FreeBSD massive port forwarding
Portfwd was my software of choice whenever I needed to forward a port from one server to another server several hops away (not plain NAT port mapping).
It uses configuration like this (193.2.1.66 is the local IP, 193.2.1.80 is the destination server's IP):
bind-address 193.2.1.66
tcp { 55443 { => 193.2.1.80:443 } }
tcp { 55022 { => 193.2.1.80:22 } }
But it fails to do its job properly once the forwarded port/service gets really busy (500 or more simultaneous established TCP connections).
pf handles the forwarding well even with over 1000 TCP connections. Example:
rdr on em0 proto tcp from any to 193.2.1.66 port 55443 -> 193.2.1.80 port 443
rdr on em0 proto tcp from any to 193.2.1.66 port 55022 -> 193.2.1.80 port 22
nat on em0 from any to 193.2.1.80 -> 193.2.1.66
em0 is the name of the outside interface. Without the nat rule the destination server would see the client's source IP in each packet and reply directly to the client, which causes asymmetric routing and very likely breaks the connection. The nat rule rewrites the source IP to the port forwarder's own address, so replies come back through the forwarder.
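As an added example (not part of the original post), a small POSIX sh function that generates this rdr/nat rule set for any number of port mappings, which is what makes the pf approach practical for "massive" forwarding; it rejects malformed ports and duplicate local ports (a second rdr on the same local port would never match). Interface, addresses and ports are passed as arguments; the sample call uses the post's values.

```shell
# gen_pf_fwd IFACE LOCAL_IP DEST_IP LOCALPORT:DESTPORT [LOCALPORT:DESTPORT ...]
# Prints one rdr rule per mapping followed by the single nat rule that
# keeps return traffic flowing back through the forwarder.
gen_pf_fwd() {
    iface=$1; local_ip=$2; dest_ip=$3
    shift 3
    [ $# -gt 0 ] || { echo "gen_pf_fwd: no port mappings given" >&2; return 1; }
    seen=""
    for map in "$@"; do
        lport=${map%%:*}
        dport=${map##*:}
        # Both sides must be plain decimal numbers in the TCP port range.
        for p in "$lport" "$dport"; do
            case "$p" in
                ''|*[!0-9]*) echo "gen_pf_fwd: bad port in '$map'" >&2; return 1 ;;
            esac
            if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
                echo "gen_pf_fwd: port out of range in '$map'" >&2; return 1
            fi
        done
        # A local port may only be redirected once; pf uses the first rdr match.
        case " $seen " in
            *" $lport "*) echo "gen_pf_fwd: duplicate local port $lport" >&2; return 1 ;;
        esac
        seen="$seen $lport"
        printf 'rdr on %s proto tcp from any to %s port %s -> %s port %s\n' \
            "$iface" "$local_ip" "$lport" "$dest_ip" "$dport"
    done
    # Source-NAT traffic headed to the destination so it replies to us, not the client.
    printf 'nat on %s from any to %s -> %s\n' "$iface" "$dest_ip" "$local_ip"
}

# Sample call with the values from the post (constructed input):
gen_pf_fwd em0 193.2.1.66 193.2.1.80 55443:443 55022:22
```

Redirect the output into a file and run `pfctl -nf thatfile` to have pf parse-check the rules before loading them.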
Happy forwarding,
S.