some help on an NAT / Firewall rule.



  • Hi all,

    Long story.

    I'm looking for a NAT solution and, if needed, a firewall rule for this situation:

    desktop - nic 1 - 192.168.1.1/24 - no gateway set on the interface (this is bound to a PLC and cannot be changed).
    - nic 2 - 192.168.2.200/24 - no gateway set on the interface (this is used for outbound traffic)
    added static route 0.0.0.0 to 192.168.2.100

    pfsense - lan - 192.168.1.161
    - lan vip - 192.168.2.100
    added NAT & firewall rules to allow traffic to/from the 192.168.2.x segment.

    The desktop can reach the 192.168.1.x segment and the internet.

    However, to make it somewhat complicated, the PLC application needs to send e-mail to our internal SMTP host (192.168.1.101).
    We used to add a static route for 192.168.1.101 to 192.168.2.100, which works; however, it takes a few seconds to use this route (it searches for the .101 on nic 1 first).
    By then the application doesn't send the e-mail anymore.

    What we did as a workaround, so that the desktop didn't have to 'think' about the route, was to use NAT to send to a different internal IP and then translate this to the real IP.
    On the old Sophos we had a DNAT rule like this: traffic from 192.168.2.200 -- any -- to 192.168.3.101 -- action: change destination to 192.168.1.101.

    (screenshot: sophos_nat.PNG)

    This worked without the few seconds' delay and the application was able to send the e-mail(s).

    Now I can't seem to reproduce that NAT rule on the pfSense.

    Any advice or pointers would be appreciated.

    Thank you in advance,
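The DNAT described in the post, written out as pf rules (pfSense builds its ruleset from pf, so a Port Forward in the GUI expands to roughly this). This is an added example, not the thread's own configuration: the LAN interface name "em0" and SMTP on TCP port 25 are assumptions; the addresses are the ones given above.

```pf
# Added example, not from the thread. Reproduces the Sophos DNAT rule:
#   from 192.168.2.200 to 192.168.3.101 -> change destination to 192.168.1.101
# Assumptions: pfSense LAN interface is "em0"; SMTP listens on TCP 25.

lan_if      = "em0"             # assumed pfSense LAN interface name
plc_desktop = "192.168.2.200"   # desktop nic 2 (default route -> 192.168.2.100)
decoy_smtp  = "192.168.3.101"   # unused address the application is pointed at
real_smtp   = "192.168.1.101"   # internal SMTP host
lan_addr    = "192.168.1.161"   # pfSense LAN address

# 1) DNAT: rewrite the destination as the packet arrives on LAN.
#    192.168.3.101 is on neither of the desktop's subnets, so the desktop hands
#    it straight to 192.168.2.100 instead of first looking for it on nic 1,
#    which is what removes the delay described in the post.
rdr on $lan_if inet proto tcp from $plc_desktop to $decoy_smtp port 25 \
    -> $real_smtp port 25

# 2) Source NAT on the way back out the same interface, so the SMTP host
#    replies to pfSense (which holds the state) rather than trying to reach
#    192.168.2.200 on its own. Omit if 192.168.1.101 already routes
#    192.168.2.0/24 via pfSense.
nat on $lan_if inet proto tcp from $plc_desktop to $real_smtp port 25 \
    -> $lan_addr

# 3) Filter rules see post-translation addresses, so pass the real target.
#    Scoped to the one source and port so the decoy address cannot be used
#    to reach anything else on 192.168.1.x.
pass in quick on $lan_if inet proto tcp from $plc_desktop to $real_smtp port 25 \
    keep state
```

In the pfSense GUI the first rule corresponds to Firewall > NAT > Port Forward with Interface LAN, Protocol TCP, Source 192.168.2.200, Destination 192.168.3.101 and Redirect target IP 192.168.1.101 (the matching pass rule is created with it), and the second to a manual or hybrid Outbound NAT entry on LAN.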


  • Rebel Alliance Global Moderator

    What is that interface from? Sure doesn't look like any version of pfSense I recall. Oh, that's your Sophos box. Not sure how we are supposed to understand what you're doing exactly when you don't call out what dvsubxxx equals.

    You seem to have a mess.

    pfsense - lan - 192.168.1.161
    - lan vip - 192.168.2.100

    Why are you running multiple layer 3 on the same layer 2? If your device wanting to send email has an IP in 192.168.1, it wouldn't need a route or gateway to talk to 192.168.1.x.

    Why don't you draw up how you have everything connected, and we can work out what you're doing wrong or what sort of NAT you might need to get it to work.



  • Hello Johnpoz,

    Thank you for the reply.

    Yes it's a mess, but not by choice :).

    The reason is that nic 1 is connected directly to the PLC and the IP address can't be changed.
    However, the internal network is also 192.168.1.x and... can't be changed..

    Anyway, it's fixed by applying the same NAT rules as on the old Sophos box; we just had to figure out how to do this on pfSense.

    But again, not ideal and/or great. But you can't have it all @customers :).

    Thanks !

    Cheers,

    Jack


  • Rebel Alliance Global Moderator

    @mr_jack said in some help on an NAT / Firewall rule.:

    However the internal network is also 192.168.1.x and… can’t be changed…

    I don't buy that, to be honest.. But whatever, if you have it working, no point in beating a dead subject.

    All devices that have an IP can be changed; it just comes down to how much effort you're willing to put into it, is all.



  • @johnpoz

    That's true, I also think that it can be changed. But if the vendor says it can't and the customer doesn't want to jump through hoops... I'm done.

    Again thank you very much for the time. I appreciate that.

    Cheers,

    Jack.