First configuration : NAT
I'm quite lost with NAT I think.
I'm trying to configure a 3 interfaces SG-1100:
- WAN = 192.168.1.253/24
- DMZ = 10.10.12.254/24 + Linux server @ 10.10.12.1
- LAN = 10.10.10.254/24
LAN to WAN (outbound NAT) looks working.
LAN to DMZ (1:1) is not.
WAN to DMZ (port forward) not tested
What I want : each 10.10.10.0/24 IP to be nat 1:1 on DMZ interface in 10.10.12.0/24.
So I tried 1:1 with :
- Interface : DMZ
- External IP : 10.10.12.0/24
- Internal IP : 10.10.10.0/24
But I can't manage to ping 10.10.12.1 from my lan :/
Any idea what I should look at?
Side question: how do I get rid of all "IPv6 alerts" in system logs?
Why? What are you really trying to do here?
Huh? Why would you be natting anything between 2 rfc1918 network?
I want to mask my internal network.
My server (10.10.12.1) is in DMZ and all my other devices are in LAN.
I want to be able to communicate directly with any device in LAN from my server for several purpose (like SNMP monitoring, Syslog; NFS, SMB, etc).
I want any of my LAN device to have a unique IP in DMZ.
Exemple: my internal switch with IP 10.10.10.253 in LAN must be seen as 10.10.12.253 in DMZ
As I have many devices in my LAN, I would like to NAT all of them at once and not one by one.
Note: it is something I'm already doing with my PIX, I would like to reproduce the same behaviour.
static (inside,dmz) 10.10.12.0 10.10.10.0 netmask 255.255.255.0
Note2: not doing so would mean I have to reconfigure absolutely every services on my server and I would like not to do it if possible.
@johnpoz no, from anyone that would be able to connect to my server in DMZ and able to successfully exploit a vulnerability.
Should I really need to explain why I want to do that?
The simple answer is : I was doing this with my Pix and all my configuration is based on that.
I want to reproduce this behavior.
Isn't it possible with pfSense?
Does it have any drawbacks?
from anyone that would be able to connect to my server in DMZ and able to successfully exploit a vulnerability.
You understand if your calling it a dmz.. it wouldn't be able to even connect to your lan - no matter if they know the IP or not..
While you can allow connections from your lan to your "dmz" vlan - just set your rules so that anything in the dmz can not start a conversation with anything in your lan.
Or just allow specific that you might need, for example some of my restricted vlans.. like my roku vlan can talk to my plex on port 32400.. But they need to know what that IP is, etc.. Be it hidden or not wouldn't matter.. If say they exploited some box and know that it was talking to plex be it IP looking like it was 10.1.10.x or 10.1.12.x etc.. The traffic is either allowed or not - masking what the IP is does nothing.
Example - here is a limited vlan example. devices in this vlan can ping pfsense IP in that vlan, dns and ntp. But everything else is not possible.
@johnpoz I understand all of that... I shouldn't have to say it but I work in computer security for more than twenty years, so yeah I know all of that.
This is not my question, I would like to know if it's possible to do it or not?
Because I don't want to have to reconfigure anything and my reasons to obfuscate my lan stand because I don't like simplify the job for hackers. But really, why should I have to justify myself on something rather standard?
Sure you can nat to anything you want - you would just have to set it up... Just POINTLESS..
Not asking you to justify anything - just trying to understand why anyone would do such a thing.. Does nothing but over complex something that serves no purpose. And provides no extra anything from a security standpoint.
@johnpoz please stop because it's going nowhere.
That's your opinion, not mine.
Simply the fact that I would not have to reconfigure everything should be enough for you.
I just want to know how to do it. If you don't want to help, fine, but please stop with what you are doing
For this to work - the IPs that would be natted would have to exist on pfsense interface - so @KOM you setup vips in this 10.1.10 network on pfsense?
