    Netgate Discussion Forum
    1:1 NAT Troubles - return traffic issue

      bdf0506:

      I'm having an issue configuring a 1:1 NAT. I have an ESXi host that has a DMZ interface with 1.2.3.0/24 for the WAN, and using 192.168.10.0/24 for the LAN. I am running pfSense on this host.

      WAN: 1.2.3.20
      LAN: 192.168.10.1

      Ultimately, I am trying to configure a 1:1 NAT, so that 1.2.3.21 -> 192.168.10.21. Seems simple enough.

      I went to the 1:1 NAT page and set:
      Interface: WAN
      External Subnet IP: 1.2.3.21
      Internal IP: Single host, 192.168.10.21

      When I do this, if I try to reach 1.2.3.21:443 from the outside (let's call my source IP 2.3.4.5), I see the traffic reaching the 192.168.10.21 host in a tcpdump on that host, and responding back to 2.3.4.5. Problem is, I never see the return packet to 2.3.4.5 hit the pfSense - in fact, I don't see any traffic from 192.168.10.21 hit the pfSense, so it seems like it doesn't know how to get back to pfSense to send it back to me.

      Maybe I am missing a route of some sort? What am I doing wrong here?

        netblues @bdf0506:

        @bdf0506 192.168.10.21 default gateway points to?

          bdf0506:

          192.168.10.21 points to 192.168.10.254. I'm guessing I need it to point to the pfSense LAN address, but if I do that, it presents a whole new problem, as I don't control the gateway - a third party does, and I can't modify the gateway that is being used and I really can't mess with those routes.

          I'll have to play around with this if you believe that is the issue.

            netblues @bdf0506:

            @bdf0506 I don't think. I'm sure. You need to have default gateway pointing to pf.

            Or make 192.168.10.254 forward all traffic to pf.

              bdf0506:

              Got it. Thanks for keeping me in check on this. I don't think this setup will work given my arch.

                bdf0506:

                @netblues here's the full use case, let's see if you can help me come to a solution - any help is much appreciated.

                On a network that I do not manage, and can't make any modifications to, I've been given 2 ESXi hosts. Each ESXi has two port groups available - one is the DMZ network in 1.2.3.0/24 and the other is the internal network 192.168.10.0/24. The ESXi hosts are IP'd in the 192.168.10.0/24 subnet and ESXi 1 is 192.168.10.11, ESXi 2 is 192.168.10.12, and the GW for this network is 192.168.10.254.

                While I can simply use the 1.2.3.0/24 DMZ for the host IPs, I will have no control over the traffic that is coming into these hosts, as I'd like to apply firewall rules and see activity to the hosts.

                I would rather IP my hosts in 192.168.10.0/24, and run a 1:1 NAT from the DMZ to the internal hosts. I gave the WAN interface of pfSense 1.2.3.20 (which is connected to the DMZ port group), and gave the LAN interface 192.168.10.1 (which is connected to the management network port group). As mentioned before, I can't adjust the gateway of the hosts, so the hosts will have to run through 192.168.10.254. I think without being able to modify the gateway, there's nothing I can really do.

                I thought of creating an internal only subnet to use, but I won't be able to share that subnet between both ESXi hosts, and also other hosts outside this network won't ever be able to find this subnet since the rest of the network doesn't know about this private network. I also thought about carving out part of the 192.168.10.0/24 network for use as well, but there would be too many other routing issues.

                Any other ideas that could solve this? Thanks for the help.

                  netblues @bdf0506:

                  @bdf0506 said in 1:1 NAT Troubles - return traffic issue:

                  @netblues here's the full use case, let's see if you can help me come to a solution - any help is much appreciated.

                  I've been given 2 ESXi hosts.
                  Any other ideas that could solve this? Thanks for the help.

                  Does this mean that you are administering the guest hosts? You are root/administrator and can make changes on the guest os settings?

                    bdf0506 @netblues:

                    @netblues yes, that is correct. I have full root access to the ESXi host and the guest hosts as well on the ESXi. I just don’t have access to make any network changes outside of what is available to me outside of ESXi.

                      netblues @bdf0506:

                      Now I'm confused.
                      You have two guest hosts on esxi, one of them being the pf.
                      And you have full admin access on the guests.
                      So you can change the default gw on host1 to point to pf lan on host2.
                      I suspect these two are on the same bridge or other common interface.

                      As for the rest of the network, you can route e.g. all RFC 1918 IP space to the original default gw and keep everybody at bay.

                      Perhaps I'm missing something here. Please elaborate.

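The routing change netblues describes, modelled as an added example that is not part of the thread: a longest-prefix-match lookup over the guest's routing table shows why 192.168.10.21's reply to 2.3.4.5 currently leaves via 192.168.10.254 and never reaches pfSense, and how a default route via the pfSense LAN plus RFC 1918 routes via the original gateway makes the path symmetric again. The addresses come from the thread; the route tables and the `linux_route_commands` helper (which assumes a Linux guest) are constructed here.

```python
import ipaddress

# Addresses taken from the thread
PF_LAN = "192.168.10.1"      # pfSense LAN interface (inbound 1:1 NAT traffic arrives from here)
ORIG_GW = "192.168.10.254"   # third-party gateway the guest currently uses as its default
CLIENT = "2.3.4.5"           # outside client that reached 1.2.3.21:443
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; returns the gateway or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

# Guest table as described in the thread (constructed): on-link subnet plus a default via .254
ROUTES_BEFORE = [("192.168.10.0/24", "on-link"), ("0.0.0.0/0", ORIG_GW)]

# Guest table after netblues's suggestion (constructed): default via pfSense,
# RFC 1918 space pinned to the original gateway so internal traffic is unaffected
ROUTES_AFTER = [("192.168.10.0/24", "on-link"), ("0.0.0.0/0", PF_LAN)] + [
    (prefix, ORIG_GW) for prefix in RFC1918
]

def reply_is_symmetric(routes, client=CLIENT):
    """pfSense only sees the NAT'd reply if the guest sends it back through the pfSense LAN."""
    return next_hop(routes, client) == PF_LAN

def linux_route_commands(routes):
    """Hypothetical helper for an assumed Linux guest: render the table as iproute2 commands."""
    cmds = []
    for prefix, gw in routes:
        if gw == "on-link":
            continue  # connected subnet; installed by the interface address itself
        if prefix == "0.0.0.0/0":
            cmds.append(f"ip route replace default via {gw}")
        else:
            cmds.append(f"ip route replace {prefix} via {gw}")
    return cmds

if __name__ == "__main__":
    for name, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(f"{name}: reply to {CLIENT} -> {next_hop(table, CLIENT)}, "
              f"symmetric={reply_is_symmetric(table)}")
    print("\n".join(linux_route_commands(ROUTES_AFTER)))
```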