NAT to set SSH proxy on local LAN between 2 subnets

nadigo

Hi,

I have testing environment, I need to proxy for ssh traffic on LAN.
I need to set nat rule so when from (10.0.0.1) I will ssh to (10.0.1.200 22), traffic will actually go to (10.0.0.123 2222) which is my ssh proxy server that will then ssh to the original host (10.0.1.200 22) without nat,
traffic needs to get back on the same path, from the original ssh server (10.0.1.200) to the proxy (10.0.0.123) and then to (10.0.0.1)

traffic is sequence is:

10.0.0.1 –> 10.0.1.200 22 --(nat to)--> 10.0.0.123 2222
10.0.0.123 --(no nat) --> 10.0.1.200 2222

return
10.0.1.200 --(no nat)--> 10.0.0.123
10.0.0.123 --(nat return) --> 10.0.0.1

I added a virtual IP for the LAN interface so routing from 10.0.0.1 to 10.0.1.200 is going via the pfsense

traceroute to 10.0.1.200 (10.0.1.200), 64 hops max, 52 byte packets
1  10.0.0.254 (10.0.0.254)  0.489 ms  0.409 ms  0.258 ms
2  10.0.1.200 (10.0.1.200)  0.364 ms  0.508 ms  0.500 ms

but the nat rule I set is not working, I suspect it is not working on the return traffic from 10.0.0.123 --> 10.0.0.1 but I am not sure

this is my rule - https://www.dropbox.com/s/k5yjc0zns5q9xwh/Screen%20Shot%202014-11-25%20at%2011.05.54%20PM.png?dl=0

any advise ?

thx
nadav

muswellhillbilly

From what you've said about this, it seems you're trying to NAT traffic from an internal address via your firewall to another internal address (10.0.0.1 -> NAT -> 10.0.0.123). This is going to cause a routing problem, as you're NATing from internal to internal. You say that your 10.0.0.123 host can redirect to 10.0.1.200 without NAT - yet they're on different address ranges (I assume you're using a class C netmask, though you don't actually state this).

You don't need NAT if you're passing traffic from one local host to another host. I can't quite see what you're trying to achieve, though perhaps a more detailed description of your network (with net masks, routes) and what you're aiming to ultimately do would be helpful.

nadigo

you are right muswellhillbilly, the subnets are class c / 24

my network is

WAN
|
      pfsense

LAN - physical IP (10.0.0.254 / 24) + virtual IP (10.0.1.254 / 24)

/
        /  \

10.0.0.123 10.0.1.200

I am trying to have the outgoing ssh connection go via proxy server
so even that the IP that was typed is one that is reachable via the router route it will be shaped to a different IP and port 
so when typing 10.0.1.200 (from 10.0.0.1), the route needs to go via the psfense router (10.0.0.254) that normally only needs to route it to the other virtual IP of the LAN (10.0.1.254)
but what I need it that the pfsense will NAT this connection, and will send it to 10.0.0.123 port 2222 (and not directly to 10.0.1.200 port 22)

hope this is more clear

muswellhillbilly

Once more I'll say again that I can't see why you're NATing from one local address to another local address. You can just point your 10.0.0.1 host directly to 10.0.0.123:2222 and have the 10.0.0.123 host proxy/forward the request to 10.0.1.200. You don't need NAT at all if your simply directing traffic from one local address to another.

nadigo

i need that the user will type 'ssh root@10.0.1.200' … so that the proxy will be transparent