Avoiding Double NAT, routing only firewall

GasmanC · Aug 26, 2017, 1:41 PM

Hi all,

Background: I'm a complete noob when it comes to networking. I've read widely, but I easily get tripped up with the seemingly easy stuff. Bottom line, I want to avoid double NAT whilst still being able to have IPS abilities. I initially setup a transparent firewall, which was working in that I could filter the traffic with suricata but the pfsense box was unable to reach the internet and thus download rule sets.

Current setup:

ISP router (bridged) –> pfsense [dhcp] WAN (Nat turned off) : pfsense LAN [static] 192.168.1.1 –> Router providing NAT 10.0.10.1

I think I'm just getting confused with the whole disabling NAT. In my mind if I disable NAT, it should pass on the public IP to the router providing NAT. However, the LAN is still 192.168.1.1 and hands out DHCP. If I turn off dhcp, the router doesn't get the public IP. Am I missing something here?

Many thanks, and sorry if it's something small that I have completely missed

johnpoz · Aug 26, 2017, 1:47 PM

Current setup:

ISP router (bridged) –> pfsense [dhcp] WAN (Nat turned off) : pfsense LAN [static] 192.168.1.1 –> Router providing NAT 10.0.10.1

That setup makes no sense.. That drawing looks like you have a router on your lan, as well as your modem connected to your wan? But how does a 192.168.1 address talk to a 10.0.10 address?

Is your setup more like this

isp/internet –- modem (bridge) --- publicIP (router ) 10.0.10.1 ---- 10.0.10.x (wan) pfsense (lan) 192.168.1.1 --------- (192.168.1/24) devices behind pfsense.

And you want pfsense to not nat between the 192.168.1/24 network and the transit network (10.0.10/?) between your router and the internet?

GasmanC · Aug 26, 2017, 1:58 PM

Sorry for the confusion:

What I'm trying to achieve is:

isp/internet –- modem (bridge) --- publicIP (wan) pfsense (lan) 192.168.1.1 --------- USG (10.0.10.1) ---- devices behind USG (10.0.10.x).

I have the USG providing NAT and routing between different subsets as well as DPI. I'm trying to add the PFsense box in front of the USG in order to provide IPS via suricata. I'm trying to avoid double NAT as I have an openVPN Server being the USG etc... I'd like for the USG to pass on the public IP to the USG. I've tried the transparent firewall route which worked, but the pfsense box itself couldn't connect to the internet itself to download the suricata rulesets.

johnpoz · Aug 26, 2017, 2:15 PM

It would be simpler to just let pfsense do the nat and your ips.. Set your usg not to nat to avoid the double nat.. now just use your 192.168.1 as transit network.

You just have to setup a gateway in pfsense telling it to get to whatever your downstream networks are to send to the usg IP in our transit network 192.168.1.2 for example. Then setup your lan rule on pfsense (transit network) too allow source IPs of all your downstream networks..

If they are all 10 something you can use 1 summary router of 10/8, and either change your lan (transit network) rule to allow any as source or add rule to allow your downstream networks you want to allow out, could be summary of 10/8 as well here.

If you have messed with the outbound rules you will have to set those, if automatic once you have setup the gateway and routes via this gateway the automatic nat for outbound should include those - but doesn't hurt to check that your downstream networks are listed.

GasmanC · Aug 27, 2017, 1:36 AM

I Know it would be easier to let pfsense do nat and dhcp, but it means I have to change a json script for the USG (turning off NAT is coming to the GUI later).

I think in the end I am going to go back to the transparent firewall. It was relatively easy to set up. My only problem I will have to overcome is getting the pfsense box to reach the internet. I think if I add a USB NIC, make it another WAN and add an outbound NAT rule for the bridge interface, I might be able to get internet connectivity to download ET rule sets… crossing fingers.

johnpoz · Aug 27, 2017, 1:54 AM

Your problem is you don't have 2 public IPs do you? So your wan you add to pfsense will have to be behind your usg.. Sure you can do that… Just really odd setup.

GasmanC · Aug 27, 2017, 3:37 AM

I am definitely over complicating things… Without changing my current setup (usg providing Nat and dhcp), is there a way to integrate the pfsense box upstream for ips and dns? Or am I being too ambitious? Once ubiquiti enable NAT controls in the GUI it would make it much easier!

johnpoz · Aug 27, 2017, 10:17 AM

You can continue to let your USG do dhcp.. Actually you will have to… Pfsense can only dhcp for network it has an actual interface in. It will only be an upstream router in such a setup and will only have interface in a transit network. So it would not do dhcp for your downstream networks.

