Outbound Natting Through DMZ Address
-
Hello,
Due to some complexity on my network, I need to have a LAN host mapped to a DMZ address then out the WAN. Is this possible? I have been playing with the Outbound NAT rules and have set my outbound to manual, setup a mapping that is:
Interface: WAN (or LAN, I tried either way)
Proto: any
Source: 10.10.0.10/32 (created host alias)
Dest: any
Translation Address: 65.65.65.10I cleared my states to 10.10.0.10 after applying config. Host still traceroutes out the LAN gateway then the WAN gateway, does not seem to translate to the DMZ address at all. I realize that I am attempting to NAT to a DMZ address, and not a WAN address, but the DMZ address is public and accessible via the WAN.
Pic attached of what I am trying to do:
Please let me know if I can supply more information.
Thanks!
-
…and here's the answer:
For static IP configurations, an interface is considered a WAN by the presence of a gateway on the interface's settings, e.g. Interfaces > OPT1. Having a gateway defined under System > Routing is not enough, it must also be selected on the interface configuration or it will not be considered a WAN for NAT or other purposes.
So yeah, I don't have a gateway defined for that network, and that is not a consideration for NATting, bypasses the rule and uses the defacto LAN rule out the WAN interface.
Question is: Can I make the FW it's own GW on that network to get the results I want?
Thanks!
-
The documentation should maybe say "any interface without an upstream gateway will not automatically be considered for NAT." doesn't make it impossible to manually configure outbound nat on a LAN or openvpn interface.
Anyhow IPSEC which you dont mention in this question.?. is a different beast as there is only 1 enc0 interface even when there are multiple separate tunnels, and routing / gateways isn't used at all for ipsec on freebsd.. traffic is selected by the 'policies' set in the kernel..
For ipsec traffic 'must' match the policies to be send over its enc0 interface. Its possible to set for example a localsubnet of 0.0.0.0/0 and configure natting inside the P2 settings, that 'might' work. -
(You are not going to see any new responses when the thread is marked SOLVED and you add a new question.)
If you want to EXCLUDE that address from IPsec entirely and send it in-the-clear out the WAN port, with a source address that is from the /27 that might be possible (and you should re-engage them on your ticket there), but my guess is that the reply traffic will be caught by the IPsec traffic selectors on the other side and go out the IPsec there, instead of their WAN interface. They would also have to accept the traffic to that host using normal firewall rules on the outside interface since the traffic would arrive from you over the routed internet instead of the IPsec tunnel.
The simplest solution for you is to move that host from LAN to DMZ and give it a DMZ address since that is the network that is matched by the IPsec traffic selector already.
-
So a couple things:
1. Let's say we remove the IPSEC tunnel component of the issue, and I set an outbound NAT on my WAN interface (egress port is what I understand how it works) to translate the address to a DMZ address on any port with the source address of the host on the LAN (dest any). On the host, when I do a traceroute to 8.8.8.8, it does not seem to translate to the DMZ address, or at least not one of the hops in the output of the command. It goes to the LAN gateway, WAN gateway, and out the Internet. Am I missing something?
2. I am dealing with a large customer that only allows for communication over this IPSEC tunnel, and asking for either opening the ports to the WAN (even with my source address) or adding my private LAN network (or even the host/32) to the tunnel is out of the question.
I figure once I get a hop in traceroute on the host that is a DMZ address, I can move forward with the IPSEC portion of the problem.
Cheers!
-
So a couple things:
1. Let's say we remove the IPSEC tunnel component of the issue, and I set an outbound NAT on my WAN interface (egress port is what I understand how it works) to translate the address to a DMZ address on any port with the source address of the host on the LAN (dest any). On the host, when I do a traceroute to 8.8.8.8, it does not seem to translate to the DMZ address, or at least not one of the hops in the output of the command. It goes to the LAN gateway, WAN gateway, and out the Internet. Am I missing something?
You must be missing something because the DMZ is an address on the DMZ, not on WAN. You would have to post your outbound NAT rules so we could see what you have done there. to see why you are not getting the results you think you should be getting.
2. I am dealing with a large customer that only allows for communication over this IPSEC tunnel, and asking for either opening the ports to the WAN (even with my source address) or adding my private LAN network (or even the host/32) to the tunnel is out of the question.
I figure once I get a hop in traceroute on the host that is a DMZ address, I can move forward with the IPSEC portion of the problem.
Actually, what you are getting will be meaningless because IPsec does not work like anything else, as has already been pointed out. What happens on IPsec has nothing to do with what happens on WAN and vice versa. The NAT you are referring to has to happen in IPsec. There is a facility for NAT there but it will not work reliably in the scenario which has been presented.
The simplest solution for you is to move that host from LAN to DMZ and give it a DMZ address since that is the network that is matched by the IPsec traffic selector already.
-
1- Outbound-nat does not add a hop, it only changes the source-ip of the packet going out on the configured interface.
Traffic leaving on enc0 does not pass through rules applied to the wan-nic.2- Do you need 2 way communication over the IPSEC connection? Or you need to connect to the remote network as a client?
The P2 settings what subnets do they use when 'connected' properly? What clients need to access the remote side? Does remote side need to contact what IPs on your side?I imagine maybe something like this for P2 settings:
Localnet: 10.10.0.10/32
NAT/BINAT: 65.65.65.10/32
Remotenet: <remote net="">But to be sure what would work i need a bit more info about what the remote side expects for the P2 policy, and what needs to talk to what exactly. Possibly the conclusion will be its not possible with the options pfSense has, but for now there is still room to play imho ;)</remote> -
As I understand it, he needs this:
Localnet: 10.10.0.0/27 (DMZ network)
NAT/BINAT: None
Remotenet: 10.11.0.0/16That is working fine.
Then, in addition to that:
Localnet: 10.9.0.119/32 (A host on the local LAN network)
NAT/BINAT: 10.10.0.10/32 (An address from the DMZ subnet)
Remotenet: 10.11.0.0/16So there are overlapping Phase 2 networks that need to be created. The other side sees CHILD_SAs created from both:
10.10.0.10/32 === 10.11.0.0/16
10.10.0.0/27 === 10.11.0.0/16Both SAs must be created on the pfSense side or the traffic from 10.9.0.19/32 to 10.11.0.0/16 will never be interesting to IPsec.
I cannot see that ever working reliably.
