Netgate Discussion Forum

NAT rule not working between LAN and LAN

6 Posts 3 Posters 814 Views
jkraj, Apr 25, 2018, 2:00 PM

My LAN network is 192.168.1.0/24 and I have a couple of VMs in it: 192.168.1.100 (A) and 192.168.1.101 (B). I have an application running in (A) on port 6443 that should be reachable from B at the address 10.96.0.1:443.

I want to do a curl from B like [ curl -x https://10.96.0.1/api ]. When I ran tcpdump, the packet reaches the pfSense node, but it looks like pfSense is dropping it.

What kind of NAT rule should I add? I have one NAT rule which is not working; I have attached that rule and the firewall rule.

Note: the 10.96.0.0 network is not assigned to any interface of my VMs or of pfSense; that is what I need here.

Some pointers would be helpful.

Attachments: natrule.png, firewall.png

viragomann, Apr 25, 2018, 2:35 PM

Why do you want to do that? Why don't you use its interface address?

The application will never get the requests if that IP isn't assigned to the machine's interface in the operating system.

Beyond that, NATting that won't work if both client and server are connected to the same interface. Therefore you will need a proxy.

johnpoz, LAYER 8 Global Moderator, Apr 25, 2018, 3:17 PM (last edited Apr 25, 2018, 7:43 PM)

Confused about this 10.96.0.1 address? So you're running multiple layer 3 networks on the same layer 2 network, i.e. your 192.168.0/24. Where is this 10.96 coming from?? Is that a VM behind a VM software NAT on the host?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 25.07

jkraj, Apr 25, 2018, 6:00 PM

I am deploying a Kubernetes cluster using those VMs and am specifically testing the macvlan driver, so containers starting in that VM also get an IP address from 192.168.0.#, and the host iptables will not be applied to those packets. I have to rely on the router for routing.

But I am able to reach 10.96.0.1 from my VM, which has a 192.168.0.# IP address. The two iptables rules below in the VM make that work:

-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SEP-TNJASDWJMM375A64
-A KUBE-SEP-TNJASDWJMM375A64 -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-TNJASDWJMM375A64 --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 192.168.1.100:6443

How do I create a similar rule in pfSense?

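To make clear what the two iptables rules quoted above actually do, here is an added Python example (not code from the thread, from kube-proxy or from pfSense) that parses rules in iptables-save format and walks the KUBE-SERVICES chain the way netfilter would for a packet addressed to 10.96.0.1:443. The sample rule text is constructed after the post; the point it shows is that the cluster IP exists only as a DNAT rewrite inside each node's own nat table, so a router that never performs that rewrite sees a destination that no interface owns.

```python
import ipaddress
import re

# Constructed sample, modelled on the two rules quoted in the post above.
SAMPLE_RULES = """
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SEP-TNJASDWJMM375A64
-A KUBE-SEP-TNJASDWJMM375A64 -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-TNJASDWJMM375A64 --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 192.168.1.100:6443
"""


def parse_rules(text):
    """Return {chain: [rule, ...]} in file order, keeping only the match
    fields this walk needs (-d, --dport, -j, --to-destination)."""
    chains = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue                      # skip :CHAIN, COMMIT, *nat headers
        chain = line.split()[1]
        rule = {"dst": None, "dport": None, "target": None, "to": None}
        m = re.search(r" -d (\S+)", line)
        if m:
            rule["dst"] = ipaddress.ip_network(m.group(1), strict=False)
        m = re.search(r" --dport (\d+)", line)
        if m:
            rule["dport"] = int(m.group(1))
        m = re.search(r" -j (\S+)", line)
        if m:
            rule["target"] = m.group(1)
        m = re.search(r" --to-destination (\S+)", line)
        if m:
            rule["to"] = m.group(1)
        chains.setdefault(chain, []).append(rule)
    return chains


def resolve_dnat(chains, dst_ip, dst_port, chain="KUBE-SERVICES", depth=0):
    """Follow chain jumps for a TCP packet to dst_ip:dst_port and return the
    DNAT target 'ip:port', or None when no rule rewrites that destination."""
    if depth > 8:                         # guard against a jump loop
        return None
    for rule in chains.get(chain, []):
        if rule["dst"] is not None and ipaddress.ip_address(dst_ip) not in rule["dst"]:
            continue
        if rule["dport"] is not None and rule["dport"] != dst_port:
            continue
        if rule["target"] == "DNAT":
            return rule["to"]
        if rule["target"] in chains:      # user-defined chain: descend into it
            hit = resolve_dnat(chains, dst_ip, dst_port, rule["target"], depth + 1)
            if hit:
                return hit
    return None
```

Running `resolve_dnat(parse_rules(SAMPLE_RULES), "10.96.0.1", 443)` yields `192.168.1.100:6443`, while any other port or cluster IP yields `None`, matching what a node without these rules (or the router) would see.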
jkraj, Apr 25, 2018, 6:47 PM

@viragomann:

Beyond that, NATting that won't work if both client and server are connected to the same interface.

In that case I tried curl -k https://10.96.0.1/api from inside the pfSense VM, and that is also not working. What could be the reason? One thing I noticed: because the default route is WAN, I see the packet trying to leave via the WAN interface rather than the LAN interface. Can I set a static route? Or how do I modify my NAT rule to achieve this?

johnpoz, LAYER 8 Global Moderator, Apr 25, 2018, 7:46 PM

Dude, if you have some downstream router that understands this 10.96.0 network, then you would create a static route.

Still not understanding where this 10.96.0 network is... Is it on your VM host?

Your 192.168.1 is a transit to get to this downstream network. If you're doing some NAT on some VM host, you would send traffic to this VM host's IP, where this IP is NATted to.