If you have a network 10.1.10 as lan, and 10.1.12 as dmz
And you want to hit 10.1.10.X and get natted 1:1 to dmz that .X would have to be an IP on pfsense lan interface. Or why would the traffic ever get sent to pfsense to get natted and sent to its 1:1 match up in 10.1.12
Here - I setup a vip on my lan 192.168.9.32, setup a 1:1 nat to 192.168.3.32 (my dmz vlan)
Now I ping 192.168.9.32 from client on my lan 192.168.9.100, it gets answers. And via the sniff done on pfsense dmz interface you can see the traffic was sent and answered by 192.168.3.32
Now if this has something to do with the multi wan nat issue - but seems to be working as expected on 21.02.2
This sort of setup just doesn't make any sense from any way you look at.. Be it you hide the actual IP from lan or not - the access is still there..
@johnpoz Sure did. When I couldn't get it going, I double-checked the docs at
In my KVM lab, I created my VIP on my DMZ, then a 1:1 NAT to a Mint box on LAN. Server on DMZ could not ping the VIP successfully. Now I also have block rules on DMZ to prevent traffic to LAN, but I assumed the NAT would bypass that. Perhaps I'm wrong?
Do you have rule that prevents access to your vip?
@johnpoz The DMZ, VIP and ubuntu server are all on the same subnet so rules shouldn't matter, but no I don't have anything specific to that VIP.
Block to VLAN20 net
Block to LAN net
Allow DMZ to Any
and that's it.
So you still need a rule that allows the nat.. Here I just blocked access on lan to 192.168.3.32
And if try and ping 192.168.9.32 it fails.
@johnpoz I added an Allow rule on DMZ for my VIP and it still doesn't work.
Do me a favour and recreate your test going the other way, DMZ to LAN instead of LAN to DMZ? My tiny brain is spinning trying to keep my lab setup, your config and his config all straight.
Meanwhile it's lunchtime. Back in a few.
Ok flipped it - doesn't matter
Put the vip on the dmz interface, setup the 1:1 nat on the dmz interface, created a firewall rule to allow that access to the 9.100 IP..
Works just fine..
For my next trick - I will go wash my car in the rain.. Then water my lawn.. Same sort of nonsense as doing this sort of thing.
@johnpoz OK I got it working. I had my allow rule pointing to my VIP instead of the LAN address I was natting to.
Yeah the nat rule is evaluated before the firewall rule - but the actual traffic has to be allowed for it to work.. Just like any normal port forward..
@johnpoz I know all of that which makes it extra-stupid on my part.
Hi both, thanks for your investigations.
However, it's not a single IP I would like to nat 1:1 but a whole network.
If you need screens, I'll post them this afternoon.
And how would you do that when some IPs on the network you want to nat are on device on that L2..
If you have 10.1.10 on A, and 10.1.12 on B you can not 1:1 nat either of those for a whole network.. You would need a 3rd network. Say 10.1.11
@johnpoz why that ?
Of course I would not NAT the server IP.
Honestly, it's working with the Pix and it's bugging me it's not working with pfSense/Netgate :(
Should I make a NAT exception for the Server IP and the pfSense IP (if possible)?
You can't have the same IP in 2 places. if you have device 10.1.10.x on a device in A, how can you also say 10.1.10.x nats to 10.1.12.x
In my example, I don't have a 192.168.9.32 device, nor do I have a 192.168.3.100 device
@johnpoz I don't have such device, the only concern is how pfsense is handling arp, does it create a nat only when a device goes through the netgate or does it make a reservation for the whole network ?
Basically if internall I don't have a 10.10.12.1 device, i will not have any problem reaching the server in DMZ, of course if I have a 10.10.10.1 device and try to reach 10.10.12.1 from it, it wont work but that's not what I have.
So should I configure a /24 1:1 NAT (with eventually a NAT exclusion if necessary and possible) or should I break it down in smaller subnets (/25, etc)? Better option: can we nat an IP range instead of a subnet?
If you create vip in a range.. It will answer arp for any of those IPs.. The only way to create such a range is via the proxy arp vip.
This can be problematic if you have a host in that actual range. On which device answers the arp first, or at all..
Like I said your complicating the design of the network - for no real added security at all. More complex leads to greater chance of issues, greater chance of configuration mistakes..
There is really no reason to nat rfc1918 to rfc1918.. I could see doing it if you were trying to get a device without a gateway to talk to something else in another vlan.. If you needed vlans that are on the same IP space to be able to talk to each other.. There are some reasons where you might have to do it.
