Rather than modifying pf.conf directly, relayd is the better (and preferred) way to simply forward ports:
relayd is a daemon to relay and dynamically redirect incoming connections to a target host. Its main purposes are to run as a load-balancer, application layer gateway, or transparent proxy. The daemon is able to monitor groups of hosts for availability, which is determined by checking for a specific service common to a host group. When availability is confirmed, layer 3 and/or layer 7 forwarding services are set up by relayd.
The goal here is hostname-based port redirection, and the trouble with modifying pf.conf directly is that during the initial boot of the router the pf.conf ruleset will fail to load if it cannot resolve the hostnames in the ruleset.
Even without the advanced features, relayd offers a neat service: if the hostname target is responding to pings, then add a rule to pf based on the relayd.conf entry. If the hostname target is not responding to pings, remove the corresponding pf rules.
Add anchor "relayd/*" to pf.conf, then insert a simple forwarding entry into relayd.conf. For example, to forward PSN and Splinter Cell: Blacklist packets to a PlayStation 3 (whose hostname is set to "ps3"):
table <ps3rdr> { ps3 }
redirect "psn" {
    listen on pppoe0 tcp port 3658
    listen on pppoe0 udp port 3658
    forward to <ps3rdr> check icmp
}
redirect "psn2" {
    listen on pppoe0 tcp port 3478:3479
    listen on pppoe0 udp port 3478:3479
    forward to <ps3rdr> check icmp
}
redirect "blacklist" {
    listen on pppoe0 tcp port 13000
    listen on pppoe0 udp port 13000
    forward to <ps3rdr> check icmp
}
then restart relayd with
/etc/rc.d/relayd stop ; /etc/rc.d/relayd start
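A quick way to confirm that every redirect declared in relayd.conf actually made it into the "relayd/*" anchor (for instance after editing the file but forgetting the restart above). This is an added script, not part of the original post; the rule text it matches is an assumption about what pfctl -a "relayd/*" -sr prints, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: list the listen ports a relayd.conf declares and report those
# with no matching rule in a dump of pf's "relayd/*" anchor. The pf rule text
# matched below is an assumption about pfctl -sr output on OpenBSD.
set -eu

# Emit one "name proto port" line per listen statement in each redirect block.
relayd_redirects() {   # $1 = path to relayd.conf
    awk '
        /^[ \t]*redirect[ \t]+"/ {
            match($0, /"[^"]*"/); name = substr($0, RSTART + 1, RLENGTH - 2)
        }
        /^[ \t]*listen[ \t]+on[ \t]/ { print name, $4, $6 }
    ' "$1"
}

# Print declared redirects absent from the anchor dump; exit 1 if any are.
missing_redirects() {  # $1 = relayd.conf, $2 = file with: pfctl -a "relayd/*" -sr
    out=$(relayd_redirects "$1" | while read -r name proto port; do
        # assumed pfctl form: "port = 3658" for one port, "port 3478:3479" for a range
        grep -Eq "proto $proto .*port (= )?$port( |\$)" "$2" || echo "$name $proto $port"
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample inputs: a relayd.conf like the one above, and an anchor
# dump in which only the "psn" redirect has been loaded (relayd not restarted).
write_samples() {      # $1 = directory to write into
    cat > "$1/relayd.conf" <<'EOF'
table <ps3rdr> { ps3 }
redirect "psn" {
    listen on pppoe0 tcp port 3658
    listen on pppoe0 udp port 3658
    forward to <ps3rdr> check icmp
}
redirect "blacklist" {
    listen on pppoe0 tcp port 13000
    listen on pppoe0 udp port 13000
    forward to <ps3rdr> check icmp
}
EOF
    cat > "$1/anchor.txt" <<'EOF'
pass in quick inet proto tcp from any to any port = 3658 rdr-to <ps3rdr>
pass in quick inet proto udp from any to any port = 3658 rdr-to <ps3rdr>
EOF
}
```

On the router itself, replace anchor.txt with the real output of pfctl -a "relayd/*" -sr; a non-empty result means either relayd was not restarted or the check icmp for that table host failed and relayd withdrew the rules.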
Some notes:
egress can be used instead of pppoe0 as the interface to listen on.
Another method for forwarding ports is to allow UPnP, where devices request port forwarding rules dynamically. miniupnpd is another OpenBSD daemon (in ports, not base) which will listen for these UPnP requests and insert pf redirect rules in the same way as relayd.
Add anchor miniupnpd to pf.conf, and simply start the miniupnpd daemon after editing miniupnpd.conf.
For my scenario, I originally had miniupnpd set up for the PS3 but found static relayd rules for PSN and Blacklist packets to be adequate.