Nat Alias (Dlink to pfSense)



  • Hi, i try to find this question in this forum and on internet, but i cant find a solution..

    This is the office setup:

    Modem > Cisco Pix 501 > Router DLink LB-LI605 > Switch > LAN

    Notes:

    • I have a static public ip
    • Pix provide a VPN with one of our client (over internet) (this vpn is setup and mantained from our isp), no rules for inbound or outbound
    • Router used as a firewall too. I want the control of the inbound (not my isp), and is the gateway of my lan
    • LAN is like two, some pc's have access to the client vpn and internet, others only access internet

    The way i decided if a workstation can access client vpn is make a nat alias in router like you see:

    http://www.support.dlink.com/emulators/dilb604/nat.htm (set nat alias button).

    This is necessary for a request from my isp, because my client has the same ip's, the say to me…

    My lan is 192.168.0.x and the nat alias is 10.10.2.x.

    So, when the WS ask an ip of my client, the pix receive the alias ip (router has the alias), and send the traffic to the vpn

    Problem:

    """ Only have one of this, not two at the same time, vpn or remote desktop """

    • When i set an alias in router, has a checkbox that say "Allow Inbound" (not see in the emulator)
    • I want to give to our developers, remote desktop to work from home (with vpn to the client and my lan)
    • If uncheck that, i can go to vpn without problem but cannot connect with remote desktop
    • If i check, loose vpn but connect remote desktop without problem

    and too:

    • Only has 16 aliases, and i need more right now
    • Make a cheap router as firewall is not a good decision, so i been evaluate pfsense (great product)

    So, the questions are so many :)   :

    • Can i with pfsense, make that nat alias? How?
    • pfSense allow me, have that two functions, vpn with remote desktop?
    • If i use with pfSense, OpenVPN, still have vpn with my office, remote desktop and vpn with my client?

    Ok, i know is too much, but i guess is not a big problem for you and your knowledge.
    Perhaps my mistake is from analysis, and the solution is other and simple...., dont know...

    Thanks in Advance..

    Federico.
    Argentina.



  • Please, if i ask some obvious question, please let me know.

    Only if you can, give me a hint, to look in this forum or internet with your help.

    Regards.

    Federico.



  • Okay, this is really simple with pfSense … create a firewall rule that block unwanted traffic to your VPN ... You can even create alias (Firewall -> Alias), that will include all workstation you want or don't want...

    Let say you want to allow 12 workstations our of more than 100 to the VPN ... You create an alias called GoodWorkstation and you put all the IP address of the 12 workstation allowed.

    You create a pass rule for the traffic to the VPN using that alias and right after that your create a deny rule for everything...

    You will have to uncheck the option in pfSense that say to reject private ip range (Interface -> WAN -> Block private networks)

    When your workstation will ask for an address of the VPN the firewall will check the rules and let it pass to the PIX and it will make its job. If pfSense reject the traffic, then nothing will pass...

    I really don't know if I answered your question, I hope so...

    MageMinds



  • I think I understand a little bit more … But I need more information what are ALL the ip address

    You have a static owned by the PIX...
    What is the subnet of your client on the other side of the VPN?
    What is your LAN subnet?
    What is the WAN IP Address of your DLink soon to be pfSense?

    How your workstation try to access resources that are the other side of the VPN?
    How their (your client) workstation try to access resources that are on YOUR LAN?

    I think your answer might be the NAT 1:1.

    Let's say your VPN is 10.10.2.x your LAN is 192.168.0.x you want workstations from 192.168.0.50 to 60 to have a NAT to 10.10.2.50 to 60, if your looking for that it's NAT 1:1 that will do the job. That will result in anybody trying to access the IP address 10.10.2.50 on your client network will end up connecting to the workstation having the address 192.168.0.50.

    You still need to have a firewall rule to prevent your other workstations on your subnet to access resources on the VPN.



  • MageMinds, thanks for your reply.

    I give you the answer to your question:

    You have a static owned by the PIX…

    Yes. I have more than one, but for my problem, i have a public static ip, and the pix have a lan ip 192.168.2.254, that is the gateway of my router.

    What is the subnet of your client on the other side of the VPN?

    Dont know. All the work in this thing, is done by my ISP with my client, i only make the nat alias, nothing else. The servers in the other side is 180.166.40.x

    What is your LAN subnet?

    My lan is 192.168.0.x and subnet 255.255.255.0

    What is the WAN IP Address of your DLink soon to be pfSense?

