Netgate Discussion Forum
    Intervlan ping problem with nat

    Firewalling | 19 Posts 5 Posters 1.3k Views
      johnpoz LAYER 8 Global Moderator @yguerchet
      last edited by johnpoz

      @yguerchet said in Intervlan ping problem with nat:

      because intervlan communication doesn't have to take place for security reasons

      But you are allowing it, just via some roundabout way.. I really don't think you could do what you're asking. Especially when .69 and .70 reside on the same actual interface.. If they were different interfaces then you could maybe make it happen.. But if .69 and .70 are on the same physical interface - no I don't think you can do it.

      Just open a pinhole firewall rule so that 1.2 can talk to 2.2 or vice versa on the port(s) you want to access.

      This is done all the time when something in a dmz segment for example needs to say pull data from a db server or something that does not reside in the dmz segment.

      Look at it this way as well, if you have some device in your dmz.. And it is open to the public.. Why would you not allow your lan to talk to it directly through the firewall local network interfaces? Doing some odd ball routing out and then back in sure doesn't change any security.. But it sure makes it a cluster.. And such a cluster sure makes it more likely for some security issue to be overlooked. Nothing saying that you have to open all traffic to and from these segments. Just the traffic that is required for you to do what you're trying to do.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        yguerchet @johnpoz
        last edited by

        @johnpoz Hello, thanks for your response, I didn't know I can't do that if the WAN address is on the same interface. For information, .70 is a virtual IP on .69, so it is on the same interface.
        I've just one question, what is the goal of NAT reflection? Does it only work if the WAN addresses are not on the same interface?

        Thank you for your advice, have a good day.

          johnpoz LAYER 8 Global Moderator @yguerchet
          last edited by johnpoz

          @yguerchet said in Intervlan ping problem with nat:

          what is the goal of NAT reflection

          NAT reflection can be done on a vip. But I don't think you could make it work going to public.70 and making it look like it came from public.69

          But you should be able to hit public.70 directly and be reflected. Or .69 and be reflected - you just have to set it up. And again - if your FQDN doesn't actually resolve to the .69 or .70 then how could it be reflected, you stated you are resolving to the local IP.

          When my machine pings toto.fr in the network flow is 192.168.2.2 -> 192.168.1.2.

            yguerchet @johnpoz
            last edited by

            @johnpoz

            @johnpoz said in Intervlan ping problem with nat:

            But you should be able to hit public.70 directly and be reflected. Or .69 and be reflected - you just have to set it up. And again - if your fqdn doesn't actually resolve to the .69 or .70 then how could it be reflected, you stated you are resolving to the local IP.

            No, I'm not resolving to the local IP; when I write: ping toto.fr, I see in the console
            PING toto.fr (208.123.73.70) 56(84) bytes of data.

            So the IP is correctly resolved, but I don't understand why, when I look at the network flow with tcpdump or the firewall logs, I see a ping through the private IP. And I don't understand why

              johnpoz LAYER 8 Global Moderator @yguerchet
              last edited by johnpoz

              @yguerchet said in Intervlan ping problem with nat:

              i see a ping through private ip. And i don't understand why

              That sure and the hell isn't happening.. There is no freaking way you resolved some fqdn domain from your ping command to a public IP and it sent it to a rfc1918 address.

              Please provide your sniff of you doing your ping from your client..

              Sorry it just doesn't work that way - it doesn't. If you resolved some fqdn to IP address 1.2.3.4 the machine would send traffic to 1.2.3.4, not 5.6.7.8

              Maybe you were looking at the reflection, if you're not doing NAT+Proxy mode..

                yguerchet @johnpoz
                last edited by

                @johnpoz I can give you screenshots from multiple tcpdump captures on different interfaces as soon as possible :)
                Thanks for your help

                  johnpoz LAYER 8 Global Moderator @yguerchet
                  last edited by

                  @yguerchet read my edit - sorry it's just not possible... So yeah love to see this sniff of the traffic from the client sending the ping.. What you say is just not possible.

                  What you're prob seeing is the reflection if you sniff on the server you're trying to ping, then yeah it's going to show the source IP, if you're not doing nat+proxy...

                  Again you're doing this the HARD freaking way!! Why? For some misguided understanding of security concepts.. You're allowing the traffic!! Reflecting it is no more secure than just directly allowing what you want in the first place. If you want A to talk to B, then allow A to talk to B on port X, etc.. Reflecting it sure and the hell doesn't make it any more secure..

                    yguerchet @johnpoz
                    last edited by

                    @johnpoz Ok thanks for your response, I understand better :).
                    When I have time I will do some tests to better understand.
                    But to summarize our exchange, the simplest and most common is to authorize intervlan communication on the desired ports

                      johnpoz LAYER 8 Global Moderator @yguerchet
                      last edited by johnpoz

                      @yguerchet said in Intervlan ping problem with nat:

                      The simplest and most common is to authorize intervlan communication on the desired ports

                      Yes... It can be as restrictive as you want... Only this IP talking to that IP on this port, etc. etc. Min required for what you're wanting to do..

                      I for example let my Rokus on their vlan talk to the plex server on its vlan on port 32400.. Because it's a requirement to use my plex, sure not going to relay it or bounce it off my own wan, etc. But the roku stuff can not talk to anything else on my other vlans, etc. Just the plex IP on port 32400.

                        mytsuu @yguerchet
                        last edited by

                        Hi @yguerchet As @johnpoz pointed out, this doesn't work that way.

                        Considering you have NAT 1:1 of the DNS A record (I assume that is your target resolution for the DNS query), all you have to do is to "Enable DNS forward" option and configure as shown below;

                        Host Overrides (screenshot: Screen Shot 2022-04-04 at 11.29.33.png)

                        Save, Apply and TRY to PING toto.fr from ANY local IP address.

                        • Make sure your LAN or OPT interfaces allow DNS port 53 "Destination" This firewall (self) between them.
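As an added example, not from the thread or from pfSense itself, here is the policy the thread converges on (default deny between the two segments, an explicit pinhole for the one flow that is needed, DNS allowed to the firewall itself so the host override answers), written as plain pf rules; the interface names and every host beyond the thread's own 192.168.1.2, 192.168.2.2 and port 32400 are assumptions.

```pf
# Added illustration, not pfSense-generated output: the inter-VLAN policy the
# thread settles on, as plain pf rules. Interface names, subnets and the Plex
# and Roku addresses are assumed; 192.168.1.2, 192.168.2.2 and 32400 come
# from the thread.
srv_if   = "vlan1"                # segment holding the internal toto.fr host
cli_if   = "vlan2"                # segment holding the client that pings it
srv_net  = "192.168.1.0/24"
cli_net  = "192.168.2.0/24"
toto_srv = "192.168.1.2"          # what the split-DNS host override resolves toto.fr to
client   = "192.168.2.2"
plex_srv = "192.168.1.10"         # assumed address for the Roku -> Plex example
rokus    = "{ 192.168.2.20, 192.168.2.21 }"   # assumed Roku addresses

set skip on lo0
block in log all                  # default deny: everything below is an explicit pinhole

# Each segment may reach the firewall itself ("This firewall (self)" in the GUI)
# on port 53, so the Unbound host override can answer toto.fr with 192.168.1.2.
pass in quick on $cli_if proto { tcp, udp } from $cli_net to ($cli_if) port 53
pass in quick on $srv_if proto { tcp, udp } from $srv_net to ($srv_if) port 53

# Pinhole 1: the one client may ping the one server (the 2.2 -> 1.2 flow seen
# in the thread), and nothing else on that segment.
pass in quick on $cli_if inet proto icmp from $client to $toto_srv icmp-type echoreq

# Pinhole 2: only the Rokus, only to the Plex server, only TCP/32400.
pass in quick on $cli_if proto tcp from $rokus to $plex_srv port 32400

# Nothing else crosses between the two segments; log it so misses are visible.
block in quick log on $cli_if from $cli_net to $srv_net
block in quick log on $srv_if from $srv_net to $cli_net

# Internet access for both segments. The quick blocks above already matched any
# inter-VLAN packet, so these "to any" rules cannot leak between the VLANs.
pass in quick on $cli_if from $cli_net to any
pass in quick on $srv_if from $srv_net to any
```

The pinhole rules carry state, so the replies to the ping and to the Plex connection return without a matching rule on the server-side interface; any flow that is not listed is dropped and logged, which is the check you want when a segment that should be isolated suddenly shows traffic.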
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.