1:1 NAT Troubles - return traffic issue
-
I'm having an issue configuring a 1:1 NAT. I have an ESXi host that has a DMZ interface with 1.2.3.0/24 for the WAN, and using 192.168.10.0/24 for the LAN. I am running pfSense on this host.
WAN: 1.2.3.20
LAN: 192.168.10.1
Ultimately, I am trying to configure a 1:1 NAT, so that 1.2.3.21 -> 192.168.10.21. Seems simple enough.
I went to the 1:1 NAT page and set:
Interface: WAN
External Subnet IP: 1.2.3.21
Internal IP: Single host, 192.168.10.21
When I do this, if I try to reach 1.2.3.21:443 from the outside (let's call my source IP 2.3.4.5), I see the traffic reaching the 192.168.10.21 host in a tcpdump on that host, and responding back to 2.3.4.5. Problem is, I never see the return packet to 2.3.4.5 hit the pfSense - in fact, I don't see any traffic from 192.168.10.21 hit the pfSense, so it seems like it doesn't know how to get back to pfSense to send it back to me.
Maybe I am missing a route of some sort? What am I doing wrong here?
-
@bdf0506 192.168.10.21 default gateway points to?
-
192.168.10.21 points to 192.168.10.254. I'm guessing I need it to point to the pfSense LAN address, but if I do that, it presents a whole new problem, as I don't control the gateway - a third party does, and I can't modify the gateway that is being used and I really can't mess with those routes.
I'll have to play around with this if you believe that is the issue.
-
@bdf0506 I don't think. I'm sure. You need to have default gateway pointing to pf.
Or make 192.168.10.254 forward all traffic to pf.
-
Got it. Thanks for keeping me in check on this. I don't think this setup will work given my arch.
-
@netblues here's the full use case, let's see if you can help me come to a solution - any help is much appreciated.
On a network that I do not manage, and can't make any modifications to, I've been given 2 ESXi hosts. Each ESXi has two port groups available - one is the DMZ network in 1.2.3.0/24 and the other is the internal network 192.168.10.0/24. The ESXi hosts are IP'd in the 192.168.10.0/24 subnet and ESXi 1 is 192.168.10.11, ESXi 2 is 192.168.10.12, and the GW for this network is 192.168.10.254.
While I can simply use the 1.2.3.0/24 DMZ for the host IPs, I will have no control on the traffic that is coming into these hosts, as I'd like to apply firewall rules and see activity to the hosts.
I would rather IP my hosts in 192.168.10.0/24, and run a 1:1 NAT from the DMZ to the internal hosts. I gave the WAN interface of pfSense 1.2.3.20 (which is connected to the DMZ port group), and gave the LAN interface 192.168.10.1 (which is connected to the management network port group). As mentioned before, I can't adjust the gateway of the hosts, so the hosts will have to run through 192.168.10.254. I think without being able to modify the gateway, there's nothing I can really do.
I thought of creating an internal only subnet to use, but I won't be able to share that subnet between both ESXi hosts, and also other hosts outside this network won't ever be able to find this subnet since the rest of the network doesn't know about this private network. I also thought about carving out part of the 192.168.10.0/24 network for use as well, but there would be too many other routing issues.
Any other ideas that could solve this? Thanks for the help.
-
@bdf0506 said in 1:1 NAT Troubles - return traffic issue:
@netblues here's the full use case, let's see if you can help me come to a solution - any help is much appreciated.
I've been given 2 ESXi hosts.
Any other ideas that could solve this? Thanks for the help.
Does this mean that you are administering the guest hosts? You are root/administrator and can make changes on the guest OS settings?
-
@netblues yes, that is correct. I have full root access to the ESXi host and the guest hosts as well on the ESXi. I just don’t have access to make any network changes outside of what is available to me outside of ESXi.
-
Now I'm confused.
You have two guest hosts on esxi, one of them being the pf.
And you have full admin access on the guests.
So you can change the default gw on host1 to point to pf lan on host2.
I suspect these two are on the same bridge or other common interface.
As for the rest of the network, you can route e.g. all RFC 1918 IP space to the original default gw and keep everybody at bay.
Perhaps I'm missing something here. Please elaborate.
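The routing problem in the first post and the fix proposed in the last one can be worked through with a plain longest-prefix-match lookup. The following is an added example, not code from the thread or from pfSense: it builds the internal host's routing table as described (default via 192.168.10.254), shows that the reply to the outside client 2.3.4.5 never reaches the pfSense LAN address, then applies the suggested table (default via pfSense, RFC 1918 space still via the original gateway) and shows that internal traffic keeps its old path while Internet-bound replies now pass back through the firewall where pf's state table can un-NAT them. The function names and the extra sample addresses (192.168.10.50, 10.20.30.40) are assumptions made for the example.

```python
"""Longest-prefix-match routing lookup illustrating the asymmetric-routing
problem in the thread: the internal host's reply to the outside client must
leave via the pfSense LAN address, not via the network's original gateway.

Added example; the routing tables and extra sample addresses are constructed.
"""
import ipaddress

PFSENSE_LAN = "192.168.10.1"       # pfSense LAN interface (from the thread)
ORIGINAL_GW = "192.168.10.254"     # third-party gateway the hosts currently use
OUTSIDE_CLIENT = "2.3.4.5"         # the poster's example source IP


def next_hop(routes, dst):
    """Return the gateway for dst using longest-prefix match.

    routes: list of (prefix, gateway) tuples; gateway None means
    'directly connected' (delivered on the local segment)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


# Routing table of 192.168.10.21 as described in the thread: default via .254.
BROKEN_ROUTES = [
    ("192.168.10.0/24", None),
    ("0.0.0.0/0", ORIGINAL_GW),
]

# Routing table after the fix suggested in the last post: default via pfSense,
# RFC 1918 space still via the original gateway so internal traffic is unchanged.
FIXED_ROUTES = [
    ("192.168.10.0/24", None),
    ("10.0.0.0/8", ORIGINAL_GW),
    ("172.16.0.0/12", ORIGINAL_GW),
    ("192.168.0.0/16", ORIGINAL_GW),
    ("0.0.0.0/0", PFSENSE_LAN),
]


def reply_traverses_firewall(routes, client_ip):
    """True if the internal host's reply to client_ip is handed to pfSense.

    pf holds state for the inbound 1:1 NAT connection; a reply that bypasses
    pfSense is never translated back to 1.2.3.21, so the client sees no answer."""
    return next_hop(routes, client_ip) == PFSENSE_LAN


if __name__ == "__main__":
    for name, table in (("broken", BROKEN_ROUTES), ("fixed", FIXED_ROUTES)):
        hop = next_hop(table, OUTSIDE_CLIENT)
        ok = reply_traverses_firewall(table, OUTSIDE_CLIENT)
        print(f"{name}: reply to {OUTSIDE_CLIENT} goes via {hop} -> "
              f"{'passes through pfSense' if ok else 'bypasses pfSense'}")
    # Internal destinations still follow the original paths after the fix.
    print("fixed: 192.168.10.50 ->", next_hop(FIXED_ROUTES, "192.168.10.50"))
    print("fixed: 10.20.30.40 ->", next_hop(FIXED_ROUTES, "10.20.30.40"))
```

Whether the guest OS is FreeBSD, Linux or Windows, the same table is expressed with that OS's route commands (one default route plus the three RFC 1918 prefixes); the lookup above is just the check that the resulting table sends Internet-bound replies through the firewall and everything else along the existing path.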