    192.168.2.253 (i ask my isp, to give me another of this, like 192.168.2.251, to test pfsense since the other router still alive, after be replace with pfsense)

    How your workstation try to access resources that are the other side of the VPN?

    For us is really easy, just put an ip of my client (180.166.x.x), and access. The workstation, have as gateway 192.168.0.50 (my dlink router). The router on wan have the ip 192.168.2.253 and gateway 192.168.2.254 (the pix).

    How their (your client) workstation try to access resources that are on YOUR LAN?

    Is a vpn to one way. We access resources of them, not inverse.

    I read your first post, but i dont understand something, how can i make a rule for vpn, if pfsense dont know what is that vpn? is this correct?

    Thanks for your time and your answer.



  • As I see it you're missing a bit of knowledge in networking … VPN is a bidirectional thing ... To create a firewall rule, you have to block access to IP address 180.166.xxx.xxx in pfSense ... pfSense might not be aware there is a VPN, just forget about the VPN for the moment ... all you want to do is control the access to your clients from your LAN Workstation right?

    Since no one on the other side (your clients) connect to you you don't need any port forward or alias NAT.

    Okay well have to make some test to know how the PIX handle traffic directed to your clients...

    Configure pfSense, just normally, no special configuration and make sure you can access the Internet. Then try to access one of your client computer, does it work?

    If yes, then you have nothing to do with NAT 1:1 you don't need to "fool" the PIX in thinking you're in fact 10.10.2.x to access the VPN. Then all you need to do is restrict access to 180.166.xxx.xxx to specific workstation and you're good to go.

    If no, then the PIX have a rule that only 10.10.2.x can go through the VPN, then you need to configure NAT 1:1 that is basically a hard NAT with IP address 10.10.2.x to 192.168.0.x so when the computer having the ip address of 192.168.0.x is trying to pass through the router on the other side it's IP address will be 10.10.2.x instead of the IP address of the WAN ... For this your have to configure virtual IP address for your WAN.

    MageMinds



  • MageMinds, thanks again for your time.

    As I see it you're missing a bit of knowledge in networking … VPN is a bidirectional thing ... To create a firewall rule, you have to block access to IP address 180.166.xxx.xxx in pfSense ... pfSense might not be aware there is a VPN, just forget about the VPN for the moment ... all you want to do is control the access to your clients from your LAN Workstation right?

    Right, if i forgot vpn, all i want to do is control the outbound of my lan worksation to the VPN client, yes. Is true that if i want to block the inverse, i have to set a rule to that range of ip's (180.166.).

    I guess i dont express clearly when i say "Is a vpn to one way". Only describe the use of vpn, not the concept of a VPN. Sorry for that mistake.

    Since no one on the other side (your clients) connect to you you don't need any port forward or alias NAT.

    Yes. That is right.

    Okay well have to make some test to know how the PIX handle traffic directed to your clients…

    Configure pfSense, just normally, no special configuration and make sure you can access the Internet.

    Works. I put as gateway pfSense and i get internet.

    Then try to access one of your client computer, does it work?

    Not. Cannot access an ip of my client.

    If yes, then you have nothing to do with NAT 1:1 you don't need to "fool" the PIX in thinking you're in fact 10.10.2.x to access the VPN. Then all you need to do is restrict access to 180.166.xxx.xxx to specific workstation and you're good to go.

    :(  (Not work)

    If no, then the PIX have a rule that only 10.10.2.x can go through the VPN, then you need to configure NAT 1:1 that is basically a hard NAT with IP address 10.10.2.x to 192.168.0.x so when the computer having the ip address of 192.168.0.x is trying to pass through the router on the other side it's IP address will be 10.10.2.x instead of the IP address of the WAN … For this your have to configure virtual IP address for your WAN.

    Ok, i try that. And give (i hope) with the result.

    Thanks, many thanks for your time, answer and knowledge.

    Regards.

    Federico
    Argentina



  • Status Update.

    MageMinds, now i have two situations:

    1. I make a wrong setup with your instructions with nat 1:1
    2. the pix not resolve the alias

    I guess the situation 1 is the correct

    I have internet, everything is fine. But, my last problem, is not working the access to my client.

    I tell what i do, so if i do wrong, please tell me:

    a. Firewall: NAT: 1:1: Edit
    b. Interface = WAN
    c. External subnet = 10.10.2.0/24
    d. Internal subnet = 192.168.0.0

    **WAN  10.10.2.0/24  192.168.0.0/24  NAT **

    Status: with this not work, if i go to 180.166.x.x, give me a error 404 not found

    In NAT 1:1 is a note that says what you say "Depending on the way your WAN connection is setup, you may also need a Virtual IP.". So, i go to virtual ip, and here have a problem, what virtual ip i configure?