You just need to tell it not to nat.. Can you not do this via cli?

To be honest, you are a self proclaimed noob to networking - the running of IPS is not something you click and it works.. It will be very NOISY!!!! If you run it anything other than monitor mode it WILL BREAK SHIT!! There is a pretty step learning curve to IPS.. Either snort or suricata, I have been supporting IPS/IDS at work for many years.. Takes some tuning to get the rules right to be bombed with log spam, etc. false positives in IPS/IDS are very very high ratio... I do not bother to run it on my home network - too many other things to "play" with ;)

But another connection on pfsense that you can put behind your usg would work - its just ODD is all.. Normally you would just put an IP on the bridge interface and this could get to the internet - but since your bridging what amounts to your transit network to your ISP and is public and you only have 1 public IP which you need on your USG that doesn't work. So sure you can create another "wan" for pfsense that is actually behind the usg that gets natted, dhcp even from the usg.. And this is how you could manage the pfsense box, etc.

I personally would not bother with what is going to amount to a LOT of work maintaining or just not looking at since it will be lots and lots of noise to run a IPS/IDS for a home network. But it is a great learning experience to be sure.

I would prob just take pfsense out of the picture completely if have gone down the unifi road. The dpi function is pretty slick info to have on your network though.. I want to get a USG to play with, but my setup would of been with USG as the edge and pfsense as my downstream with it doing the intervlan routing/firewalling but no natting and the usg at the public edge doing dpi for the internet, etc. Since really wouldn't be interested in intervlan dpi info and only what is to from internet. Since the USG, what model do you have? It only has 1 lan side interface so if you have lots of vlans your doing a lot of hairpinning, etc. Doesn't really make for great intervlan router..

You could always just go that route if you want your IPS/IDS.. Put pfsense behind your usg and just use the usg as your edge router/firewall. This way you would get IDS/IPS between your vlans and to the internet.. When you put pfsense at the edge your only going to see internet traffic. And would not see for example one of your boxes that has been infected hitting your other boxes with exploits, etc.

GasmanC · Aug 28, 2017, 2:45 PM

Thank you for the advice, I'm really only doing this to learn and tinker. When you mentioned that giving the bridge an interface to reach the internet, that is what I had done when I set up the transparent firewall I trialled last week, and yet I still couldn't get the pfsense box to download updates or rule sets.

I followed these instructions from opnsense (https://docs.opnsense.org/manual/how-tos/transparent_bridge.html), but it set up the transparent firewall as expected on pfsense. As per the instructions I created an interface for the bridge, but could not get the pfsense box to reach the internet (downstream pc's were fine). Initially I thought it was a routing issue (pfsense wouldn't allow me to assign the bridge interface to 10.0.10.0/24 which is my usual subnet), so I gave it 10.0.20.1 and created a static route on both pfsense and the USG - but it didn't work. Now I'm thinking it could be a NAT thing as I had turned off NAT as per the instructions.

If you could help me work out why I couldn't get the pfsense box to reach the internet, I'd be very grateful.

johnpoz · Aug 28, 2017, 3:55 PM

"instructions from opnsense"

That is really a dirty word around here.. I would not mention them again ;) You should read some of the threads and info about that whole distro.. It can be very entertaining..

If your pfsense is a bridge on the L2 between you and the internet you would need another PUBLIC ip on the bridge to get to the internet. You can not really hairpin it back to the USG wan and then back out, etc. Even if you run a different L3 network that amounts to multiple L3 on the same L2 which is a bad juju..

Your best option if you insist on having pfsense between your isp and your usg as transparent is to add another nic for pfsense to use and put that behind your USG on say your management network.. This way you can use that to manage your pfsense and allow it to get to the internet. If your limited to 1 lan side nic on the pfsense you could do with vlan.

GasmanC · Aug 29, 2017, 10:13 AM

Regarding opnsense, only using the documentation for the transparent bridge as a bit of a primer to get me started with pfsense!

When I was testing the transparent firewall, I had it placed between the USG and the switch. All downstream PCs picked up DHCP and saw the USG as the gateway, but I couldn't get the pfsense box to connect to the internet. I tried adding static routes for the bridge interface and even added a separate USB NIC as a management interface, but it too couldn't connect to the internet. I have a feeling it may be because I turned off NAT when I was creating the bridge. Do you think I just needed to add a NAT rule??

Thanks so much by the way, the more I reading, the more I'm learning.