I am trying to forward traffic like this:
Internal Network Computer (192.168.1.*) → Server (192.168.186:1234) → Internal Network Computer (192.168.1.198:80)
-
Server is plugged into the router via ethernet on interface en0
-
Internal Computer is connected to router via wifi
-
Server can access 192.168.1.198:80 with no problems
According to various other related questions, I have gotten the following rules
nat on en0 from any to en0 -> (en0)
rdr pass inet proto tcp from any to any port 1234 -> 192.168.1.198 port 80
However I get the following when telnet
ing:
$ telnet 192.168.1.186 1234
Trying 192.168.1.186...
telnet: connect to address 192.168.1.186: Operation timed out
telnet: Unable to connect to remote host
Using Wireshark on the 192.168.1.198 I have confirmed that the telenet connection is received however it doesn't seem to connect.
Some more info:
-
rdr
's from127.0.0.1
to127.0.0.1
work fine, for example:rdr pass inet proto tcp from any to any port 1234 -> 127.0.0.1 port 80
-
I have confirmed that port 80 is open on 192.168.1.198, and that it is accessible from the server
-
Firewall (in System Preferences) is disabled on both computers
-
I have enabled cross interface traffic forwarding with
sudo sysctl -w net.inet.ip.forwarding=1
-
I think it may be something with NAT (see the below posts) but I am not sure
The same issue is discussed on GitHub. @ctgreybeard, @dandriana, @snimavat, and @sergeyzwezdin have all reported the same issue. Does anyone have a solution?
Please Note: I would like to use pfctl and not SSH or another service.
Here are some other related posts:
How can I setup my mac (OS X Yosemite) as an internet gateway
Best Answer
This is how I got it to work.
My example uses three hosts on my network (10.10.0.0/16):
10.10.10.10 = Linux client
10.10.6.237 = Mac "real server" providing a service on port 3000
10.10.1.200 = Mac "server" performing pf redirection, listening on port 2004, interface vlan0
natrdr.pf
The specificity ensures your server isn't NATting traffic that it shouldn't.
For those doing this from scratch, after creating your
natrdr.pf
file above, run the following commands from the command line or a shell script, sudo or as root. Integrating thepf
rules with Apple'spf.conf
files is an exercise left to the reader.I then used
telnet 10.10.1.200 2004
and was immediately forwarded to the Node/express server running on port 3000 on 10.10.6.237.Example output of
pfctl -s states
to verify it's working:So, to make it match your setup:
The order of rules is important.
The redirect rule does what's expected: it forwards all traffic coming into the server to the real server.
The NAT rule changes the (now redirected) packets to have a source IP address of the redirecting server instead of the original client.
The combination of these rules ensures that a reverse path for the return packets to follow is automatically created.