    My worksation: 192.168.0.34
    My workstation gateway: 192.168.0.150 (pfsense lan)
    pfsense wan: 192.168.2.252 static - gateway 192.168.2.254 (pix)

    I read post's to understand a little more, and i confused. I set a virtual ip with 192.168.0.34 in WAN? is correct? What ip must use to configure the virtual ip? and then, type? ARP, CARP, OTHER?
    A few post says "Mapped the public ip's to the virtual ip's", but is other thing that not understand, is outbound?

    In NAT outbound, i have two rules:

    WAN 192.168.3.0/24  *  *  *  *  *  NO OpenVPN 
    WAN 192.168.0.0/24 * * * * * NO Auto created rule for LAN

    This is what referer with map the public ip?

    **I know i abuse of your time and patiente, but if you can, could you give me a "stupid" (like me) step to step, to configure what you say please?

    You right, i miss knowledge of networking, and plus, of pfsense, but i read and try and try if someone give me a clue of the direction and way of solution.**

    Thanks again and again for your time.

    Regards.

    PD: If you travel to Argentina some time, i invite you with an "asado" from my country :), you never forget !!!



  • I never tried any of the two function you will use, but I understand the concept behind both, if it doesn't work, we will learn something new :-)

    Okay first of all in the Virtual IP, you will add

    Type: Proxy ARP
    IP Address(es): Network / 10.10.2.0/24

    Save and apply.

    Okay in the NAT 1:1 then you will add

    Interface: WAN
    External subnet: 10.10.2.0/24
    Internal subnet: 192.168.0.0

    –-----
    This should nat every 192.168.0.0 to a respective 10.10.2.0, the PIX will then thing it's 10.10.2.x that is trying to connect to the Internet or the VPN instead of the WAN IP address of the router.

    If you want to restrict access to your workstation I would recommend to use a narrower range for the NAT 1:1, so Instead of using /24 you could use /27 which will give you 192.168.0.1 - 192.168.0.30 Then set your DHCP server in the range of 192.168.0.100 - 192.168.0.200. This is obviously not the greatest security you can have, since anybody can change it's IP address to the correct range and have access to the VPN. You can control this using GPO on your Windows domain (assuming you have a Windows domain).

    OR you can in the NAT 1:1 set every IP address one by one, that way you can have nat on a non sequential and case by case basis.

    I have attached to screenshoot of what Virtual IP and NAT 1:1 should look like for your configuration.

    Keep in mind that a /24 in NAT 1:1 will probably allow ALL workstations that have an IP address 192.168.0.x to have access to the VPN. You might want to use what I show you in the picture pfNAT11-solution2.jpg, you'll have to create one NAT1:1 for each workstation as I talked earlier.

    The way I see it the PIX only allow 10.10.2.0/24 to be routed into the VPN any other address just pass right through.

    MageMinds








  • Status Finally (i guess)

    MageMinds:

    I read your answer very carefully and follow every step you say (thanks)… but not work !!!! :):):):)

    Ok, works, but with a little modification. I do what you say with the virtual ip, but with nat 1:1, dont work vpn, only works with nat outbound.

    Make a virtual ip 10.10.2.0/24, and a rule to nat outbound, and it works...

    Will make note of your suggest, to control more the nat rules of  my lan...

    I never find the solution without your help, thank for your knowdledge and even more, your patience...

    Thanks



  • You're welcome! I'm happy I could help!

    I understand more now … The NAT 1:1 would allow incoming traffic to be directed to your workstation and outbound nat to actually make your workstation use (be) that virtual ip, that makes sense!

    Let's say you have a webserver and have a dedicated ip address for that, you would use NAT 1:1 and traffic comming to that dedicated ip address would be directed completely to the web server, maybe the NAT connection track will make the response packet comming from the dedicated ip address, but if your webserver is trying to access the Internet by it's own it would appear to be using the other WAN ip address, not the virtual one, unless you setup an outbound nat rule. That totally makes sense, I told you we would learn something new :-)

    MageMinds



  • That's only partially true.
    You can force traffic from specific clients out a VIP with AoN rules.

    But 1:1 NAT is bidirectional. Meaning if you use a VIP in the 1:1 NAT rule you dont need additionally a AoN rule to force it out the VIP
    –> This already happens automatically. Otherwise it wouldnt be 1:1 NAT.

    If you use normal NAT forwardings from a VIP, you need AoN rules for outbound traffic if you want it to appear from the VIP.


Log in to reply