NAT 1:1 & Squid



  • NAT 1:1 doesn't seem to work properly when using Squid forward proxying. With 1:1 set up & browsing to whatismyip.com directly (no Squid), it correctly shows the external IP address set up for the client LAN IP address with NAT 1:1. However, when browsing through Squid, it shows the IP address of the pfSense device external interface. Squid seems to be breaking NAT 1:1, which I believe may be affecting me in a more complex scenario I'm having trouble with (with a web server behind the firewall on the same LAN subnet as a requesting client not being accessible, but requests from outside the subnet working properly), but I'm asking this simpler question first.

    NAT Reflection mode = PureNAT
    Enable NAT Reflection for 1:1 NAT = checked
    Enable automatic outbound NAT for Reflection = checked

    Here's my /tmp/rules.debug:

    
    set optimization normal
    set limit states 200000
    set limit src-nodes 200000
    
    #System aliases
    
    loopback = "{ lo0 }"
    WAN = "{ pppoe0 }"
    LAN = "{ igb1 }"
    MODEMACCESS = "{ igb0 }"
    
    #SSH Lockout Table
    table <sshlockout>persist
    table <webconfiguratorlockout>persist
    #Snort tables
    table <snort2c>table <virusprot>table <bogons>persist file "/etc/bogons"
    table <negate_networks># User Aliases 
    
    # Gateways
    GWWAN_PPPOE = " route-to ( pppoe0 xxx.xxx.xxx.207 ) "
    
    set loginterface igb1
    
    set skip on pfsync0
    
    scrub on $WAN all    fragment reassemble
    scrub on $LAN all    fragment reassemble
    scrub on $MODEMACCESS all    fragment reassemble
    
    no nat proto carp
    no rdr proto carp
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    
    binat on pppoe0 from 192.168.1.3 to any -> xxx.xxx.xxx.171
    binat on pppoe0 from 192.168.1.1 to any -> xxx.xxx.xxx.169
    
    # Outbound NAT rules (manual)
    nat on $WAN  from 192.168.1.1/32 to any -> xxx.xxx.xxx.169/32 port 1024:65535  
    nat on $WAN  from 192.168.1.3/32 to any -> xxx.xxx.xxx.171/32 port 1024:65535  
    nat on $MODEMACCESS  from 192.168.1.0/24 to 10.0.0.0/24 -> 10.0.0.200/32 port 1024:65535  
    
    # Outbound NAT rules (automatic)
    
    # Subnets to NAT 
    tonatsubnets	= "{ 127.0.0.0/8 192.168.1.0/24 10.0.0.200/32 }"
    nat on $WAN  from $tonatsubnets to any port 500 -> xxx.xxx.xxx.174/32  static-port
    nat on $WAN  from $tonatsubnets to any -> xxx.xxx.xxx.174/32 port 1024:65535  
    
    # Load balancing anchor
    rdr-anchor "relayd/*"
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    # Reflection redirects and NAT for 1:1 mappings
    rdr on { igb1 igb0 } from any to xxx.xxx.xxx.171 -> 192.168.1.3 bitmask
    no nat on igb1 from igb1 to 192.168.1.3
    nat on igb1 from 192.168.1.0/24 to 192.168.1.3 -> 192.168.1.254 port 1024:65535
    
    rdr on { igb1 igb0 } from any to xxx.xxx.xxx.169 -> 192.168.1.1 bitmask
    no nat on igb1 from igb1 to 192.168.1.1
    nat on igb1 from 192.168.1.0/24 to 192.168.1.1 -> 192.168.1.254 port 1024:65535
    
    anchor "relayd/*"
    anchor "openvpn/*"
    anchor "ipsec/*"
    # Allow IPv6 on loopback
    pass in  quick on $loopback inet6 all tracker 1000000001 label "pass IPv6 loopback"
    pass out  quick on $loopback inet6 all tracker 1000000002 label "pass IPv6 loopback"
    # Block all IPv6
    block in log quick inet6 all tracker 1000000003 label "Block all IPv6"
    block out log quick inet6 all tracker 1000000004 label "Block all IPv6"
    # block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
    # and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
    # route-to can override that, causing problems such as in redmine #2073
    block in log quick from xxx.xxx.xxx.0/16 to any tracker 1000000101 label "Block IPv4 link-local"
    block in log quick from any to xxx.xxx.xxx.0/16 tracker 1000000102 label "Block IPv4 link-local"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log inet all tracker 1000000103 label "Default deny rule IPv4"
    block out log inet all tracker 1000000104 label "Default deny rule IPv4"
    block in log inet6 all tracker 1000000105 label "Default deny rule IPv6"
    block out log inet6 all tracker 1000000106 label "Default deny rule IPv6"
    
    # IPv6 ICMP is not auxilary, it is required for operation
    # See man icmp6(4)
    # 1    unreach         Destination unreachable
    # 2    toobig          Packet too big
    # 128  echoreq         Echo service request
    # 129  echorep         Echo service reply
    # 133  routersol       Router solicitation
    # 134  routeradv       Router advertisement
    # 135  neighbrsol      Neighbor solicitation
    # 136  neighbradv      Neighbor advertisement
    pass  quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} tracker 1000000107 keep state
    
    # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
    pass out  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} tracker 1000000108 keep state
    pass out  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} tracker 1000000109 keep state
    pass in  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000110 keep state
    pass in  quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} tracker 1000000111 keep state
    pass in  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} tracker 1000000112 keep state
    
