Internal traffic redirect

From lippmann wiki
Jump to: navigation, search

Copied, for internal use and in case that page ever disappears, from https://flak.tedunangst.com/post/turn-your-network-inside-out-with-one-pfconf-trick

turn your network inside out with one pf.conf trick I think this falls somewhere a little short of common knowledge, but obvious once you know it. It lets machines roam in and out of the network without too much config fiddling. Instead, we configure machines to always use “cloud” services but intercept the packets to provide local services.

Here’s the pf.conf rules I have on my router.

 pass in on cnmac1 proto { udp , tcp } from any to any port domain rdr-to 10.10.10.10 port domain
 pass in on cnmac1 proto { udp , tcp } from any to any port ntp rdr-to 10.10.10.10 port ntp

This steals any DNS or NTP traffic bound for the internet and redirects it back to the local machine, servicing it locally.

Normally one gets a DNS server via DHCP, but I usually prefer to use 8.8.8.8. So I override that option in dhclient.conf. Works great outside the house. But when I’m home, then I really do want to use the local server because that’s the one that knows about other hostnames on the network. This lets me keep a hardcoded config on my laptop and fix it at the router.

Similarly with NTP, although the situation is a little different since we don’t usually get that from the DHCP server. Instead it’s configured once. I could use the ntp.org server pool, but it’s silly to have a half dozen machines each probing several upstream servers. For a while I used a config that pointed at the router directly, but then when I take a laptop on the road, it can’t sync time at all. Solution: point everything at time.google.com in ntpd.conf, and again have the router fix it up. (Bonus benefit: Windows and Apple machines will also now use the router’s time service with no config fiddling either.)

In short, permanently configure laptops for mobile use, and then configure the router to provide optimized services. This is typically easier than trying to configure the laptop to detect which network it’s using.