Hardcoded IP address redirection



  • Hi All,

    I have an old hardware device that I use for testing and collecting data. The manufacturer of the device has gone out of business now, and the device will not boot up correctly without being able to connect to and check a service on their server.

    Their server is no longer online, and so this device cannot reach the service and is basically stuck in limbo essentially useless.

    The job this device does, it does very well, so I really don't want to replace it (It wasn't cheep to start with either) , so I'd like to if I can redirect it's traffic to an internal server in my network.

    I know exactly what it's doing/trying to do and I've set up a server inside my network to respond to it's requests in the manner it expects, the IP address of the server it tries to connect to however appears to be hard coded into the devices firmware (There's no options to change it in the config) and it ALWAYS attempts to connect to the same external IP address, no DNS lookups or anything just straight forward IP access on a few different ports.

    How can I make my pfSense router which acts as my main network gateway send all requests to EG: 5.6.7.8 to the server inside my network EG: 192.168.17.174 rather than them leaving my network and going out the WAN interface onto the internet?

    Here's a rather badly drawn diagram for those who need it (I hacked it together in Mspaint)

    redirect diagram

    I'm guessing I may be able to do this using NAT, but all I seem to be able to find in the pfSense docs and guides is NAT examples relating to external to internal port forwarding and similar, there's very little documentation I can find that addresses single IP address redirection.

    Cheers
    Shawty



  • @shawty

    You could probably do it by creating a network with the address range and routing to it, but what about the server it's looking for? What happens when it gets no response from that address? Do you know what it's supposed to provide so that you can emulate it?



  • @JKnott I do indeed, as you can see from my original question, Iv'e already built and programmed a replacement server, I just need to know how to redirect to said server.

    I now control the replacement, and can change it in anyway I need.



  • First off, if that server is on the local network, pfSense will not do anything other than send out an ICMP redirect. This means you have to do something that puts that server on a different network. That is easy enough to do, either with another NIC or VLAN. Then set up a routing rule appropriately.



  • @JKnott I have a managed switch in the lan that I can partition into as many Vlans as I need, however the actual server in question, that is the replacement that Iv'e built is actually just a VM running inside a hypervisor (Hyper-V in this case) so I can assign it any network setup I want, I could in theory actually give it the same IP as what the device is looking for, but I still don't know how to make pfSense NOT route the traffic over the WAN interface?

    Assuming I changed the replacement server IP address to something not in my local lan, but not an outside address either for example 10.0.0.1 what would I then need to do in pfSense to make the redirect happen?

    At this point the old device would be in 192.168.17.0/24 with pfSense at 192.168.17.3 and the replacment server sat inside a virtual switch with an IP of 10.0.0.1

    Cheers
    Shawty



  • @shawty said in Hardcoded IP address redirection:

    Assuming I changed the replacement server IP address to something not in my local lan, but not an outside address either for example 10.0.0.1 what would I then need to do in pfSense to make the redirect happen?

    Define a VLAN on pfSense and put the replacement server into it.
    Then just add a simple NAT rule to the LAN, translating the destination address in packets meant to 5.6.7.8 to the IP of the the replacement server.



  • @viragomann Hi, forgive my numptyness here, but I can't find any menus anywhere in my pfSense web panel that say anything about setting up a VLAN.

    My main problem here, is I know a fair bit about networking, but I know next to nothing about how to configure pfSense.

    Can you tell me menu, for menu where I need to look for the things I need to do?



  • Interfaces > Assignments > VLANs
    Here you have to define the VLAN by selecting an interface and setting a VLAN Tag (ID)

    Then go to the "Interface Assignments" tab, at "Available network ports:" select the new VLAN, open the interface settings, enable it and configure the IP and mask.



  • @viragomann Ah.. great, found it :-) Thanks.



  • @shawty said in Hardcoded IP address redirection:

    @JKnott I have a managed switch in the lan that I can partition into as many Vlans as I need, however the actual server in question, that is the replacement that Iv'e built is actually just a VM running inside a hypervisor (Hyper-V in this case) so I can assign it any network setup I want, I could in theory actually give it the same IP as what the device is looking for, but I still don't know how to make pfSense NOT route the traffic over the WAN interface?

    Assuming I changed the replacement server IP address to something not in my local lan, but not an outside address either for example 10.0.0.1 what would I then need to do in pfSense to make the redirect happen?

    At this point the old device would be in 192.168.17.0/24 with pfSense at 192.168.17.3 and the replacment server sat inside a virtual switch with an IP of 10.0.0.1

    Create a network, on a VLAN that represents the server network, and give the virtual machine the hard coded address. Then create a route that sends packets for that server to it, rather than out the default route. You probably want to make that network as small as possible, a /30, so as to minimize interference with other public addresses.