    # We use the mighty pf, we cannot be fooled.
    block log quick inet proto { tcp, udp } from any port = 0 to any tracker 1000000113 label "Block traffic from port 0"
    block log quick inet proto { tcp, udp } from any to any port = 0 tracker 1000000114 label "Block traffic to port 0"
    block log quick inet6 proto { tcp, udp } from any port = 0 to any tracker 1000000115 label "Block traffic from port 0"
    block log quick inet6 proto { tcp, udp } from any to any port = 0 tracker 1000000116 label "Block traffic to port 0"
    
    # Snort package
    block log quick from <snort2c>to any tracker 1000000117 label "Block snort2c hosts"
    block log quick from any to <snort2c>tracker 1000000118 label "Block snort2c hosts"
    block in log quick proto carp from (self) to any tracker 1000000201
    pass  quick proto carp tracker 1000000202 no state
    
    # SSH lockout
    block in log quick proto tcp from <sshlockout>to (self) port 22 tracker 1000000301 label "sshlockout"
    
    # webConfigurator lockout
    block in log quick proto tcp from <webconfiguratorlockout>to (self) port 443 tracker 1000000351 label "webConfiguratorlockout"
    block in log quick from <virusprot>to any tracker 1000000400 label "virusprot overload table"
    antispoof log for $WAN tracker 1000001570
    antispoof log for $LAN tracker 1000002620
    # allow access to DHCPv6 server on LAN
    # We need inet6 icmp for stateless autoconfig and dhcpv6
    pass  quick on $LAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 tracker 1000002651 label "allow access to DHCPv6 server"
    pass  quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 tracker 1000002652 label "allow access to DHCPv6 server"
    pass  quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 tracker 1000002653 label "allow access to DHCPv6 server"
    pass  quick on $LAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 tracker 1000002654 label "allow access to DHCPv6 server"
    antispoof log for $MODEMACCESS tracker 1000003670
    
    # loopback
    pass in  on $loopback inet all tracker 1000003711 label "pass IPv4 loopback"
    pass out  on $loopback inet all tracker 1000003712 label "pass IPv4 loopback"
    pass in  on $loopback inet6 all tracker 1000003713 label "pass IPv6 loopback"
    pass out  on $loopback inet6 all tracker 1000003714 label "pass IPv6 loopback"
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out  inet all keep state allow-opts tracker 1000003715 label "let out anything IPv4 from firewall host itself"
    pass out  inet6 all keep state allow-opts tracker 1000003716 label "let out anything IPv6 from firewall host itself"
    pass out  route-to ( pppoe0 xxx.xxx.xxx.207 ) from xxx.xxx.xxx.174 to !xxx.xxx.xxx.174/32 tracker 1000003811 keep state allow-opts label "let out anything from firewall host itself"
    pass out  route-to ( pppoe0 xxx.xxx.xxx.207 ) from xxx.xxx.xxx.169 to !xxx.xxx.xxx.169/32 tracker 1000003812 keep state allow-opts label "let out anything from firewall host itself"
    pass out  route-to ( pppoe0 xxx.xxx.xxx.207 ) from xxx.xxx.xxx.171 to !xxx.xxx.xxx.171/32 tracker 1000003813 keep state allow-opts label "let out anything from firewall host itself"
    # make sure the user cannot lock himself out of the webConfigurator or SSH
    pass in  quick on igb1 proto tcp from any to (igb1) port { 443 22 } tracker 10000 keep state label "anti-lockout rule"
    
    # User-defined rules follow
    
    anchor "userrules/*"
    pass  in  quick  on $WAN reply-to ( pppoe0 xxx.xxx.xxx.207 ) inet proto tcp  from any to 192.168.1.3 port 465 tracker 1494017138 flags S/SA keep state  label "USER_RULE: lucifer smtp/s"
    pass  in  quick  on $WAN reply-to ( pppoe0 xxx.xxx.xxx.207 ) inet proto tcp  from any to 192.168.1.3 port 25 tracker 1494017115 flags S/SA keep state  label "USER_RULE: lucifer smtp"
    pass  in  quick  on $WAN reply-to ( pppoe0 xxx.xxx.xxx.207 ) inet proto tcp  from any to 192.168.1.3 port 65000 tracker 1494016908 flags S/SA keep state  label "USER_RULE: lucifer ssh in"
    pass  in  quick  on $WAN reply-to ( pppoe0 xxx.xxx.xxx.207 ) inet proto { tcp udp }  from any to 192.168.1.3 port 53 tracker 1494016830 keep state  label "USER_RULE: lucifer dns"
    pass  in  quick  on $WAN reply-to ( pppoe0 xxx.xxx.xxx.207 ) inet proto tcp  from any to 192.168.1.3 port 443 tracker 1494016727 flags S/SA keep state  label "USER_RULE: lucifer https"
    pass  in  quick  on $WAN reply-to ( pppoe0 xxx.xxx.xxx.207 ) inet proto tcp  from any to 192.168.1.3 port 80 tracker 1494016702 flags S/SA keep state  label "USER_RULE: lucifer http"
    pass  in  quick  on $LAN inet from 192.168.1.0/24 to any tracker 0100000101 keep state  label "USER_RULE: Default allow LAN to any rule"
    # at the break! label "USER_RULE: Default allow LAN IPv6 to any rule"
    
    # VPN Rules
    
    anchor "tftp-proxy/*"
    
    # Setup squid pass rules for proxy
    pass in quick on igb1 proto tcp from any to (igb1) port {3128,3129} flags S/SA keep state</virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c></negate_networks></bogons></virusprot></snort2c></webconfiguratorlockout></sshlockout> 
    

    Any ideas about this?

    If any more config would help, let me know.