First configuration : NAT

Freyja

As an addition, I think there were some misunderstanding somewhere.
I'm not using any VIP, I'm using only interface IP and I do not see anywhere how to configure ARP

johnpoz

@freyja said in First configuration : NAT:

I'm not using any VIP

Then why in the world would you think some interface would answer an arp request, when it doesn't have that IP on it..

If you want pfsense to answer arp for an IP that is not assigned to the interface - it needs a vip, if you want it to answer arp for every IP in a cidr then setup a proxy arp vip.

https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-addresses.html#proxy-arp

Where you could have an ISSUE - which I thought I went over with already. Is if you have pfsense arp for any IP in /X - if you have some device on the network with an IP. Which arp is your client looking for IP abc going to see first - the actual client, or pfsense vip?

Freyja

@johnpoz oh ok.

I thought NAT 1:1 would have been enough.

So let me rephrase.
If I setup a NAT 1:1 for an IP like this :

• external (DMZ): 10.10.12.246
• internal (LAN): 10.10.10.246

I have also to setup a VIP (10.10.12.246) in DMZ for the firewall?

Am I right there?

johnpoz

No if pfsense dmz interface IP is 10.10.12.246 it would answer arp for its own address.. You need a vip when you want pfsense to answer arps for IPs that are not assigned to its own interface in that L2.

if you want pfsense to answer arp for 10.10.12.242 for example - then you would need a vip for that IP.

Freyja

@johnpoz No, the firewall is on 10.10.12.254.
I get it now, completely missed that part for proxy-arp as cisco pix do it natively, I thought setting up the NAT would be enough.
And I do understand the concern now as it's not possible to setup a range for VIP.
I will make some test.

Thanks for the answer.

Freyja

@johnpoz ok it works now that I added VIP for all the IP I need.
Thanks for helping.

johnpoz

Your welcome - still no point in doing this. It provides nothing but complexity, not any added security.

Freyja

@johnpoz let's agree to disagree

KOM

@freyja You consistently refuse to say what you're doing despite being asked several times. You told me that there were "plenty of reasons" to do what you're doing, and when I asked you to name even one (because neither John nor I could think of even one case that makes sense), you ducked yet again. At this point I'm going to stop asking and just assume it's something illegal.

Freyja

@kom you're kidding right?

I said from the beginning that I wanted to replicate the configuration I had with my pix as the netgate act a replacement.

All my configuration is based on that and despite the fact you disagree, I want to mask my internal network for things such honeypot for example.

It's not because you do not understand the usefulness of what I want it's illegal.

And such a supposition is quite surprising.

I said what I wanted to do, you just don't listen.

1- reproduce what I had before just not to have to reconfigure everything
2- mask my internal network because I don't want people to be aware of it.

But still you're pushing over and over because it sounds overcomplicated for you but at the very end it's my problem if it's overcomplicated, right?

I've never seen such aggressive people about simple tech questions, really I don't understand what you are trying to do there.

I've started eluding your queries because I had answered them and didn't want to go in an argument fight and having to justify my setup.

You make me feel I want to pack back my netgate and return it.

I've worked with Cisco, Nokia, McAfee, checkpoint firewall and never seen such agresisvity from a tech community.

I'm starting feeling your are acting like that because you've seen I'm a girl and think I don't know what I'm doing.
Don't make me think it's just a misogynistic behavior.

That's said, I'm not doing anything illegal, i just wanted to reproduce my Pix configuration to simplify my life and don't have to reconfigure every service I'm using and that's all.

Regards.

KOM

@freyja

I said from the beginning that I wanted to replicate the configuration I had with my pix as the netgate act a replacement.

That isn't an explanation for the reasoning behind the method. I understood you wanted to make it the same as what you had before. That's not hard to understand. The question was 'why do you want it that way?' What problem does this solve? That's all.

All my configuration is based on that and despite the fact you disagree, I want to mask my internal network for things such honeypot for example.

I don't necessarily disagree when I don't know all the details. That's why I was asking. You said earlier that you wanted to mask your network but I didn't understand the context nor did John. Usually a DMZ is completely isolated from LAN which is its entire point, and any required access is strictly controlled via rules. It's unusual to have a DMZ that needs to talk to LAN so much.

It's not because you do not understand the usefulness of what I want it's illegal.

I'll definitely admit that I don't see the usefulness of what you're doing.

And such a supposition is quite surprising.
I said what I wanted to do, you just don't listen.

No, you said things like 'mask my network' and 'several reasons' but you never actually gave any specifics. Two of us were confused so you weren't as clear as you think.

1- reproduce what I had before just not to have to reconfigure everything
2- mask my internal network because I don't want people to be aware of it.

Got it. I don't know how that would help you though. Yes, I understand that you are going to keep it this way and I have no problem with that. I'm just curious. How would people who interact with your DMZ be aware of what's on your LAN? Someone who cracks one of your DMZ servers will see what it's talking to and try to exploit that regardless of its DMZ vs LAN IP address.

But still you're pushing over and over because it sounds overcomplicated for you but at the very end it's my problem if it's overcomplicated, right?

It doesn't sound overcomplicated. It sounded like it didn't make any sense. I was asking for details because I thought I was missing something.

I've never seen such aggressive people about simple tech questions, really I don't understand what you are trying to do there.

Every single day here, new users decide to do something using an incorrect or sub-optimal method and then they ask specific questions in order to reach their bad end instead of asking for the best way to do something using pfSense. I thought that is what you were doing so I asked questions trying to determine what problem you needed to solve.

I've started eluding your queries because I had answered them and didn't want to go in an argument fight and having to justify my setup.
You make me feel I want to pack back my netgate and return it.

This has nothing to do with Netgate.

I've worked with Cisco, Nokia, McAfee, checkpoint firewall and never seen such agresisvity from a tech community.
I'm starting feeling your are acting like that because you've seen I'm a girl and think I don't know what I'm doing.
Don't make me think it's just a misogynistic behavior.

How would I know you're a woman, and why would that matter?? My entire knowledge of you is from this one thread.

That's said, I'm not doing anything illegal, i just wanted to reproduce my Pix configuration to simplify my life and don't have to reconfigure every service I'm using and that's all.

Understood. Thank you for making it clearer for me. I think this has been one big misunderstanding and I will not trouble you again.