    GeoIP and NAT

    pfBlockerNG
cgeo last edited by cgeo

I have to say that I am not an expert in FW and networking, but I am trying :)

I have pfSense configured with NAT reflection. This used to work fine, as I could access my Synology from inside and outside of my network in a consistent way using the public FQDN.
Now that I have implemented GeoIP filtering, I cannot access my Synology from the LAN :)
I used 'alias permit' rules only for the ports that I have opened, and in the specific NAT rule I put as the 'source IP' an alias that has a few countries, including my own country.
I would think that when I try to access my server from my country using NAT reflection it should work.
I took a sniffer capture and I see that my LAN IP tries to connect to the external interface and this fails.
Nothing in the FW logs.
If I remove the source alias, it works.
Accessing from the internet always works; the only thing broken is access from my LAN.
Any ideas?

Edit: Now that I think of it, could it be that the LAN is trying to communicate with the WAN interface, but since this is a private address it is filtered due to the GeoIP filtering? I would expect to see the filtering in the FW logs, but there is none.

Grimson (Banned) last edited by

NAT reflection is a crutch; use split DNS: https://www.netgate.com/docs/pfsense/nat/accessing-port-forwards-from-local-networks.html#method-2-split-dns

cgeo last edited by cgeo

Yeah, I thought of that, but how do you make it work when you do port forwarding, say on port 123456, that is then forwarded internally to port 5000?
All the clients are configured to connect to the server on fqdn:123456. Unfortunately, I cannot configure one internal (fqdn:5000) and one external URL (fqdn:123456).
With NAT reflection this is easy, but with split DNS I could not find a way to do it.

Grimson (Banned) last edited by

This would be another crutch, but you can do port forwards on the LAN interface too. Or simply change the listen port of the Synology, if possible.

cgeo last edited by

Well, LAN port forwarding does not make much sense, since the traffic does not leave the subnet and never reaches pfSense, right?
In any case, I think I found the reason. I whitelisted the local LAN subnet and this seems to work.

I find it strange that I did not see anything in the FW logs though... Shouldn't that be the case?

By the way, when I create a whitelist under the IPv4 tab all is good. If I remove the entries of the whitelist and force an update, those IP addresses are not really removed. I had to delete the alias and recreate it again.

Grimson (Banned) @cgeo last edited by

                @cgeo said in GeoIP and NAT:

Well, LAN port forwarding does not make much sense, since the traffic does not leave the subnet and never reaches pfSense, right?

You try to "hide" your Synology with a random port, but you have open devices on the same subnet as your internal devices? Your concept of security needs a thorough update!

cgeo last edited by

Ok, in this context I understand your previous answer. Given more budget, more space to put extra switches, etc., I would probably do what you advise. But for just one Synology server that is pretty well protected by my standards, with 2FA, a firewall to filter massive attacks, IP blocking for consecutive failed attempts and some alert notifications, I am pretty much covered right now. Your point is valid though, and I may consider it if my network grows in the future.

But my point remains. Shouldn't this be visible in the firewall logs?

Grimson (Banned) @cgeo last edited by

                    @cgeo said in GeoIP and NAT:

But my point remains. Shouldn't this be visible in the firewall logs?

You have the source IP alias already in the NAT rule, so it will not process the port redirect for IPs not covered by that alias. As such, the firewall simply sees a connection from your LAN to your WAN address; this is allowed by the default LAN-to-any rule (if it still exists in your config), and so it won't be logged. With this config you simply try to connect to pfSense on a port that is likely not in use.

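The rule-evaluation order Grimson describes, as an added model (not code from the thread or from pfSense): a port forward whose source is restricted to a GeoIP alias is skipped for a LAN client hitting the WAN address, so the packet falls through to the unlogged default LAN-to-any pass rule; adding the LAN subnet to the alias, as cgeo did, makes the redirect match again. All addresses, ports and alias contents below are constructed.

```python
import ipaddress

# Constructed lab values, not from the thread.
WAN_ADDR = "203.0.113.10"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
SYNOLOGY = "192.168.1.50"
EXT_PORT, INT_PORT = 12345, 5000

# pfBlockerNG-style "permit" alias holding a few country ranges (constructed),
# used as the *source* of the port-forward rule, as in cgeo's setup.
GEOIP_ALIAS = [ipaddress.ip_network("198.51.100.0/24"),
               ipaddress.ip_network("192.0.2.0/24")]
# cgeo's fix: the same alias with the local LAN subnet whitelisted.
GEOIP_ALIAS_WITH_LAN = GEOIP_ALIAS + [LAN_NET]


def in_alias(ip, alias):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in alias)


def evaluate(src_ip, dst_ip, dst_port, alias):
    """Return ((dst after NAT), matched rule, logged?) for one inbound packet.

    Step 1 is the rdr (port forward) with its source alias; step 2/3 are the
    filter rules seen afterwards. Pass rules are modelled as not logging
    (pfSense only logs them when 'Log' is ticked); the default deny logs.
    """
    # 1. Port forward: only when the source is inside the alias.
    if dst_ip == WAN_ADDR and dst_port == EXT_PORT and in_alias(src_ip, alias):
        return (SYNOLOGY, INT_PORT), "portfwd-associated-pass", False
    # 2. No redirect happened. A LAN source now reaches the WAN address itself
    #    on EXT_PORT, which the default LAN-to-any rule passes without logging
    #    (pfSense is probably not listening there, hence the silent failure).
    if ipaddress.ip_address(src_ip) in LAN_NET:
        return (dst_ip, dst_port), "default-lan-to-any", False
    # 3. Anything else from WAN matches no pass rule: default deny, logged.
    return (dst_ip, dst_port), "default-deny", True


if __name__ == "__main__":
    for alias, label in ((GEOIP_ALIAS, "countries only"),
                         (GEOIP_ALIAS_WITH_LAN, "countries + LAN")):
        print(label, evaluate("192.168.1.20", WAN_ADDR, EXT_PORT, alias))
```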