Netgate Discussion Forum

Hardcoded IP address redirection

Firewalling
35 Posts 3 Posters 1.7k Views
  • S
    shawty
    last edited by Jul 4, 2019, 1:23 PM

    Hi All,

    I have an old hardware device that I use for testing and collecting data. The manufacturer of the device has gone out of business now, and the device will not boot up correctly without being able to connect to and check a service on their server.

    Their server is no longer online, and so this device cannot reach the service and is basically stuck in limbo, essentially useless.

    The job this device does, it does very well, so I really don't want to replace it (it wasn't cheap to start with either), so I'd like to, if I can, redirect its traffic to an internal server in my network.

    I know exactly what it's doing/trying to do and I've set up a server inside my network to respond to its requests in the manner it expects. The IP address of the server it tries to connect to, however, appears to be hard coded into the device's firmware (there are no options to change it in the config) and it ALWAYS attempts to connect to the same external IP address, no DNS lookups or anything, just straightforward IP access on a few different ports.

    How can I make my pfSense router which acts as my main network gateway send all requests to EG: 5.6.7.8 to the server inside my network EG: 192.168.17.174 rather than them leaving my network and going out the WAN interface onto the internet?

    Here's a rather badly drawn diagram for those who need it (I hacked it together in Mspaint)

    [Image: redirect diagram]

    I'm guessing I may be able to do this using NAT, but all I seem to be able to find in the pfSense docs and guides is NAT examples relating to external to internal port forwarding and similar, there's very little documentation I can find that addresses single IP address redirection.

    Cheers
    Shawty

    • J
      JKnott @shawty
      last edited by Jul 4, 2019, 1:47 PM

      @shawty

      You could probably do it by creating a network with the address range and routing to it, but what about the server it's looking for? What happens when it gets no response from that address? Do you know what it's supposed to provide so that you can emulate it?

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • S
        shawty @JKnott
        last edited by Jul 4, 2019, 1:50 PM

        @JKnott I do indeed, as you can see from my original question, I've already built and programmed a replacement server, I just need to know how to redirect to said server.

        I now control the replacement, and can change it in any way I need.

        • J
          JKnott
          last edited by Jul 4, 2019, 2:17 PM

          First off, if that server is on the local network, pfSense will not do anything other than send out an ICMP redirect. This means you have to do something that puts that server on a different network. That is easy enough to do, either with another NIC or VLAN. Then set up a routing rule appropriately.

          • S
            shawty @JKnott
            last edited by Jul 4, 2019, 2:34 PM

            @JKnott I have a managed switch in the lan that I can partition into as many Vlans as I need, however the actual server in question, that is the replacement that I've built, is actually just a VM running inside a hypervisor (Hyper-V in this case) so I can assign it any network setup I want, I could in theory actually give it the same IP as what the device is looking for, but I still don't know how to make pfSense NOT route the traffic over the WAN interface?

            Assuming I changed the replacement server IP address to something not in my local lan, but not an outside address either for example 10.0.0.1 what would I then need to do in pfSense to make the redirect happen?

            At this point the old device would be in 192.168.17.0/24 with pfSense at 192.168.17.3 and the replacement server sat inside a virtual switch with an IP of 10.0.0.1

            Cheers
            Shawty

            • V
              viragomann
              last edited by Jul 4, 2019, 3:04 PM

              @shawty said in Hardcoded IP address redirection:

              Assuming I changed the replacement server IP address to something not in my local lan, but not an outside address either for example 10.0.0.1 what would I then need to do in pfSense to make the redirect happen?

              Define a VLAN on pfSense and put the replacement server into it.
              Then just add a simple NAT rule to the LAN, translating the destination address in packets meant to 5.6.7.8 to the IP of the replacement server.

              • S
                shawty @viragomann
                last edited by Jul 4, 2019, 3:11 PM

                @viragomann Hi, forgive my numptyness here, but I can't find any menus anywhere in my pfSense web panel that say anything about setting up a VLAN.

                My main problem here, is I know a fair bit about networking, but I know next to nothing about how to configure pfSense.

                Can you tell me, menu for menu, where I need to look for the things I need to do?

                • V
                  viragomann
                  last edited by Jul 4, 2019, 3:22 PM

                  Interfaces > Assignments > VLANs
                  Here you have to define the VLAN by selecting an interface and setting a VLAN Tag (ID)

                  Then go to the "Interface Assignments" tab, at "Available network ports:" select the new VLAN, open the interface settings, enable it and configure the IP and mask.

                  • S
                    shawty @viragomann
                    last edited by Jul 4, 2019, 3:25 PM

                    @viragomann Ah.. great, found it :-) Thanks.

                    • J
                      JKnott @shawty
                      last edited by Jul 4, 2019, 3:28 PM

                      @shawty said in Hardcoded IP address redirection:

                      @JKnott I have a managed switch in the lan that I can partition into as many Vlans as I need, however the actual server in question, that is the replacement that I've built, is actually just a VM running inside a hypervisor (Hyper-V in this case) so I can assign it any network setup I want, I could in theory actually give it the same IP as what the device is looking for, but I still don't know how to make pfSense NOT route the traffic over the WAN interface?

                      Assuming I changed the replacement server IP address to something not in my local lan, but not an outside address either for example 10.0.0.1 what would I then need to do in pfSense to make the redirect happen?

                      At this point the old device would be in 192.168.17.0/24 with pfSense at 192.168.17.3 and the replacement server sat inside a virtual switch with an IP of 10.0.0.1

                      Create a network, on a VLAN that represents the server network, and give the virtual machine the hard coded address. Then create a route that sends packets for that server to it, rather than out the default route. You probably want to make that network as small as possible, a /30, so as to minimize interference with other public addresses.

                      • J
                        JKnott @viragomann
                        last edited by Jul 4, 2019, 3:30 PM

                        @viragomann said in Hardcoded IP address redirection:

                        Then just add a simple NAT rule to the LAN, translating the destination address in packets meant to 5.6.7.8 to the IP of the replacement server.

                        No need for NAT. This is just basic routing.

                        Incidentally, this illustrates the nonsense that comes about with the IPv4 address shortage and use of NAT. People now assume it's the normal way of doing things, rather than recognizing the hack that it is.

                        • S
                          shawty @JKnott
                          last edited by Jul 4, 2019, 3:32 PM

                          @JKnott Create the VLAN on Hyper-V or on pfSense (as @viragomann suggested)?

                          When you say create a route, I assume you mean in pfSense at "System->Routing"?

                          Thanks
                          Shawty

                          • J
                            JKnott @shawty
                            last edited by Jul 4, 2019, 3:34 PM

                            @shawty said in Hardcoded IP address redirection:

                            @viragomann Ah.. great, found it :-) Thanks.

                            That takes care of the pfSense end. You still have to worry about the VM. The configuration there is pretty much the same as for any other computer, except that you now have 2 interfaces to worry about. One is the basic LAN and the other the VLAN. If you want to use both, you'll have to configure the switch port as a trunk, rather than access port, so that both are passed. Then configure the VM to use the VLAN interface.

                            • V
                              viragomann @JKnott
                              last edited by Jul 4, 2019, 3:35 PM

                              @JKnott said in Hardcoded IP address redirection:

                              No need for NAT. This is just basic routing.
                              Incidentally, this illustrates the nonsense that comes about with the IPv4 address shortage and use of NAT. People now assume it's the normal way of doing things, rather than recognizing the hack that it is.

                              Both methods will work. If he gives the server a private IP, NAT is the way to go, otherwise he has to use public IPs internally, which is not recommended on other sites.

                              • S
                                shawty @shawty
                                last edited by Jul 4, 2019, 3:35 PM

                                By the way all, sorry if I'm drawing this out, but I genuinely don't know my way round pfSense, I understand networking theory and all that jazz.

                                My networking skills are in the GSM & Mobile telephony space with things like GTP and SS7, I'm more used to sitting at an iOS command line on a Cisco switch than I am in the world of pfSense :-)

                                • J
                                  JKnott @shawty
                                  last edited by Jul 4, 2019, 3:36 PM

                                  @shawty said in Hardcoded IP address redirection:

                                  @JKnott Create the VLAN on Hyper-V or on pfSense (as @viragomann suggested)?

                                  When you say create a route, I assume you mean in pfSense at "System->Routing"?

                                  Yes, that's where it's done. You create the route to the network, where the server is. There is also the Static Routes page to configure.

                                  • J
                                    JKnott @viragomann
                                    last edited by Jul 4, 2019, 3:39 PM

                                    @viragomann said in Hardcoded IP address redirection:

                                    Both methods will work. If he gives the server a private IP, NAT is the way to go, otherwise he has to use public IPs internally, which is not recommended on other sites.

                                    He said it's a hard coded IP, which means it will be a public address. He has to create a network where that IP can exist and then route to it. Yes, I know he shouldn't be using a public address that's not his, but there's no other choice. That's why I said to make that network as small as possible.

                                    • J
                                      JKnott @shawty
                                      last edited by Jul 4, 2019, 3:41 PM

                                      @shawty said in Hardcoded IP address redirection:

                                      I'm more used to sitting at an iOS command line on a Cisco switch

                                      Someone should rap your knuckles for that. Cisco switches are not made by Apple! It's IOS, not iOS. 😉

                                      • S
                                        shawty @JKnott
                                        last edited by Jul 4, 2019, 3:42 PM

                                        @JKnott ok so let me just make sure I've got this right.

                                        1. In pfSense, create a vlan using "interfaces>assignments->vlans"
                                        2. in hyper-v set up my virtual server to have an ip address EG: 10.0.0.1
                                        3. in hyper-v server create a virtual switch and set its network to be something like 10.0.0.1/30 and give it a vlan tag
                                        4. in pfSense create a route to go from 5.6.7.8 to 10.0.0.1 using "system->routing"
                                        5. in pfSense create a static route to go from 5.6.7.8 to 10.0.0.1 using (I've yet to find the static route menu)

                                        ???

                                        Cheers
                                        shawty

                                        • V
                                          viragomann @JKnott
                                          last edited by Jul 4, 2019, 3:49 PM

                                          @JKnott said in Hardcoded IP address redirection:

                                          He said it's a hard coded IP, which means it will be a public address. He has to create a network where that IP can exist and then route to it.

                                          There's no reason why it shouldn't work with a private IP and NAT.
                                          The responding machine sends its request to the origin public address, pfSense forwards the request to the internal IP. When the internal server responds, pfSense translates the source IP back to the origin public.
                                          The requesting machine won't notice that the request comes from an internal server.
                                          Realized several times.

                                          JKnottJ S 2 Replies Last reply Jul 4, 2019, 4:13 PM Reply Quote 1
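
The translation described in the post above, modelled as an added example (not code from the thread or from pfSense): the gateway rewrites the destination on the way in, keeps a state entry, and restores the source on the reply. The device address 192.168.17.50 and the port numbers are constructed, and the model assumes no source NAT or NAT reflection is configured, which is why a replacement server left on the device's own subnet answers directly and the device sees a reply from the wrong peer.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

HARDCODED = "5.6.7.8"  # placeholder address used in the thread for the firmware target


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Gateway:
    """Toy stateful destination NAT (hypothetical model, not pf itself)."""

    def __init__(self, public_ip, internal_ip):
        self.public_ip = public_ip
        self.internal_ip = internal_ip
        self.states = {}  # (client, cport, server, sport) -> original destination

    def outbound(self, pkt):
        # Only traffic aimed at the hard-coded address is translated.
        if pkt.dst != self.public_ip:
            return pkt
        key = (pkt.src, pkt.sport, self.internal_ip, pkt.dport)
        self.states[key] = pkt.dst
        return replace(pkt, dst=self.internal_ip)

    def reply(self, pkt):
        # A reply matching a state entry gets its source restored.
        orig = self.states.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return replace(pkt, src=orig) if orig else pkt


def device_accepts(request, reply):
    """The device only accepts an answer from the peer it addressed."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == (
        request.dst, request.dport, request.src, request.sport)


def round_trip(device_ip, server_ip, lan_prefix=24):
    """Return (reply as seen by the device, whether the device accepts it)."""
    gw = Gateway(HARDCODED, server_ip)
    request = Packet(device_ip, 40000, HARDCODED, 8080)  # constructed ports
    fwd = gw.outbound(request)
    answer = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)
    # A server on the device's own subnet replies on-link, so the answer
    # never passes back through the gateway and is never un-translated.
    lan = ip_network(f"{device_ip}/{lan_prefix}", strict=False)
    on_link = ip_address(server_ip) in lan
    delivered = answer if on_link else gw.reply(answer)
    return delivered, device_accepts(request, delivered)


if __name__ == "__main__":
    for server in ("10.0.0.1", "192.168.17.174"):
        seen, ok = round_trip("192.168.17.50", server)
        print(f"server {server}: reply source {seen.src}, accepted={ok}")
```
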