Netgate Discussion Forum
    Static External Access Issue (Am I just stupid?)

    NAT
    10 Posts 3 Posters 856 Views
    • vulcan

      So there's a good chance I'm just an idiot, but I'm running out of ideas for how to make this work and my search-fu is failing me.

      I've got the following config:

      LAN (10.x.x.x)->PFSENSE Firewall (INTERNAL STATIC 10.x.x.13, External DHCP)->Comcast Modem(Internal 192.168.x.x Handing out DHCP)

      Also attached directly to my Comcast modem is my ubuntu web server with a static external address (173.x.x.x/29).  Comcast modem is defaulted to bypass firewall on all statics.

      My web server is reachable from the public.  It is also reachable by any device that is direct connected to the Comcast modem.  But I am unable to get to my web server from my LAN (10.x.x.x).  I've tried 1:1 Nat, Aliases, Nat Reflection.  Nothing seems to work.  It's totally possible I missed a step on my config though.

      If someone would be so kind as to either give me some guidance or perhaps point me in the correct direction to get my LAN users access to this one server I would appreciate it.

      I've also attached an image from Visio to help show my setup.

      Thanks!

      Drawing1.png
      • johnpoz LAYER 8 Global Moderator

        That is going to be an asymmetrical mess to be honest.  What IP does your client get when he goes out to the internet… What IP is he getting natted to?

        Your comcast modem from your drawing would be natting your pfsense 192.168 address to some public IP, while at the same time your comcast modem would be natting it as well.

        Why do you not put your pfsense wan on this 172.x.x.x/29?  Then when your clients want to talk to another address on 172.x.x.x/29 (webserver) to the webserver you would be coming from an IP on its own network.

        I personally would put the webserver behind pfsense either with a VIP to get to your webserver, or better yet routed /29 to your pfsense wan IP that was on some other public transit.

        When you say L3 switch.. Is it doing routing and your client is on some other downstream network?  And pfsense 192.168.x.x lan is just a transit to your L3 router (ROUTER). Or are you just using a L3 in L2?  Unless you're actually routing with your switch you shouldn't call it out as a L3..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • chpalmer

          LAN (10.x.x.x)->PFSENSE Firewall (INTERNAL STATIC 10.x.x.13, External DHCP)-

          There is really no reason you have to mask your LAN addressing. Nobody will be able to do anything with those past your firewall.. :)

          It can (although seems not in this instance) be a roadblock to those helping sometimes.

          Some links to show the VIP solution that johnpoz mentioned..

          https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
          https://doc.pfsense.org/index.php/1:1_NAT

          ;)

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          • johnpoz LAYER 8 Global Moderator

            Agree with chpalmer on the obfuscation on rfc1918, there is really never a valid reason to try and hide that..  And yes for sure it can cause some confusion if done wrong, etc.

            Same goes for hiding mac address.. If your shinyhat was really tight you might justify mac of some AP mac.. Since those can show up in war driving dbs and might be possible to track down location from it.  Same goes for posting your ssid you're using.. But that is some really tight shinyhat to be worried about such thing ;)

            If really really tight you might not want to share mac of say a wifi router since the wlan mac is normally only 1 or 2 away from the physical ;)

            But when it comes to rfc1918 space.. Yeah that gives away nothing… It's like saying you live on the planet and worried about someone finding you ;)

            • vulcan

              @johnpoz:

              That is going to be an asymmetrical mess to be honest.  What IP does your client get when he goes out to the internet… What IP is he getting natting too?

              It gets natted to the 172.x.x.x/29 by the comcast modem.

              @johnpoz:

              Why do you not put your pfsense wan on this 172.x.x.x/29?  Then when your clients want to talk to another address on 172.x.x.x/29 (webserver) to the webserver you would be coming from an IP on its own network.

              I hadn't thought of that.  Would this increase my exposure risk on the web though?  Or would having solid passwords on my pfsense make it a non-issue?

              @johnpoz:

              I personally would put the webserver behind pfsense either with a VIP to get to your webserver, or better yet routed /29 to your pfsense wan IP that was on some other public transit.

              So:  Webserver On LAN with static->PFSENSE(Internal static, external public static)->Comcast Modem->WWW?  Then VIP and 1:1 nat?

              @johnpoz:

              When you say L3 switch.. Is it doing routing and your client is on some other downstream network?

              I have a couple other networks external to my LAN that I do routing to.  This switch is doing routing to move traffic between the 3 different networks that I need my LAN to be able to access.  My situation is a bit messy, I have 3 networks that are not under my control but are on a local network of sorts with several hundred users and my users need to be able to access those networks without exposure to my LAN.  TMI I'm sure, but yea it is a L3 switch running true L3 routing.

              • vulcan

                @chpalmer:

                There is really no reason you have to mask your LAN addressing. Nobody will be able to do anything with those past your firewall.. :)

                I'm government.  I just mask crap out of habit.  Less memos to write if I just mask everything lol!.

                • vulcan

                  @johnpoz:

                  It's like saying you live on the planet and worried about someone finding you ;)

                  THEY are always watching.  :P

                  • johnpoz LAYER 8 Global Moderator

                    Or would having solid passwords on my pfsense make it a non-issue?

                    Huh???  Makes no sense.. Out of the box all inbound unsolicited to pfsense wan is blocked.. What would pfsense passwords have to do with its exposure?  You don't have pfsense web gui open to the internet do you??

                    between the 3 different networks that I need my LAN to be able to access

                    By lan you mean you are using your lan as transit to this L3?  You don't have hosts on your lan access networks downstream of the L3 do you?  Do you route to them on the host?  If not you have an asymmetrical mess.. Unless your downstream L3 is natting those downstream networks to your lan?

                    If a host on your lan wants to get to downstream network, and bounces off pfsense as the lan clients default gateway then you have a hairpin and asymmetrical traffic.. Borked! ;)  No host should be on a transit network.. If you're going to put hosts on a transit.  Then you need to create routes on said host directly that tell it which gateway to use to get to which network.. So any host on the lan should have routes on it saying hey, you want to get to downstream network - talk to the L3 switch IP on the lan network.

                    Back to your problem.. Well your issue is with your comcast router then.. It's a nat reflection sort of nightmare..  You would have to fix that sort of issue on the comcast device.. Good luck.. Your best fix is to bring your servers behind pfsense directly either via routed public space or with natting behind..

                    • chpalmer
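The hairpin and asymmetric-return problem johnpoz describes, as an added example that is not part of this thread: a small Python routing simulator with constructed, hypothetical addresses (client 10.0.0.50 on the LAN, pfSense at 10.0.0.1, an L3 switch at 10.0.0.2 fronting a downstream 10.20.0.0/24, server 10.20.0.10; none of these come from the posts). It walks a packet hop by hop with longest-prefix matching, flags any router that sends the packet back out the interface it arrived on (the hairpin), and compares the request path with the reply path. With only a default route on the client, the request goes client -> pfSense -> L3 switch -> server while the reply comes back server -> L3 switch -> client, so the stateful firewall sees one direction of the flow only. Adding the host route johnpoz recommends makes both directions take the same path.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology (hypothetical addresses, not from the thread):
#   client 10.0.0.50   on the LAN, default gateway = pfSense 10.0.0.1
#   pfSense            LAN 10.0.0.1/24, WAN 192.168.1.10/24, static route to the
#                      downstream network via the L3 switch
#   L3 switch          LAN 10.0.0.2/24, downstream 10.20.0.1/24
#   server 10.20.0.10  downstream, default gateway = L3 switch 10.20.0.1


@dataclass
class Node:
    name: str
    interfaces: list                                 # IPv4Interface objects
    routes: list = field(default_factory=list)       # (IPv4Network, gateway IPv4Address)


def find_owner(nodes, ip):
    """Return (node, interface) that owns an address; raise if nobody does."""
    for node in nodes:
        for iface in node.interfaces:
            if iface.ip == ip:
                return node, iface
    raise ValueError(f"no node owns {ip}")


def next_hop(node, dst):
    """Connected networks win, otherwise longest-prefix match over static routes."""
    for iface in node.interfaces:
        if dst in iface.network:
            return dst, iface                        # on-link: deliver straight to dst
    best = None
    for net, gw in node.routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"{node.name}: no route to {dst}")
    gw = best[1]
    for iface in node.interfaces:
        if gw in iface.network:
            return gw, iface
    raise ValueError(f"{node.name}: gateway {gw} is not on-link")


def trace(nodes, src, dst, max_hops=16):
    """Walk a packet hop by hop.  Returns (node names on the path, names of nodes
    that forwarded it back out the interface it arrived on, i.e. hairpins)."""
    dst = ipaddress.IPv4Address(dst)
    node, _ = find_owner(nodes, ipaddress.IPv4Address(src))
    in_iface = None                                  # the source host has no inbound interface
    path, hairpins = [node.name], []
    for _ in range(max_hops):
        hop, out_iface = next_hop(node, dst)
        if in_iface is not None and out_iface == in_iface:
            hairpins.append(node.name)
        node, in_iface = find_owner(nodes, hop)
        path.append(node.name)
        if hop == dst:
            return path, hairpins
    raise RuntimeError("routing loop")


def is_symmetric(forward, reverse):
    """True when the reply retraces the request through the same boxes."""
    return forward == list(reversed(reverse))


def add_host_route(nodes, name, network, gateway):
    """Install a static route on one host (the per-host route johnpoz describes)."""
    node = next(n for n in nodes if n.name == name)
    node.routes.append((ipaddress.IPv4Network(network), ipaddress.IPv4Address(gateway)))


def build_topology():
    I, N, A = ipaddress.IPv4Interface, ipaddress.IPv4Network, ipaddress.IPv4Address
    default = N("0.0.0.0/0")
    return [
        Node("client",   [I("10.0.0.50/24")], [(default, A("10.0.0.1"))]),
        Node("pfsense",  [I("10.0.0.1/24"), I("192.168.1.10/24")],
             [(N("10.20.0.0/24"), A("10.0.0.2")), (default, A("192.168.1.1"))]),
        Node("l3switch", [I("10.0.0.2/24"), I("10.20.0.1/24")], [(default, A("10.0.0.1"))]),
        Node("server",   [I("10.20.0.10/24")], [(default, A("10.20.0.1"))]),
    ]


if __name__ == "__main__":
    nodes = build_topology()
    fwd, hp = trace(nodes, "10.0.0.50", "10.20.0.10")
    rev, _ = trace(nodes, "10.20.0.10", "10.0.0.50")
    print("request:", " -> ".join(fwd), "| hairpin at:", hp)
    print("reply:  ", " -> ".join(rev), "| symmetric:", is_symmetric(fwd, rev))
    add_host_route(nodes, "client", "10.20.0.0/24", "10.0.0.2")
    fwd, hp = trace(nodes, "10.0.0.50", "10.20.0.10")
    print("with host route:", " -> ".join(fwd), "| symmetric:", is_symmetric(fwd, rev))
```

The `hairpins` list is the thing to watch: a router that forwards a packet back out the interface it came in on is the sign that the host's default gateway is doing work a more specific route on the host should be doing, and that the reply will not come back the same way.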

                      Would this increase my exposure risk on the web though?

                      No.

                      We leave that up to the loose nuts behind the keyboards.

                      pfSense is a stateful firewall and I'd trust it over the Comcast router/modem any day.

                      I'm government.

                      No need to apologize.  ;D    I do 911 stuff myself so I'm aware of the processes involved.    Case in point-  I use 172.25.110.0/23 on one of my network subnets.  See if you can find me..  ;)

                      C

                      • vulcan

                        @chpalmer:

                        trust it over the Comcast router/modem any day.

                        I don't trust anything Comcast does.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.