    Keeping Source IPs

    Category: NAT | 15 Posts, 5 Posters, 1.3k Views
    viragomann @kbarrett

      @kbarrett
      Yes, I know. This is needed as well, but was not the question here.

        JeGr LAYER 8 Moderator @kbarrett

        @kbarrett said in Keeping Source IPs:

        Yes the webserver default gateway points to pfsense IPAddress.

        That's not what was asked. He asked if you set up a GW in your interface that points to your web server. E.g. your webserver is on the LAN segment, so do you have a gateway configured in your pfSense LAN interface settings, NOT in the webserver network configuration?

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

          kbarrett

          In the pfSense Interface, I do not believe we made any changes.
          We accepted defaults for the values except time zone I believe.

            viragomann @kbarrett

            @kbarrett
            During the installation process pfSense asks you for the interface settings like DHCP or IP address and gateway. Possibly you entered a gateway erroneously.
            pfSense will consequently do masquerading on this interface.
            So simply go to the LAN interface settings and verify that the gateway value is showing "none".

              kbarrett

              Sorry for the extreme delays...other items got in the way.
              No, we accepted the defaults for the installation/configuration opening screens. We were able to get NAT running and the Firewall rules working.
              I have to imagine it is setup correctly with the proper options. Just wondering if there is an option that passes the source IP all the way, instead of replacing it with the NAT (Firewall) address.

                SteveITS Galactic Empire @kbarrett

                @kbarrett said in Keeping Source IPs:

                wondering if there is an option that passes the source IP all the way, instead of replacing it with the NAT (Firewall) address

                What you're asking for is the default behavior of all routers including pfSense. The web server on your LAN should not see the pfSense LAN IP address. If your config isn't complicated you might consider resetting it to factory defaults (diag menu) and starting over. Having been in IT for 30 years I'm not sure how I would even try to accomplish this except some sort of reverse proxy. :)

                Rereading your post, where is the web server? On your LAN or outside the network? If outside, NAT will always use the WAN address for outbound connections, that's the point of NAT (public IPv4 address sharing). And one of the points of IPv6 (a quintillion addresses to everyone so everything has its own IP).

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote 👍 helpful posts!

                  kbarrett

                  @steveits said in Keeping Source IPs:
                  All my replies are after the "-->"

                  What you're asking for is the default behavior of all routers including pfSense.
                  --> Alright. Guess I am asking if it can allow the packets without changing the IP (Nat). If it is not possible ok.

                  The web server on your LAN should not see the pfSense LAN IP address.
                  --> It is seeing it.

                  If your config isn't complicated you might consider resetting it to factory defaults (diag menu) and starting over.
                  --> Yes did that.

                  Having been in IT for 30 years I'm not sure how I would even try to accomplish this except some sort of reverse proxy. :)
                  --> Understood. That isn't what we are trying to do. We just want to use the firewall functions it seems not the NAT functions.

                  Rereading your post, where is the web server? On your LAN or outside the network?
                  --> LAN Side

                  If outside, NAT will always use the WAN address for outbound connections, that's the point of NAT (public IPv4 address sharing). And one of the points of IPv6 (a quintillion addresses to everyone so everything has its own IP).
                  --> IIS Server on the inside of the network

                    johnpoz LAYER 8 Global Moderator @kbarrett

                    @kbarrett said in Keeping Source IPs:

                    is always 8.8.8.8 in my logs after being NAT'd and routed to my server?

                    Where is the client talking to your webserver? If you were doing nat reflection and your client was on your network trying to access webserver via your public IP?

                    For this to happen from an external client out on the internet, you would have to be doing source nat via outbound nat rules. Post up your outbound nat rules..

                    example here are mine..

                    outnat.jpg

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      kbarrett

                      @johnpoz said in Keeping Source IPs:

                      Where is the client talking to your webserver? If you were doing nat reflection and your client was on your network trying to access webserver via your public IP?
                      For this to happen from an external client out on the internet, you would have to be doing source nat via outbound nat rules. Post up your outbound nat rules..
                      example here are mine..


                      My Comments are after the >>

                      Where is the client talking to your webserver?

                      External to the segment. Incoming from the internet.
                      If you were doing nat reflection and your client was on your network trying to access webserver via your public IP?
                      No internal traffic should use internal network.

                      For this to happen from an external client out on the internet, you would have to be doing source nat via outbound nat rules.

                      Yes, I am NATing the incoming traffic.
                      Post up your outbound nat rules..
                      Company unfortunately won't allow it, but from your information it seems as long as I NAT I will not see the Internet IP in the logs on the webserver. I will only see the NAT device IP address. Is that a correct understanding?

                        johnpoz LAYER 8 Global Moderator @kbarrett

                        @kbarrett said in Keeping Source IPs:

                        Company unfortunately won't allow it

                        Will not allow you to post up what? What your internal RFC1918 addresses are? WTF?? Someone's tinfoil hat is so freaking tight it's cutting off the blood flow..

                        Like giving away you live on main street. Without even knowing what country you're in, let alone state, etc. Pretty worried about telling someone you live on the planet earth ;) There is zero issue with posting up some arbitrary IP space, and interface be it wan or lan. Hide your RFC1918 space if you want. I just need to see if you're using lan as an outbound nat..

                        Are you using public IP space internally?

                        Not sure how you expect help - when you come back 23 days later and don't even post up an answer to the question.

                        Yes, I am NATing the incoming traffic.

                        If you are source natting external traffic to your webserver - then yeah it is always going to see the IP you natted it to.. Why would you be doing that? Other than circumvention of some firewall running on where you're forwarding to..

                        If you want to see the actual public IP of a client out on the internet talking to something you port forward traffic to, then don't source nat.. Do you understand the difference between a port forward and what I am saying with a source nat?

                        Do you have something in your outbound nat using the LAN interface? vs the WAN - if so that would be a source nat for traffic coming from the internet going to something on your Lan net..

                        Here - do you have something like this in your outbound nat rules?

                        sourcenat.jpg

                        if I forwarded traffic to something on my 192.168.10/24 network - to that device on 192.168.10.X it would look like I am coming from the IP address of my Lan Address.. That is a source nat.

                        edit: BTW to any would-be hackers - please don't hack me now that I have given away that my internal networks use RFC1918.. Like every other internal network on the planet ;)


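As an added example (not code from this thread or from pfSense itself), the two checks the thread converges on, viragomann's "is a gateway set on the LAN interface" and johnpoz's "is there an outbound NAT rule on the LAN interface", expressed as a small offline audit over a pfSense config.xml backup. The XML sample is constructed for this example, and the tag layout it assumes (interfaces/<name>/gateway, nat/outbound/mode, nat/outbound/rule with interface, source, destination, target, descr) only approximates the real backup format; verify the paths against your own export before relying on it.

```python
"""Audit a pfSense config.xml backup for the two settings that make a
port-forwarded LAN host log the firewall's LAN address instead of the
real client address: a gateway on an internal interface (automatic
outbound NAT then masquerades on it) and an explicit outbound NAT rule
whose interface is an internal one (a source NAT toward the LAN host)."""
import xml.etree.ElementTree as ET

# Constructed sample config, not taken from the thread.  The element names
# are an assumption approximating pfSense's backup layout.
SAMPLE_CONFIG = """\
<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><if>em1</if><ipaddr>192.168.10.1</ipaddr><subnet>24</subnet>
         <gateway>GW_LAN</gateway></lan>
  </interfaces>
  <nat>
    <outbound>
      <mode>hybrid</mode>
      <rule>
        <interface>wan</interface>
        <source><network>192.168.10.0/24</network></source>
        <destination><any/></destination>
        <target/>
        <descr>normal egress masquerade (fine)</descr>
      </rule>
      <rule>
        <interface>lan</interface>
        <source><any/></source>
        <destination><network>192.168.10.50/32</network></destination>
        <target/>
        <descr>hides inbound client IP from the web server</descr>
      </rule>
    </outbound>
  </nat>
</pfsense>
"""

# Interfaces that carry internal segments.  Add opt1, opt2, ... as needed
# for a real deployment (assumption for this example).
INTERNAL_IFACES = {"lan"}


def _net(elem):
    """Render a <source> or <destination> element as a short string."""
    if elem is None:
        return "?"
    if elem.find("any") is not None:
        return "any"
    network = elem.findtext("network")
    return network if network is not None else "?"


def audit_config(xml_text, internal_ifaces=INTERNAL_IFACES):
    """Return a list of human-readable findings; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []

    # Check 1: a gateway configured on an internal interface.  pfSense then
    # treats that interface as WAN-type and automatic outbound NAT applies.
    for iface in sorted(internal_ifaces):
        node = root.find(f"interfaces/{iface}")
        if node is None:
            continue
        gateway = (node.findtext("gateway") or "").strip()
        if gateway:
            findings.append(
                f"{iface}: gateway '{gateway}' set on an internal interface "
                f"(should be none)"
            )

    # Check 2: an outbound NAT rule whose interface is internal.  Traffic
    # leaving toward the LAN host has its source rewritten to the rule's
    # target, or to the interface address when no target is given.
    mode = (root.findtext("nat/outbound/mode") or "automatic").strip()
    for rule in root.findall("nat/outbound/rule"):
        iface = (rule.findtext("interface") or "").strip().lower()
        if iface not in internal_ifaces:
            continue
        target = (rule.findtext("target") or "").strip() or f"{iface} address"
        descr = (rule.findtext("descr") or "").strip()
        findings.append(
            f"outbound NAT on {iface}: {_net(rule.find('source'))} -> "
            f"{_net(rule.find('destination'))} rewritten to {target} "
            f"(mode={mode}; descr='{descr}')"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a config.xml exported from the firewall (it stays offline, so the export never leaves the box it is audited on). A finding under "outbound NAT on lan" is exactly the source NAT johnpoz describes: deleting that rule, or going back to automatic outbound NAT with no gateway on LAN, leaves the port forward intact while the IIS logs start showing the client's real address.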
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.