Netgate Discussion Forum
    Intervlan ping problem with nat

    Scheduled Pinned Locked Moved Firewalling
    19 Posts 5 Posters 1.3k Views
    • yguerchet @johnpoz

      @johnpoz

      @johnpoz said in Intervlan ping problem with nat:

      Well if it's resolving to your local IP then NAT reflection would not work, no, whether you have it enabled or not.

      I did not set up a local resolution for toto.fr; the reflection does not work when it is activated.

      @johnpoz said in Intervlan ping problem with nat:

      So you want, when vm1 goes to toto.fr, it hits your WAN IP .69 and looks like it's coming from .70?

      It's the opposite, but yes.

      @johnpoz said in Intervlan ping problem with nat:

      For what possible reason - that makes ZERO sense to do.. What does that get you? Why would you want to do such a thing.. When you could just directly access 1.2 or 2.2 from the other box also on your LAN-side networks.. Just at a loss as to why anyone would want to do such a thing.

      I need to do this because intervlan communication doesn't have to take place, for security reasons. And it's easier to do it that way, I think. But if this is not possible, I would modify my firewall rules.

      • johnpoz (LAYER 8 Global Moderator) @yguerchet

        @yguerchet said in Intervlan ping problem with nat:

        because intervlan communication doesn't have to take place for security reasons

        But you are allowing it, just via some roundabout way.. I really don't think you could do what you're asking. Especially when .69 and .70 reside on the same actual interface.. If they were different interfaces then you could maybe make it happen.. But if .69 and .70 are on the same physical interface - no, I don't think you can do it.

        Just open a pinhole firewall rule so that 1.2 can talk to 2.2, or vice versa, on the port(s) you want to access.

        This is done all the time when something in a DMZ segment, for example, needs to say pull data from a DB server or something that does not reside in the DMZ segment.

        Look at it this way as well: if you have some device in your DMZ.. And it is open to the public.. Why would you not allow your LAN to talk to it directly through the firewall's local network interfaces? Doing some oddball routing out and then back in sure doesn't change any security.. But it sure makes it a cluster.. And such a cluster sure makes it more likely for some security issue to be overlooked. Nothing says that you have to open all traffic to and from these segments. Just the traffic that is required for you to do what you're trying to do.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • yguerchet @johnpoz

          @johnpoz Hello, thanks for your response, I didn't know I can't do that if the WAN address is on the same interface. For information, .70 is a virtual IP on .69, so it is on the same interface.
          I've just one question: what is the goal of NAT reflection? Does it only work if the WAN addresses are not on the same interface?

          Thank you for your advice, have a good day.

          • johnpoz (LAYER 8 Global Moderator) @yguerchet

            @yguerchet said in Intervlan ping problem with nat:

            what is the goal of NAT reflection

            NAT reflection can be done on a VIP. But I don't think you could make it work going to public .70 and making it look like it came from public .69.

            But you should be able to hit public .70 directly and be reflected. Or .69 and be reflected - you just have to set it up. And again - if your FQDN doesn't actually resolve to the .69 or .70 then how could it be reflected? You stated you are resolving to the local IP.

            When my machine pings toto.fr the network flow is 192.168.2.2 -> 192.168.1.2.


            • yguerchet @johnpoz

              @johnpoz

              @johnpoz said in Intervlan ping problem with nat:

              But you should be able to hit public.70 directly and be reflected. Or .69 and be reflected - you just have to set it up. And again - if your fqdn doesn't actually resolve to the .69 or .70 then how could it be reflected, you stated you are resolving to the local IP.

              No, I'm not resolving to the local IP; when I type ping toto.fr, I see in the console:
              PING toto.fr (208.123.73.70) 56(84) bytes of data.

              So the IP is correctly resolved, but when I look at the network flow with tcpdump or the firewall logs, I see a ping through private IPs. And I don't understand why.

              • johnpoz (LAYER 8 Global Moderator) @yguerchet

                @yguerchet said in Intervlan ping problem with nat:

                i see a ping through private ip. And i don't understand why

                That sure and the hell isn't happening.. There is no freaking way you resolved some FQDN from your ping command to a public IP and it sent it to an RFC1918 address.

                Please provide your sniff of you doing your ping from your client..

                Sorry, it just doesn't work that way - it doesn't. If you resolved some FQDN to IP address 1.2.3.4 the machine would send traffic to 1.2.3.4, not 5.6.7.8.

                Maybe you were looking at the reflection, if you're not doing NAT+Proxy mode..


                • yguerchet @johnpoz

                  @johnpoz I can give you screenshots from multiple tcpdumps on different interfaces as soon as possible :)
                  Thanks for your help

                  • johnpoz (LAYER 8 Global Moderator) @yguerchet

                    @yguerchet read my edit - sorry, it's just not possible... So yeah, love to see this sniff of the traffic from the client sending the ping.. What you say is just not possible.

                    What you're probably seeing is the reflection: if you sniff on the server you're trying to ping, then yeah, it's going to show the source IP, if you're not doing NAT+proxy...

                    Again, you're doing this the HARD freaking way!! Why? For some misguided understanding of security concepts.. You're allowing the traffic!! Reflecting it is no more secure than just directly allowing what you want in the first place. If you want A to talk to B, then allow A to talk to B on port X, etc.. Reflecting it sure and the hell doesn't make it any more secure..


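The exchange above turns on what each capture point actually records. The following is an added example, not code from the thread or from pfSense: a small model of a LAN client pinging a public address that is NATed back into another VLAN, traced through the firewall with NAT reflection off, in pure NAT mode, and in NAT + Proxy mode. The addresses follow the thread (client 192.168.2.2, server 192.168.1.2, WAN 208.123.73.69 with VIP .70); the forward mapping and the firewall's own address on the server VLAN (192.168.1.1) are assumed sample values.

```python
# Added example (not from the thread or from pfSense): what a capture shows at
# each hop when a client on one VLAN pings a public VIP that is NATed back to a
# server on another VLAN. Addresses are constructed to match the thread.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16"))

# Inbound NAT on the WAN: public VIP .70 is forwarded to the server (constructed).
FORWARDS = {"208.123.73.70": "192.168.1.2"}
# Address the firewall uses on the server's VLAN (assumed).
FIREWALL_ON_SERVER_VLAN = "192.168.1.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"


def is_private(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def trace(pkt: Packet, reflection: bool, nat_proxy: bool = False):
    """Return [(capture_point, packet)] for a packet sent by a LAN client.

    The client always sends to the IP it resolved (the 'client' hop).
    What happens next depends on NAT reflection:
      - reflection off: the packet is addressed to one of the firewall's own
        WAN addresses and no redirect applies on the LAN side, so the
        firewall itself is the endpoint; nothing reaches the server.
      - pure NAT reflection: destination rewritten to the forward target,
        source left alone, so the server sees client -> server, both private.
      - NAT + Proxy (pfSense applies this to TCP only): the firewall also
        rewrites the source to its own address on the server's VLAN.
    """
    hops = [("client", pkt)]
    target = FORWARDS.get(pkt.dst)
    if target is None:
        hops.append(("wan", pkt))        # not one of our forwards: routed out
        return hops
    if not reflection:
        hops.append(("firewall", pkt))   # terminates on the firewall
        return hops
    reflected = replace(pkt, dst=target)
    if nat_proxy and pkt.proto == "tcp":
        reflected = replace(reflected, src=FIREWALL_ON_SERVER_VLAN)
    hops.append(("server", reflected))
    return hops


def server_sees_private_pair(hops) -> bool:
    """True when the capture on the server shows a private -> private flow,
    i.e. the 'ping through private IP' described in the thread."""
    for point, p in hops:
        if point == "server":
            return is_private(p.src) and is_private(p.dst)
    return False


def client_sent_to_private(hops) -> bool:
    """At the client hop a resolved public address never becomes private."""
    return is_private(hops[0][1].dst)


if __name__ == "__main__":
    ping = Packet("192.168.2.2", "208.123.73.70")
    cases = (("reflection off", dict(reflection=False)),
             ("pure NAT reflection", dict(reflection=True)),
             ("NAT+proxy (ICMP, so still pure NAT)", dict(reflection=True, nat_proxy=True)))
    for name, kw in cases:
        print(name)
        for point, p in trace(ping, **kw):
            print(f"  {point:8s} {p.src} -> {p.dst} ({p.proto})")
```

Run it and compare the "client" line with the "server" line for the pure NAT case: the client's capture shows 192.168.2.2 -> 208.123.73.70, while the server's capture shows 192.168.2.2 -> 192.168.1.2, which is exactly the private-to-private flow reported earlier in the thread. Sniffing on the client (as requested above) is what distinguishes the two.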
                    • yguerchet @johnpoz

                      @johnpoz OK, thanks for your response, I understand better :).
                      When I have time I will do some tests to better understand.
                      But to summarize our exchange, the simplest and most common approach is to authorize intervlan communication on the desired ports.

                      • johnpoz (LAYER 8 Global Moderator) @yguerchet

                        @yguerchet said in Intervlan ping problem with nat:

                        The simplest and most common is to authorize intervlan communication on the desired ports

                        Yes... It can be as restrictive as you want... Only this IP talking to that IP on this port, etc. etc. The minimum required for what you're wanting to do..

                        I, for example, let my Rokus on their VLAN talk to the Plex server on its VLAN on port 32400.. Because it's a requirement to use my Plex; I'm sure not going to relay it or bounce it off my own WAN, etc. But the Roku stuff cannot talk to anything else on my other VLANs, etc. Just the Plex IP on port 32400.


                        • mytsuu @yguerchet

                          Hi @yguerchet. As @johnpoz pointed out, this doesn't work that way.

                          Considering you have 1:1 NAT for the DNS A record (I assume that is your target resolution for the DNS query), all you have to do is turn on the "Enable DNS forward" option and configure it as shown below:

                          Host Overrides (screenshot: Screen Shot 2022-04-04 at 11.29.33.png)

                          Save, Apply and TRY to PING toto.fr from ANY local IP address.

                          • Make sure your LAN or OPT interfaces allow DNS port 53 with "Destination" set to This firewall (self), between them.
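Both the pinhole advice earlier in the thread (allow only this IP to that IP on this port) and the note just above about keeping DNS to "This firewall (self)" open come down to an ordered, first-match rule set with a default deny. The following is an added example, not code from the thread or from pfSense: a minimal model of that rule set for the Roku/Plex case, evaluated pfSense-style (first match wins, default deny), with each rule also rendered in pf.conf syntax so the intent is readable. The interface name vlan2, the firewall's own addresses 192.168.1.1 and 192.168.2.1, and the subnets are assumed sample values; port 32400 and the Plex/Roku roles come from the thread.

```python
# Added example (not from the thread or from pfSense): first-match evaluation
# of a least-privilege inter-VLAN rule set, plus rendering in pf.conf syntax.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

SELF = {"192.168.1.1", "192.168.2.1"}   # "This firewall (self)" (assumed addresses)


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "self":
        return addr in SELF
    return ip_address(addr) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class Pkt:
    iface: str                  # interface the packet arrives on
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    iface: str
    proto: str = "any"
    src: str = "any"            # address or CIDR
    dst: str = "any"            # address, CIDR or "self"
    dport: Optional[int] = None

    def matches(self, pkt: Pkt) -> bool:
        if self.iface != pkt.iface:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if not _addr_match(self.src, pkt.src) or not _addr_match(self.dst, pkt.dst):
            return False
        return self.dport is None or self.dport == pkt.dport

    def to_pf(self) -> str:
        """Render in pf.conf syntax; 'quick' makes the first match final."""
        parts = [self.action, "in", "quick", "on", self.iface]
        if self.proto != "any":
            parts += ["proto", self.proto]
        parts += ["from", self.src, "to", self.dst]
        if self.dport is not None:
            parts += ["port", str(self.dport)]
        return " ".join(parts)


def evaluate(rules, pkt: Pkt) -> str:
    """pfSense-style first match; default deny if nothing matches."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return "block"


# Rule set on the Roku VLAN (vlan2, 192.168.2.0/24); Plex lives at 192.168.1.2.
RULES = [
    Rule("pass", "vlan2", "udp", "192.168.2.0/24", "self", 53),          # DNS to the firewall itself
    Rule("pass", "vlan2", "tcp", "192.168.2.2", "192.168.1.2", 32400),   # the single pinhole
    Rule("block", "vlan2", src="192.168.2.0/24", dst="192.168.0.0/16"),  # no other inter-VLAN traffic
    Rule("pass", "vlan2", src="192.168.2.0/24"),                         # everything else (Internet)
]

if __name__ == "__main__":
    for r in RULES:
        print(r.to_pf())
    samples = [
        Pkt("vlan2", "192.168.2.2", "192.168.1.2", "tcp", 32400),  # Roku -> Plex: pass
        Pkt("vlan2", "192.168.2.2", "192.168.1.2", "tcp", 22),     # same hosts, other port: block
        Pkt("vlan2", "192.168.2.5", "192.168.1.2", "tcp", 32400),  # other Roku-VLAN host: block
        Pkt("vlan2", "192.168.2.2", "192.168.2.1", "udp", 53),     # DNS to firewall: pass
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst}:{p.dport}/{p.proto}: {evaluate(RULES, p)}")
```

The order matters: the DNS and Plex pass rules must sit above the inter-VLAN block, and the block must sit above the catch-all pass, otherwise the catch-all would quietly allow every inter-VLAN flow. Nothing here bounces traffic off the WAN; the server receives the same client -> server flow it would under NAT reflection, which is the point made earlier about reflection adding no security.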
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.