Getting started with NAT
-
Hi - I'm new to pfSense, and I'm struggling a little to do what I want. Here's hoping there's enough below for some kind soul to help me out...
The problem:
I've got a /28 of public IP addresses, and I want to designate some of them as web servers, some as compute servers etc. Different ports will be open on them all, and internally they all use a multicast network to communicate, but I don't want the multicast traffic getting off the internal network. Basically I want everything blocked apart from specific ports to specific servers.The situation
Right now, all this is sitting behind my Pace modem on AT&T's gigabit service, but ultimately I'll be moving it to a co-lo environment. The goal is to get all the wrinkles sorted out here before moving it over.What I thought I needed
Since I want to only allow specific traffic to specific IP addresses, I was planning on first allowing nothing through, and then using NAT to poke holes and redirect to the correct internal IP as needed. Unfortunately I can't seem to find a way of saying "traffic originally directed towards port X on this public IP should be routed to port Y on internal 10.x.y.z instead.To be clear, I can see the option on the page to specify the original destination, which I do understand ought to be an IP from the WAN range, but whenever I try to put something there, the cursor changes to the 'forbidden' style (sort of like a no-entry sign) and I can't type in.
I thought maybe you had to have already defined the IP addresses that could be selected there, so I tried adding a 'virtual IP' under 'Firewall -> Virtual IP's', but it didn't make any difference, I still can't fill out the field :(
So, am I just "holding it wrong", or is there something else I have to do before that destination field becomes editable, or am I missing the obvious elephant in the room :)
Update
Ok, so I was being stupid :) I was looking at 'WAN address' in the pulldown, and hadn't noticed the virtual IP address at the bottom of the list. I still can't ssh through though.- If I set it to 'WAN address', I can ssh in from the outside world when using the public IP address of the pfSense machine - I get to the target machine on the 10.x,y,z network.
- If I set the destination to the a.b.c.d address (the next IP in the subnet) I have specified as a virtual IP, then I can no longer get to the target machine when trying to ssh to a.b.c.d
-
You want to create a Virtual IP - IP Alias for the public addresses you want pfSense to handle. From there, creating a NAT port forward from the desired VIP to the internal server is usually straightforward. Have you gone through this doc?
https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html
You said you could connect to one server via the WAN address, so that NAT seems to be working.
-
Sorry for the late reply. My system decided it didn't want to boot on Saturday. I've finally restored the 2TB of my home partition [sigh]
I've created the virtual IP, and created the NAT rule that has destination set to the virtual IP address, and redirect target port set to 10.2.0.1 (the internal IP that my computer has on one of its ethernet ports). I didn't touch 'source'.
So now I can ssh into the public IP on this Mac, but not via the public IP that is the gateway's virtual IP, which is supposed to be routed via the rule. I'm pretty sure the Mac is listening on all interfaces - the netstat -an output looks like:
sh-3.2# netstat -an | grep 22 tcp4 0 0 *.22 *.* LISTEN tcp6 0 0 *.22 *.* LISTEN
.. so it's not just the Mac ignoring connections on the 10.whatever network. I turned off the local-to-the-Mac firewall before trying the ssh command, so it's not that it's getting blocked at the Mac by "Little Snitch" - but every time I try to ssh into the machine via the gateway virtual IP I just get:
ssh: connect to host <host> port 22: Operation timed out
The thing is that I told pfSense to log the filter rule, and I'm not seeing anything in the log about the connection at all. I'm beginning to run out of ideas - I'm sure that this does work, but it's not working for me :(
-
Are you testing from outside your network, or from inside by using the public address? You always want to test your NATs externally.
https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks
-
Yes :)
The Mac I'm using has 3 networks defined on it
- The 10.a.b.c network that's "internal", behind the pfSense firewall
- The public IP subnet that I have at home
- A VPN to work.
The pfSense box has 2 networks defined on it
- The public IP subnet that I have at home, of which it has 2 IP addresses in use - it's own + a virtual IP address defined as the next one in the subnet.
- The internal 10.a.b.c subnet that it set up.
So I can ssh to work, then attempt to ssh back to either the public IP or the gateway virtual IP. The public IP works, the virtual IP address that the gateway is advertising does not.
From the Mac, I can ping the pfSense firewall:
[Mac-mini:~]% ping 10.1.1.1 PING 10.1.1.1 (10.1.1.1): 56 data bytes 64 bytes from 10.1.1.1: icmp_seq=0 ttl=64 time=0.619 ms 64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=0.277 ms
So the network is up. I had disabled the internal firewall ("Little Snitch") on the Mac for testing, and ssh was running on it (verified by ssh-ing to the public IP), so in theory I ought to be able to ssh into it via the virtual IP if routing is working correctly on the pfSense firewall.
Thanks for all the help, btw :)
-
Please post sanitized screens of your VIPs, NAT rules, and WAN rules. Let's see what we're dealing with here.
-
Ok, when I get home :)
-
Ok, so here goes. The Mac is set up to have an IP address on the network "behind" the pfSense firewall of 10.2.0.1...
The pfsense firewall has a virtual IP set up as .140 (it's "normal" IP is .141)
The WAN is configured as:
There is only one NAT rule defined:
Which looks like:
And there is only one firewall rule defined:
Which looks like:
Hope that helps :)
-
AAaaaand never mind.
Something is going on in-between my work machine and the pfsense router.
I have a linux box that only has an IP address within the public subnet IP range. If I ssh to there from the Mac, then ssh from there to the virtual IP address, pfsense is happily transferring me through to the Mac mini, and Wireshark shows the ssh packets on the network interface.
My current theory is that the Pace gateway router that AT&T installed is somehow getting involved, and denying the packets from ever getting to the pfsense router for some reason. I was under the impression that it was operating as a pass-through router, not as a firewall, but that may be wrong. It's possible I have to set it up as a 'cascade router' rather than the 'secondary network' setup it's currently configured for.
Sorry for the waste of bandwidth :( but thanks for all the help :)
-
I was going to next suggest that you packet capture on both WAN and LAN to see if the packets are hitting and where they're going but you figured it out. Glad to hear you've got it sort of working. You want your modem in bridged mode so that it acts like a dumb pipe without any firewalling or NATing. If that isn't possible then you're stuck with double-NAT where you forward ports on both your modem and pfSense. Blech.