PfSense box not aware of a subnet that appears only in NAT configuration.

gpaschos

Hello,

Not sure if this is the absolutely right place for this question as it seems to be related to both to the VIP and NAT functionalities of pfsense.

So,

There is a pfSense box that has, amongst others, the following interesting to the case interfaces:

For the explanation of the setup, 10.x.x.x addresses represent real IPs and 192.168.x.x private ones.

• A WAN interface using IP 10.10.10.2/27 - Its default GW, the ISP,  is 10.10.10.1
• A LAN interface using  IP 192.168.10.1/24
• An OPT1 interface using  IP 192.168.1.1/25. - This is a DMZ, having servers that offer services to the internet as well as other stuff that should not be in the LAN.
• 1:1 Nat is happening on the WAN for the OPT's servers that need it, using a 10.20.20.0/26 subnet.
• PAT is happening on the WAN for the LAN's clients. The IP used for this purpose is one of the 10.20.20.0/26 subnet

Everything seems to be working fine but there is this "small" issue that has been troubling us:

Traffic destined from LAN to a server in the OPT using its real IP (1:1 nat) goes all the way to the GW of pfsense and comes back.
This is the relevant output of a mtr to the real IP of a server that is on the OPT

1. 192.168.10.1          0.0%     3    1.1   0.9   0.7   1.1   0.2
2. 10.10.10.1             0.0%     3    0.4   0.7   0.4   1.1   0.3
3. 10.20.20.5             0.0%     3   21.9   8.7   2.0  21.9  11.5

The issue seems to be that the  pfSense box isn't aware of the subnet used to NAT the stuff attached on OPT1, which is kinda logical as it has not this subnet attached on any of its physical interfaces. It appears only in NAT configuration.

I've tried to solve this without any success by  adding

• a VIP proxy-arp entry for the whole 10.20.20.0/26 subnet
• a VIP proxy-arp entry for each 1:1 NATed IP
• a VIP other entry for the 1:1 nat IP
• a VIP other entry for the 1:1 nat IP in conjunction with a VIP proxy-arp entry for the whole  subnet
• a static route for the 10.20.20.0/26 subnet pointing to the WAN IP (yea I know, that was really desperate :) )

Another thing is that I havent rebooted the pfsense box while trying the above additions of VIPs

Any insight will be really appreciated.

Regards,
George

GruensFroeschli

Diagram:

internet
                |
                |
   [WAN] 10.10.10.2/27
           pfSense   [OPT1] 192.168.1.1/25 –------ servers
  [LAN] 192.168.10.1/24
                |
                |
            clients

Can you please clarify where you have the 10.20.20.0/26 subnet?
Are these IP's used directly on the servers or as VIP's on the WAN?
Was the 10.20.20.0/26 subnet assigned to you by your ISP? (since these are public IPs)

If so you could add these public IP's to the servers directly.
–> Assign 10.20.20.1 to the pfSense.

Basically: if you 1:1 NAT something you cannot access this forward from the inside itself.
Use for that normal port forwards, since pfSense is able to reflect normal portforwards.

Search the forum for my username and "normal portforward" since i posted in quite a few threads how to do that.

Another alternative is, that you use 1:1 NAT from the outside, and for access from the inside you set up split DNS.
This is described here.
http://forum.pfsense.org/index.php/topic,7001.0.html

gpaschos

@GruensFroeschli:

Diagram:

internet
                |
                |
   [WAN] 10.10.10.2/27
           pfSense   [OPT1] 192.168.1.1/25 –------ servers
  [LAN] 192.168.10.1/24
                |
                |
            clients

Can you please clarify where you have the 10.20.20.0/26 subnet?
Are these IP's used directly on the servers or as VIP's on the WAN?
Was the 10.20.20.0/26 subnet assigned to you by your ISP? (since these are public IPs)

• The 10.20.20.0/26 subnet is allocated for the real IP addressing needs of some boxes that reside in the 192.168.1.0 subnet (OPT1)
  It only exists in the 1:1 NAT configuration page and the NAT-ing is done on the WAN interface.
  I didn't make any VIP for this subnet, except for the PAT-ing of the LAN
• Yes, this real-ip subnet is unique

If so you could add these public IP's to the servers directly.
–> Assign 10.20.20.1 to the pfSense.

This actually is the option that I am considering too. It involves changes on the servers though so was trying a workaround.
The case is that if this was a new installation that would be my approach from the begining.
This was an existing setup that worked having an openbsd box in place before I used pfSense as a way better managed PF solution, especially for the non-BSDers.

Basically: if you 1:1 NAT something you cannot access this forward from the inside itself.
Use for that normal port forwards, since pfSense is able to reflect normal portforwards.

Search the forum for my username and "normal portforward" since i posted in quite a few threads how to do that.

Another alternative is, that you use 1:1 NAT from the outside, and for access from the inside you set up split DNS.
This is described here.
http://forum.pfsense.org/index.php/topic,7001.0.html

Thank you for this tip :)
Found lots of interesting info there and the especially the text about adding aliases on the physical interfaces is very interesting.
If I remember correct this was what I did, adding the 1:1 IPs as aliases on the WAN that is, on the previous box to make it see this, otherwise "virtual" subnet, as local thus appearing on the fw's routing table.
The way I understood the whole VIP concept made me think that it was the way to make something similar.
SplitDNS would be a viable option too if this was an isolated enviroment (not different links going to different places interconnecting private networks which share the same NSs)

Thanks again for your time!

George