rmind / npf

NPF: packet filter with stateful inspection, NAT, IP sets, etc.

Port forwarding not done #118

Closed lpvm closed 3 years ago

lpvm commented 3 years ago

Description

I want to enable port forwarding of ports 17106 and 22222 to a computer on LAN. I've already asked for help, but got no answers to the problem that could solve it.

The NetBSD box runs:

# uname -a
NetBSD netpi 9.0 NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28 UTC 2020  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/i386/compile/GENERIC i386

net.inet.ip.forwarding=1

From the NetBSD box I can access the LAN computer:

# curl 192.168.1.30:17106
<!DOCTYPE html>
<html lang="en" >

<head>

From outside, the Internet, I cannot access it.

In the NetBSD computer, when listening on the external interface, after some seconds:

# tcpdump -en -i ure0 | grep 17106
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ure0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:08:20.818053 00:fa:fa:fa:fa:fa > 00:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 74: 4.4.4.4.55269 > 3.3.3.3.17106: Flags [S], seq 2134094756, win 32768, options [mss 1460,nop,wscale 3,sackOK,TS val 1 ecr 0], length 0
22:08:26.820016 00:fa:fa:fa:fa:fa > 00:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 74: 4.4.4.4.55269 > 3.3.3.3.17106: Flags [S], seq 2134094756, win 32768, options [mss 1460,nop,wscale 3,sackOK,TS val 13 ecr 0], length 0
22:08:38.840625 00:fa:fa:fa:fa:fa > 00:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 74: 4.4.4.4.55269 > 3.3.3.3.17106: Flags [S], seq 2134094756, win 32768, options [mss 1460,nop,wscale 3,sackOK,TS val 37 ecr 0], length 0

The npf.conf file:

# npfctl show
# filtering:    active
# config:       loaded

table <int-block> type lpm

procedure "log"

map ure0 dynamic any -> 3.3.3.3 pass family inet4 from 192.168.1.0/24 # id="1"
map ure0 dynamic 192.168.1.30 port 17106 <- any pass family inet4 proto { tcp, udp } to 3.3.3.3 port 17106 # id="2"
map ure0 dynamic 192.168.1.30 port 22222 <- any pass family inet4 proto { tcp, udp } to 3.3.3.3 port 22222 # id="3"

group "external" on ure0 { # id="1"
        pass stateful out final flags S/FSRA # id="2"
        pass stateful in final family inet4 proto tcp flags S/FSRA to ifaddrs(ure0) port 22 apply "log" # id="3"
        pass stateful in final proto tcp flags S/FSRA to ifaddrs(ure0) port { 80, 443, 25, 53, 6000, 9022 } # id="4"
        pass stateful in final proto udp to ifaddrs(ure0) port { 53, 123, 6000 } # id="5"
        pass stateful out final flags S/FSRA # id="6"
}

group "internal" on re0 { # id="7"
        pass in final family inet4 from 192.168.1.0/24 # id="8"
        pass out final all # id="9"
}

group default { # id="a"
        pass final on lo0 all # id="b"
}

3.3.3.3 and 4.4.4.4 are not the real IPs.

Don't know what else to do or check.

spzeidler commented 3 years ago

Hi,

if you write it: map ure0 dynamic proto tcp 192.168.1.30 port 17106 <- 3.3.3.3 port 17106 does it work?

regards, spz (S.P.Zeidler)

lpvm commented 3 years ago

Hi @spzeidler , thank you for your interest. Tried the line both with the proto tcp and without it, but doesn't work either way.

rmind commented 3 years ago

@lpvm: You have the port forwarding rule, but where is the rule to pass the traffic to port 17106?

lpvm commented 3 years ago

I had those before, but didn't work either. Unless I'm understanding it wrong, they are not necessary. In the npf documentation, it's stated that

map $ext_if dynamic $local_host_2 port 80 <- $ext_if port 8080

In the examples above, NPF determines the filter criteria from the segments on the left and right hand side implicitly.

rmind commented 3 years ago

@lpvm: They are necessary. The filter criteria mentioned in the documentation are for the translation rule. Such a rule doesn't implicitly pass the traffic; try adding pass in stateful ... port 17106 on $ext_if and check your traffic with tcpdump.

lpvm commented 3 years ago

Hi @rmind , sorry for my ignorance, but as I don't have enough knowledge of the subject, I miss some points and misunderstand others.

I added this line: pass stateful in final to inet4(ure0) port 17106

As my ure0 acquires a dynamic IP, the line should be changed to: pass stateful in final to ifaddrs(ure0) port 17106, right?

One thing I noticed is that when a port in a rule is specified as $17166, for example, npf ignores the $.

Another thing that is important for less knowledgeable people is examples. Unfortunately, few people use NetBSD...

This is solved, thank you very much @rmind and @spzeidler.
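Putting rmind's point (a map rule only describes the translation, it does not admit the packet) together with the pass rule lpvm ended up adding, this is a complete npf.conf that forwards the two ports. It is an added illustration, not a file from this thread or from the NPF project. It keeps lpvm's interface names, addresses and service ports (ure0 external, re0 internal, 192.168.1.30 as the LAN host), leaves out the logging procedure, and, like the examples in npf.conf(5), refers to the external interface as inet4(ure0) so the rules follow its current IPv4 address instead of the fixed 3.3.3.3 placeholder.

```conf
# Added example: forward TCP 17106 and 22222 to a LAN host with NPF.
# Interface names, addresses and ports are taken from the thread above;
# the external address is resolved from the interface, not hard-coded.

$ext_if = { inet4(ure0) }      # external interface, dynamic IPv4 address
$int_if = { inet4(re0) }       # LAN interface
$lan = 192.168.1.0/24
$fwd_host = 192.168.1.30
$fwd_ports = { 17106, 22222 }

# Outbound NAT for the LAN, as in the original rule id="1".
map $ext_if dynamic $lan -> $ext_if

# Inbound redirects: rewrite the destination of connections that arrive at
# the external address on a forwarded port.  These rules only describe the
# translation; they do not pass the packet by themselves.
map $ext_if dynamic proto tcp $fwd_host port 17106 <- $ext_if port 17106
map $ext_if dynamic proto tcp $fwd_host port 22222 <- $ext_if port 22222

group "external" on $ext_if {
        pass stateful out final flags S/FSRA
        pass stateful in final proto tcp flags S/FSRA to $ext_if port { 22, 80, 443, 25, 53, 6000, 9022 }
        pass stateful in final proto udp to $ext_if port { 53, 123, 6000 }
        # The rule that was missing.  Inbound filtering matches on the
        # external address and the forwarded port, i.e. what the SYN looks
        # like on the wire in lpvm's tcpdump capture.  Only the initial SYN
        # has to match; the state entry carries the rest of the connection
        # in both directions.
        pass stateful in final proto tcp flags S/FSRA to $ext_if port $fwd_ports
}

group "internal" on $int_if {
        pass in final family inet4 from $lan
        pass out final all     # delivers the translated packet to the LAN host
}

group default {
        pass final on lo0 all
}
```

Check the file with npfctl validate /etc/npf.conf before npfctl reload; after a client connects, npfctl list shows the stateful entry for the forwarded connection. A capture that shows the same SYN (identical sequence number) repeated every few seconds with no SYN-ACK, as in lpvm's tcpdump output, is the symptom of a redirect with no matching pass rule. Because both the map and the pass rules say proto tcp, only TCP is forwarded; if UDP on those ports is really wanted, as lpvm's original proto { tcp, udp } map suggested, add a proto udp map rule and a matching pass stateful in rule without flags.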

rmind commented 3 years ago

@lpvm: Well, pull requests with better examples or improved documentation are always welcome!