIRECTED
}

redirect "redirect_dir_port" {
    listen on $ext_ip tcp port $dir_port
    forward to <tor_node> check tcp
    match pftag REDIRECTED
}
# Notice that a redirect section is needed for each port of interest,
# but the same tag name is used, which allows common rules for all redirects in pf.conf.
# pf.conf -- NOTE: this is not a full configuration, only the related parts are present.
int_if="em0"
#
# ... skipped macros, options and whatever comes prior to the relayd anchor
#
# To have a look at all the rules, including the ones relayd loaded into its anchor:
#
#   pfctl -a "*" -sr
#
anchor "relayd/*"
# All redirected packets get tagged, whether they came in on $ext_if or on $int_if,
# but the additional NAT rule must be applied only to the ones received on $int_if:
# without it the server would reply directly to the LAN client, bypassing the router.
match out on $int_if tagged REDIRECTED received-on $int_if nat-to $int_if
# Make sure that the packets matched by the generated match rules are passed quickly,
# as if there were no 'match pftag' directive in relayd.conf.
pass out quick tagged REDIRECTED
pass in quick tagged REDIRECTED
#
# ... skipped filters
#
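Why the extra nat-to rule is needed, as an added illustrative model in Python (not part of the gist): it traces a LAN client's connection to the external address through the router with and without hairpin NAT, using the gist's addresses and port. The client address 192.168.1.20, the router's internal address 192.168.1.1 and the translated source port are assumed.

```python
"""Model of the hairpin (reflection) NAT problem the extra pf rule fixes.

Constructed example: a LAN client connects to $ext_ip:$or_port and we
follow the packet through rdr-to and the optional nat-to translation.
"""
from dataclasses import dataclass, replace

EXT_IP = "3.1.2.8"        # $ext_ip from relayd.conf
INT_IF_IP = "192.168.1.1" # address of $int_if (assumed)
TOR_NODE = "192.168.1.50" # table <tor_node>
OR_PORT = 9001            # $or_port


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def router_forward(pkt, in_if, hairpin_nat):
    """Apply relayd's generated rdr-to, then (if enabled) the extra
    'nat-to $int_if' rule for packets that were received on $int_if."""
    if (pkt.dst, pkt.dport) == (EXT_IP, OR_PORT):
        pkt = replace(pkt, dst=TOR_NODE)           # rdr-to <tor_node>
        if hairpin_nat and in_if == "int_if":
            # match out on $int_if tagged REDIRECTED received-on $int_if nat-to $int_if
            pkt = replace(pkt, src=INT_IF_IP, sport=40001)  # assumed NAT port
    return pkt


def server_reply(pkt):
    """The server swaps addresses and ports to answer."""
    return Pkt(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def reply_path(client, hairpin_nat):
    """Return ('router' | 'client-direct', packet the client receives)."""
    syn = Pkt(client, 51000, EXT_IP, OR_PORT)
    fwd = router_forward(syn, "int_if", hairpin_nat)
    rep = server_reply(fwd)
    if rep.dst == INT_IF_IP:
        # Reply comes back through pf; the state entry reverses both
        # translations, so the client sees an answer from $ext_ip:$or_port.
        return "router", Pkt(EXT_IP, OR_PORT, client, 51000)
    # Reply goes straight to the client on the same LAN, from 192.168.1.50,
    # which does not match the connection the client opened to 3.1.2.8.
    return "client-direct", rep
```

The first tuple element shows whether the router ever sees the reply; only with the nat-to rule does the client get an answer from the address it connected to.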