Internal routing of Vlans



  • Hi everyone,
    I've been trial testing pfSense for the last three months. Keeping security in mind, and also to hide internal IP subnets from the outside, I tried different ways, but they didn't work in pfSense. What am I trying to do?
    I have these subnets:
    Lan : 192.168.10.1/24
    Vlan1: 192.168.100.1/24
    Vlan2: 192.168.200.1/24

    Actually, I want VLAN1 and VLAN2 traffic to be routed to the LAN IP and then out to the gateway.
    Vlan1+Vlan2>>Lan ip>>Gateway
    e.g., 192.168.100.10>> 192.168.10.2>>Gateway
    or
    192.168.100.1/24>>192.168.10.1(Lan gateway)>>Gateway

    192.168.100.10>>internal Virtual ip>>Gateway

    The whole purpose of all this trouble is to hide the source from the external network, because the source private IP can be tracked using different methods. I've been looking into Virtual IPs but I'm not sure how they will work.


  • LAYER 8 Netgate

    It is pretty unclear what you are trying to do. Are those VLANs somehow behind the LAN or something?

    Why should LAN address be involved in routing them out at all?



  • @ak-0 said in Internal routing of Vlans:

    Whole purpose for all this trouble is to hide source from external network because source private ip can be tracked using different methods. Ive been looking into Virtual IPs but not sure how it will work.

    I'd be very interested in understanding some of the methods that can be used to identify an internal IP address that's NATed and why that's important.

    Virtual IPs won't do what you want them to do. They are more for assigning more than one IP address to a pfSense WAN NIC so you can share a block of addresses over one NIC and route them based on IP accordingly (for example, if you need to use port 80 for two web servers, you'd assign one a virtual IP and pfSense would know where to route that incoming traffic <-- one example).


  • LAYER 8 Netgate

    Yeah that explanation makes no sense either. You're going to have to provide more details about exactly what you are trying to do.


  • LAYER 8 Global Moderator

    You want to hide your internal private IP from whom exactly? Some website they go to on the internet? Or something on your WAN network they access which is also private?

    I'm with Derelict in not understanding what you're trying to accomplish.. If you NAT to your WAN IP, then that would be the IP address the outside resource sees.

    Let's say the site uses something like WebRTC to find out the browser's RFC 1918 address - why should it matter? And you can stop WebRTC on the box, etc..

    Please describe what you're wanting to prevent; an example of where you are seeing this internal IP and want to prevent it would be most helpful.



  • @Derelict
    VLANs are created under the physical LAN interface ig0, and the parent interface for these VLANs is ig0.

    Actually, what I want to achieve is that when traffic from the VLANs goes out, it should first reach
    VLAN gateway >> LAN gateway >> WAN port, and should not do VLAN >> WAN port.
    Tracert should be
    1. VLAN IP (192.168.100.1)
    2. LAN IP (192.168.10.1)
    3. Gateway IP (1.2.3.4)
    instead of
    1. VLAN IP (192.168.100.1)
    2. Gateway IP (1.2.3.4)
    I'm trying to double NAT for the VLANs; the first NAT should be internal and then the gateway.

    @tim-mcmanus: If we simply capture the packet, on inspection it can show the source device and then the route the packet came from. So, someone with that much information and hacking knowledge can easily walk into your network. Also, they can send a packet with the header upside down to hit the server behind the pfSense firewall, located on a VLAN.


  • LAYER 8 Netgate

    Still makes no sense. What does the LAN gateway have to do with anything?


  • LAYER 8 Global Moderator

    @ak-0 said in Internal routing of Vlans:

    So, someone with that much information and hacking knowledge

    I think someone has been watching many nonsense hacker movies ;)



  • @Derelict The LAN interface gateway is just used for routing VLAN traffic to the WAN.

    @johnpoz It's just the requirement. I've tried it on Cisco and MikroTik routers and it does work. As mentioned earlier, pfSense is under trial testing to check if it does the things other routers were doing, so it can replace Cisco or MikroTik.


  • LAYER 8 Global Moderator

    Requirement of who?? Sorry, but I've been in the biz for 30-some years.. Ran multiple infosec teams, audits out the ying yang... Never heard of such a thing.. So who is saying you should do it this way? Mr Robot? ;)



  • @johnpoz It's the client's requirement, and they had the same kind of traffic routing setup before. So, the pfSense trial testing is to show that it can do it, or we have to go with other solutions.

    So, if I want to route all VLAN traffic to the LAN and not to the WAN, then this VLAN traffic will go through the LAN interface to the WAN. What can be done to accomplish this?


  • LAYER 8 Global Moderator

    You put your VLANs behind a downstream router and use your "lan" as the transit to get to the edge.. It makes ZERO sense to hit a router, then internally route it to another interface on the same router, and then go out the WAN.. ZERO!!!

    You know, in IT the customer is NOT always right... They have some idiot that should be swapping out mice for users that somehow got into some CSO position? You need to explain to them that it's nonsense to do such a thing..

    Why are you trying to save them money? If Cisco will do such nonsense - then charge them for the $20K Cisco router/ASA and put your 20% markup on it, etc. etc.. And make more money ;) Unless you're trying to charge them a Cisco budget while using pfSense? ;)



  • @ak-0 said in Internal routing of Vlans:

    If we simply capture the packet and on inspection it can show the source device and then the route the packet came from.

    ????

    The packet will show only the source and destination addresses. Nothing at all about the route. Of course, once you pass through NAT the original source is overwritten.
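    As an added illustration of this point (not code from the thread, from pfSense, or from any poster): a minimal IPv4 header builder/parser plus a simplified outbound source-NAT hop. The addresses 198.51.100.1 (WAN) and 203.0.113.5 (remote server) are constructed RFC 5737 documentation values, and 192.168.100.10 is the thread's own example host. Parsing what leaves the WAN side shows that the only fields an outside capture can read are source, destination, TTL and protocol: the private source has been overwritten by the NAT, and nothing in the header records which interfaces the packet crossed on the way out.

```python
import struct
import ipaddress

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options

# Constructed sample addresses: the thread's internal host, plus RFC 5737
# documentation addresses standing in for the WAN and an Internet destination.
INTERNAL_SRC = "192.168.100.10"
WAN_IP = "198.51.100.1"
REMOTE_DST = "203.0.113.5"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ttl: int, proto: int, payload: bytes) -> bytes:
    """Build an IPv4 packet with a correct header checksum."""
    header = struct.pack(IPV4_HDR, (4 << 4) | 5, 0, 20 + len(payload), 0x1234, 0,
                         ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Everything an observer on the wire can read from the IP header."""
    (_ver_ihl, _tos, _total_len, _ident, _flags, ttl, proto,
     _chk, src, dst) = struct.unpack(IPV4_HDR, packet[:20])
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": ipv4_checksum(packet[:20]) == 0,
    }


def snat_forward(packet: bytes, wan_ip: str) -> bytes:
    """Simplified outbound NAT hop: decrement TTL, overwrite the source address,
    recompute the header checksum. A real NAT also rewrites L4 ports and the
    TCP/UDP checksum; that is omitted here because the point is the IP header."""
    fields = list(struct.unpack(IPV4_HDR, packet[:20]))
    if fields[5] <= 1:
        raise ValueError("TTL expired in transit")
    fields[5] -= 1                                       # TTL: one router hop
    fields[7] = 0                                        # clear checksum
    fields[8] = ipaddress.IPv4Address(wan_ip).packed     # source -> WAN address
    header = struct.pack(IPV4_HDR, *fields)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + packet[20:]


def contains_address(packet: bytes, addr: str) -> bool:
    """True if the packed address appears anywhere in the packet bytes."""
    return ipaddress.IPv4Address(addr).packed in packet


def demo() -> dict:
    """Inside view vs. outside view of one constructed UDP packet."""
    inside = build_ipv4(INTERNAL_SRC, REMOTE_DST, 64, 17, b"constructed payload")
    outside = snat_forward(inside, WAN_IP)
    return {"inside": parse_ipv4(inside),
            "outside": parse_ipv4(outside),
            "internal_addr_leaked": contains_address(outside, INTERNAL_SRC)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)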



  • @johnpoz said in Internal routing of Vlans:

    You know in IT the customer is NOT always right..

    Yep, I had one customer last year who had the office wired with CAT6. She was upset that I used a CAT5 cable to connect my computer to the switch. She apparently thought it would bog down the entire network. Apparently her husband reads computer magazines, so that makes her an "expert"! 😉



  • @ak-0 said in Internal routing of Vlans:

    @Derelict
    VLANs are created under the physical LAN interface ig0, and the parent interface for these VLANs is ig0.

    Actually, what I want to achieve is that when traffic from the VLANs goes out, it should first reach
    VLAN gateway >> LAN gateway >> WAN port, and should not do VLAN >> WAN port.
    Tracert should be
    1. VLAN IP (192.168.100.1)
    2. LAN IP (192.168.10.1)
    3. Gateway IP (1.2.3.4)
    instead of
    1. VLAN IP (192.168.100.1)
    2. Gateway IP (1.2.3.4)
    I'm trying to double NAT for the VLANs; the first NAT should be internal and then the gateway.

    @tim-mcmanus: If we simply capture the packet, on inspection it can show the source device and then the route the packet came from. So, someone with that much information and hacking knowledge can easily walk into your network. Also, they can send a packet with the header upside down to hit the server behind the pfSense firewall, located on a VLAN.

    I've worked in environments that required double NATs, and I would suggest avoiding it at all costs. The only real reason to do this is IP overlap between networks. Security through obscurity is not something to rely on, and even if they knew your internal IP was 192.168.1.20, they can't do anything with it from the outside.