rdr woes (3.9) transparent bridge pf

patrick keshishian

I have a transparent bridged pf serving my home network.
It has been running fairly nicely for some time now.

I have a web server behind it which I'm trying to move
to another server, same network, different IP.

I thought it might be a simple thing to just use a rdr
rule to point traffic intended for web server one (www1)
to web server two (www2) until the DNS changes take place.

But it doesn't seem to be working as expected.  Just to
test this out before committing to it, I added the following
to my pf.conf

    rdr proto tcp to $www1 port 8080 -> $www2 port www

I fire up a browser and type in the URL:


But it just sits there trying to load.  Client shows SYN_SENT
state.  www2 shows no states.  `pfctl -ss -v' shows:

all tcp www2:80 <- www1:8080 <- client:49639       CLOSED:SYN_SENT
all tcp client:49639 -> www2:80       SYN_SENT:CLOSED

Is there something I'm missing?

Anything else I should be keeping an eye on?

Note that the client can connect to either web server directly;
that is, there are no filter rules blocking the client from
connecting to www[12]:80.

The only thing I can think of that may be putting a kink in
this picture is that the pf server is bridging the
interfaces transparently, and I'm using tags to base my
filtering policies on.  Reading pf.conf(5) I don't see any
particular thing that could cause problems with this
set up.

Any help would be appreciated.
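Added example (my own, not code from the post or from OpenBSD): a small parser for `pfctl -ss -v` state lines in the 3.x layout that pairs each inbound rdr state with the outbound state pf created for the forwarded packet and reports whether the redirect target ever replied. The two sample lines are the states quoted above; host names, the `all` interface and the `diagnose_redirects` function name are mine. The layout it relies on is pf's: an inbound state with three endpoints prints as `lan <- gwy <- ext` (redirect target, original destination, client), and the left-hand TCP state belongs to the left-hand endpoint.

```python
# Added example, not part of the original post: parse `pfctl -ss -v`
# state lines (OpenBSD 3.x layout) and flag rdr states nobody answered.
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the two state lines quoted in the post above.
SAMPLE_STATES = """\
all tcp www2:80 <- www1:8080 <- client:49639       CLOSED:SYN_SENT
all tcp client:49639 -> www2:80       SYN_SENT:CLOSED
"""

ARROWS = ("<-", "->")


@dataclass
class State:
    iface: str
    proto: str
    direction: str          # "in" (printed with <-) or "out" (printed with ->)
    hosts: List[str]        # host:port tokens, left to right as printed
    states: List[str]       # TCP states, left endpoint's state first

    @property
    def translated(self) -> bool:
        # pfctl prints a third endpoint only when nat/rdr rewrote an address:
        #   in : lan <- gwy <- ext   (rdr: lan is the target the rule chose)
        #   out: lan -> gwy -> ext   (nat: gwy is the address the rule chose)
        return len(self.hosts) == 3


def parse_state_line(line: str) -> Optional[State]:
    """Return a State for a state header line, None for anything else
    (the indented age/expires/id lines that -v adds are skipped)."""
    parts = line.split()
    if len(parts) < 5 or ":" not in parts[-1]:
        return None
    iface, proto = parts[0], parts[1]
    middle = parts[2:-1]
    arrows = {tok for tok in middle if tok in ARROWS}
    if len(arrows) != 1:
        return None
    direction = "in" if arrows.pop() == "<-" else "out"
    hosts = [tok for tok in middle if tok not in ARROWS]
    states = parts[-1].split(":")
    if len(states) != 2:
        return None
    return State(iface, proto, direction, hosts, states)


def parse_states(text: str) -> List[State]:
    parsed = (parse_state_line(line) for line in text.splitlines())
    return [s for s in parsed if s is not None]


def diagnose_redirects(text: str) -> List[dict]:
    """For each inbound rdr state, find the outbound state pf created for
    the forwarded packet and report whether the redirect target replied."""
    states = parse_states(text)
    report = []
    for s in states:
        if s.direction != "in" or not s.translated:
            continue
        target, original, client = s.hosts
        target_state, client_state = s.states
        # The forwarded packet appears as a separate state, client -> target,
        # on the interface it leaves through.
        outbound = [o for o in states
                    if o.direction == "out" and o.hosts == [client, target]]
        report.append({
            "client": client,
            "original": original,
            "target": target,
            "client_state": client_state,
            "target_state": target_state,
            "forwarded": bool(outbound),
            # Far end of the outbound state: CLOSED means no SYN-ACK came back.
            "far_end_state": outbound[0].states[1] if outbound else None,
            # pf moves the target side off CLOSED as soon as it sees a reply.
            "answered": target_state != "CLOSED",
        })
    return report


if __name__ == "__main__":
    for entry in diagnose_redirects(SAMPLE_STATES):
        print(entry)
```

Read against the post's two lines, the report says: pf built the translated inbound state, built the matching outbound state with www2's address, and the far end of that outbound state stayed CLOSED, so the SYN left the firewall rewritten but nothing came back. On a bridge the next thing to confirm is what the forwarded frame actually looks like: rdr rewrites the IP header, not the Ethernet header, so run `tcpdump -e` on the interface facing www2 and check which destination MAC the redirected SYN carries.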