  • @viragomann said in Hardcoded IP address redirection:

    Then just add a simple NAT rule to the LAN, translating the destination address in packets meant to 5.6.7.8 to the IP of the the replacement server.

    No need for NAT. This is just basic routing.

    Incidentally, this illustrates the nonsense that comes about with the IPv4 address shortage and use of NAT. People now assume it's the normal way of doing things, rather than recognizing the hack that it is.



  • @JKnott Create the VLAN on Hyper-V or on pfSense (as @viragomann suggested)?

    When you say create a route, I assume you mean in pfSense at "System->Routing"?

    Thanks
    Shawty



  • @shawty said in Hardcoded IP address redirection:

    @viragomann Ah.. great, found it :-) Thanks.

    That takes care of the pfSense end. You still have to worry about the VM. The configuration there is pretty much the same as for any other computer, except that you now have 2 interfaces to worry about. One is the basic LAN and the other the VLAN. If you want to use both, you'll have to configure the switch port as a trunk, rather than access port, so that both are passed. Then configure the VM to use the VLAN interface.



  • @JKnott said in Hardcoded IP address redirection:

    No need for NAT. This is just basic routing.
    Incidentally, this illustrates the nonsense that comes about with the IPv4 address shortage and use of NAT. People now assume it's the normal way of doing things, rather than recognizing the hack that it is.

    Both methods will work. If he gives the server a private IP, NAT is the way to go, otherwise he has to use public IPs internally, which is not recommended on other sites.



  • By the way all, sorry if I'm drawing this out, but I genuinely don't know my way round pfSense, I understand networking theory and all that jazz.

    My networking skills are in the GSM & Mobile telephony space with things like GTP and SS7, I'm more used to sitting at an iOS command line on a Cisco switch than I am in the world of pfSense :-)



  • @shawty said in Hardcoded IP address redirection:

    @JKnott Create the VLAN on Hyper-V or on pfSense (as @viragomann suggested)?

    When you say create a route, I assume you mean in pfSense at "System->Routing"?

    Yes, that's where it's done. You create the route to the network, where the server is. There is also the Static Routes page to configure.



  • @viragomann said in Hardcoded IP address redirection:

    Both methods will work. If he gives the server a private IP, NAT is the way to go, otherwise he has to use public IPs internally, which is not recommended on other sites.

    He said it's a hard coded IP, which means it will be a public address. He has to create a network where that IP can exist and then route to it. Yes, I know he shouldn't be using a public address that's not his, but there's no other choice. That's why I said to make that network as small as possible.



  • @shawty said in Hardcoded IP address redirection:

    I'm more used to sitting at an iOS command line on a Cisco switch

    Someone should rap your knuckles for that. Cisco switches are not made by Apple! It's IOS, not iOS. ๐Ÿ˜‰



  • @JKnott ok so let me just make sure I've got this right.

    1. In pfSense, create a vlan using "interfaces>assignments->vlans"
    2. in hyper-v set up my virtual server to have an ip address EG: 10.0.0.1
    3. in hyper-v server create a virtual switch and set it's network to be something like 10.0.0.1/30 and give it a vlan tag
    4. in pfSense create a route to go from 5.6.7.8 to 10.0.0.1 using "system->routing"
    5. in pfSense create a static route to go from 5.6.7.8 to 10.0.0.1 using (Iv'e yet to find the static route menu)

    ???

    Cheers
    shawty



  • @JKnott said in Hardcoded IP address redirection:

    He said it's a hard coded IP, which means it will be a public address. He has to create a network where that IP can exist and then route to it.

    There's no reason, why it shouldn't work with a private IP and NAT.
    The responding machine sends its request to the origin public address, pfSense forwards the request to the internal IP. When the internal server responses, pfSense translates the source IP back to the origin public.
    The requesting machine won't notice that the request comes from an internal server.
    Realized several times.



  • @JKnott

    @JKnott said in Hardcoded IP address redirection:

    @shawty said in Hardcoded IP address redirection:

    I'm more used to sitting at an iOS command line on a Cisco switch

    Someone should rap your knuckles for that. Cisco switches are not made by Apple! It's IOS, not iOS. ๐Ÿ˜‰

    Sorry :-( LOL.... I'll consider my knuckles rapped (For what it's worth I have a similar aversion to fruit based technology, imagine the reply my boss got when I was told they where going to train me on blackberry servers)



  • @viragomann said in Hardcoded IP address redirection:

    There's no reason, why it shouldn't work with a private IP and NAT.

    Does pfSense support LAN to LAN NAT?



