pf route-to vs static route

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

pf route-to vs static route

Hi everybody. I used to host my own email and I have ambitions to give
it another try. I prefer to keep my email on my home server if I can,
but I use Comcast and they block port 25. So, I thought I'd try setting
up an IKEDv2 based VPN between my home network (including my email
server at home) and a VPS which doesn't have any ports blocked, so as to
have an unblocked path to the internet for my email traffic from my home

I've got the VPN setup and working fine. I'm able to ping from my home
servers through the VPN and out the cloud server. I'm able to telnet
port 25 from my home network too:

$ ping -I $vpn_if_ip
$ telnet -b $vpn_if_ip 25

Those work great. Adding a route works great too, i.e.:

# route add $vpn_if
# telnet 25

That works, and I don't need to specify the -b option with telnet once I
have the static route setup.

What I'm having trouble with is simulating a static route with PF, so
instead of setting up a static route for every email server in the
world, I was hoping I could do something like:

pass out inet proto tcp to port smtp nat-to $vpn_if route-to \

So that *only* traffic bound for port 25 gets sent over the VPN
connection, but it does so for all hosts. Anyhow, I haven't been able to
get it to work, and I realize I don't understand enough about how pf
route-to and static routes work and are different from each other.

I've read and reread the nat-to and route-to sections in man pf.conf.  
I've used tcpdump on the various interfaces on both sides of the vpn
connection to try and understand how the packets are moving, where they
are stopping and why, in both the static routing scenario (which works)
and my failed attempts at configuring pf to do something similar (which
doesn't work). I searched for route-to in the Book of PF 3rd Edition,
but didn't find it there.

Before I give up on this approach and try using an smtpd relay server or
relayd or just host my mail on the VPS like any sensible PF newb should
perhaps do, I thought I'd try subjecting myself to public ridicule and
the possibility that someone else might have attempted something like
this before and maybe willing to share their insights and help me
understand PF vs static routes a bit better than I do today. Thanks to
those who made it to the bottom of this long email--I'll be grateful for
any pointers.