GeoIP and NAT



  • I have to say that I am not an expert in FW and networking but I am trying :)

    I have pfsense configured with NAT reflection. This used to work fine as I can access my synology from inside and outside of my network in a consistent way using the public fqdn.
    Now when I implemented geoip filtering I cannot access my synology from the lan :)
    I used 'alias permit' rules only for the ports that I have opened and in the specific NAT rule I put as a 'source IP' an alias that has a few countries including my own country.
    I would think that when I try to access my server from my country and using NAT reflection it should work.
    I took a sniffer capture and I see that my LAN IP tries to connect to the external interface and this fails.
    Nothing on the FW logs
    I remove the source alias and it works
    Accessing from the internet always works the only thing broken is access from my LAN
    Any ideas?

    Edit: Now that I think of it, could it be that the LAN is trying to communicate with the WAN interface but since this is a private address is filtered due to the GeoIP filtering ? I would expect to see the filtering in the FW logs but there is none.





  • Yeah I thought of that but how do you make it work when you do port forwarding say on port 123456 that is then forwarded internally to port 5000 ?
    All the clients are configured to connect to the server on fqdn:123456. Unfortunately, I cannot configure one internal (fqdn:5000) and one external URL (fqdn:123456)
    With NAT reflection this is easy but with split dns I could not find a way to do it



  • This would be another crutch, but you can do port forwards on the LAN interface too. Or simply change the listen port of the synology, if possible.



  • Well, LAN port forwarding does not make much sense since the traffic does not leave the subnet and never reaches pfsense right ?
    In any case I think I found the reason. I whitelisted the local LAN subnet and this seems to work.

    I find it strange that I did not see anything in the FW logs though... Shouldn't that be the case ?

    By the way when I create a whitelist under the IPv4 tab all is good. If I remove the entries of the whitelist, force an update, those ip addresses are not really removed. I had to delete the alias and recreate it again.



  • @cgeo said in GeoIP and NAT:

    Well, LAN port forwarding does not make much sense since the traffic does not leave the subnet and never reaches pfsense right ?

    You try to "hide" your synology with a random port, but you have open devices on the same subnet as your internal devices? Your concept of security needs a thorough update!



  • Ok in this context I understand your previous answer. Given more budget, more space to put extra switches etc I would probably do what you advise. But for just one synology server that is pretty well protected for my standards with 2FA, a firewall to filter massive attacks, ip blocking for consecutive failed attempts and some alert notification I am pretty much covered right now. Your point is valid though and I may consider it if my network grows in the future.

    But my point remains. Shouldn't this be visible in the firewall logs ?



  • @cgeo said in GeoIP and NAT:

    But my point remains. Shouldn't this be visible in the firewall logs ?

    You have the source IP alias already in the NAT rule, so it will not process the port redirect from IPs not covered in that alias. As such the firewall simply sees a connection from your LAN to your WAN address, this is allowed by the default LAN-to-any rule (if it still exists in your config), and so it wont be logged. With this config you simply try to connect to pfSense on a port that is likely not in use.