  • @shawty said in Hardcoded IP address redirection:

    I'll consider my knuckles rapped (For what it's worth I have a similar aversion to fruit based technology, imagine the reply my boss got when I was told they where going to train me on blackberry servers)

    I'm allergic to Apple gear. ๐Ÿ˜‰



  • @viragomann said in Hardcoded IP address redirection:

    @JKnott said in Hardcoded IP address redirection:

    He said it's a hard coded IP, which means it will be a public address. He has to create a network where that IP can exist and then route to it.

    There's no reason, why it shouldn't work with a private IP and NAT.
    The responding machine sends its request to the origin public address, pfSense forwards the request to the internal IP. When the internal server responses, pfSense translates the source IP back to the origin public.
    The requesting machine won't notice that the request comes from an internal server.
    Realized several times.

    Sorry, been reading, didn't notice this reply:

    So are you saying that I don't actually need Vlans here then? Let's say:

    Device = 192.168.17.140 tries to connect to 5.6.7.8
    pfSense-LAN = 192.168.17.3
    pfSense-WAN = 1.2.3.4
    NEW-Server = 10.0.0.1

    Can I then just set up a NAT rule, on the pfSense LAN interface that says (Make any IP that's equal to 5.6.7.8 become equal to 10.0.0.1) along with a corresponding LAN rule that does the reverse, and not configure any Vlans anywhere at all?



  • @shawty said in Hardcoded IP address redirection:

    @JKnott ok so let me just make sure I've got this right.

    1. In pfSense, create a vlan using "interfaces>assignments->vlans"
    2. in hyper-v set up my virtual server to have an ip address EG: 10.0.0.1
    3. in hyper-v server create a virtual switch and set it's network to be something like 10.0.0.1/30 and give it a vlan tag
    4. in pfSense create a route to go from 5.6.7.8 to 10.0.0.1 using "system->routing"
    5. in pfSense create a static route to go from 5.6.7.8 to 10.0.0.1 using (Iv'e yet to find the static route menu)

    ???

    That's the general idea. I find the best way to learn something is to try it and then ask here if any issues turn up.



  • @JKnott Yea I find that too, but in this case I have to be careful I don't kill the pfSense setup as I have other users who rely on it's connectivity too, I also have some public facing sites of my own that are forwarded from WAN -> LAN accessible to some of my clients, so I've got to tread a little carefully here :-)

    I'm currently reading a load of different posts on different aspects of pfSense.

    Cheers
    Shawty



  • @JKnott said in Hardcoded IP address redirection:

    Does pfSense support LAN to LAN NAT?

    No, but you can NAT between different internal interface like LAN1 <> LAN2.



  • @shawty said in Hardcoded IP address redirection:

    So are you saying that I don't actually need Vlans here then?

    You need VLAN anyway. NAT only works between different networks.



  • @viragomann said in Hardcoded IP address redirection:

    @shawty said in Hardcoded IP address redirection:

    So are you saying that I don't actually need Vlans here then?

    You need VLAN anyway. NAT only works between different networks.

    Question: Can I make one interface on pfSense have 2 different IP addresses? For example in the windows machine I type this on, I only have one physical NIC, but I have an adress in the 192.168.17.0/24 network and an address in the 192.168.40.0/24 network on it (The lights out controllers for my servers are all in the 40 subnet)



  • @viragomann said in Hardcoded IP address redirection:

    No, but you can NAT between different internal interface like LAN1 <> LAN2.

    Then you're back to basic routing with no need for NAT.

    NAT has become a curse on networking, because so many think it's the normal or even proper way to do things. Why use it, when it's not necessary, as in this case???



  • @shawty said in Hardcoded IP address redirection:

    Question: Can I make one interface on pfSense have 2 different IP addresses?

    Yes, you can create an alias, but it won't fix the problem. When a packet for that network hits pfSense, it will see that the destination is on the same wire and send out an ICMP redirect saying to go to that destination directly and don't bother him.



  • @shawty said in Hardcoded IP address redirection:

    Can I make one interface on pfSense have 2 different IP addresses?

    Firewall > Virtual IPs
    Add additional IPs here, use type "IP alias".



  • @JKnott oh, of course..... (Slaps Self) it's exactly the same reason why you get backhaul redirects if you try to bind two MSC's to the same interface on an SGSN node inside the BSS subsystem on a GSM network.

    Makes total sense how the Vlan's come into play now... I was so busy thinking about this from a pfSense/PC point of view that I never stopped to think about the parallels of how I would do it on a GSM setup.

    Right then, off I shall go and give all this a try then.....

    You'll know if it didn't work, you'll see a mushroom cloud go up over north east England :-)

    Cheers
    Shawty



  • @shawty said in Hardcoded IP address redirection:

    You'll know if it didn't work, you'll see a mushroom cloud go up over north east England :-)

    I thought that was the Russian nuclear sub that caught fire the other day. ๐Ÿ˜‰



  • PS: I'll report back once I have any more to say ....

    Thanks all for your help so far.


Log in to reply