I am not seeing it at all in this scenario.. It sure is not a security anything to do it this way, if anything it reduces your overall security because your more complex setup makes for more likely mistakes that expose more than you desire.
@johnpoz there are plenty of reasons I'm doing this but that's not the subject (again, the simple fact I want to reproduce what I already have should be enough for you).
I guess I will have to find by myself or ask somewhere else.
At least with cisco I had plenty of different scenarii cases I can try (with plenty of errors I have to admit).
I've never been in front of such hostility on what I'm trying to implement.
@freyja No hostility. Asking why you're doing what you're doing isn't an attack. Maybe you're doing something unusual to get around some edge case we haven't seen before and we could learn from it. Either way you seem quite reluctant to explain what you're doing.
there are plenty of reasons I'm doing this
Like what, for instance?
In a lot of cases, people decide on a course of action that is either wrong or sub-optimal and they ask specific questions when they would be better off explaining what they want to accomplish and getting suggestions on the best way to do it with pfSense.
Anyway, you have been given your NAT solution. There is no automatic way to map every LAN client to a VIP on your DMZ and a NAT for that VIP. You will have to set them up one by one.
I was able to make the NAT work, it was a typo in the subnet mask of the interface (/32 instead of /24).
My inside devices are correctly natted into DMZ according to their LAN IP (i.e. 10.10.10.20 natted to 10.10.12.20).
However, it looks like I have an ARP problem, the netgate doesn't answer arp request for these IP except its own IP.
If I force the entry in ARP table of my server the flow is working perfectly.
Any idea ?
Here is a short extract of tcpdump on dmz interface of netgate:
11:56:35.832233 ARP, Request who-has 10.10.12.102 tell 10.10.12.1, length 46
11:56:35.896216 ARP, Request who-has 10.10.12.100 tell 10.10.12.1, length 46
11:56:35.896226 ARP, Request who-has 10.10.12.201 tell 10.10.12.1, length 46
11:56:36.339999 ARP, Request who-has 10.10.12.48 tell 10.10.12.1, length 46
11:56:36.877575 ARP, Request who-has 10.10.12.102 tell 10.10.12.1, length 46
As an addition, I think there were some misunderstanding somewhere.
I'm not using any VIP, I'm using only interface IP and I do not see anywhere how to configure ARP
I'm not using any VIP
Then why in the world would you think some interface would answer an arp request, when it doesn't have that IP on it..
If you want pfsense to answer arp for an IP that is not assigned to the interface - it needs a vip, if you want it to answer arp for every IP in a cidr then setup a proxy arp vip.
Where you could have an ISSUE - which I thought I went over with already. Is if you have pfsense arp for any IP in /X - if you have some device on the network with an IP. Which arp is your client looking for IP abc going to see first - the actual client, or pfsense vip?
@johnpoz oh ok.
I thought NAT 1:1 would have been enough.
So let me rephrase.
If I setup a NAT 1:1 for an IP like this :
- external (DMZ): 10.10.12.246
- internal (LAN): 10.10.10.246
I have also to setup a VIP (10.10.12.246) in DMZ for the firewall?
Am I right there?
No if pfsense dmz interface IP is 10.10.12.246 it would answer arp for its own address.. You need a vip when you want pfsense to answer arps for IPs that are not assigned to its own interface in that L2.
if you want pfsense to answer arp for 10.10.12.242 for example - then you would need a vip for that IP.
@johnpoz No, the firewall is on 10.10.12.254.
I get it now, completely missed that part for proxy-arp as cisco pix do it natively, I thought setting up the NAT would be enough.
And I do understand the concern now as it's not possible to setup a range for VIP.
I will make some test.
Thanks for the answer.
@johnpoz ok it works now that I added VIP for all the IP I need.
Thanks for helping.
Your welcome - still no point in doing this. It provides nothing but complexity, not any added security.
@johnpoz let's agree to disagree
@freyja You consistently refuse to say what you're doing despite being asked several times. You told me that there were "plenty of reasons" to do what you're doing, and when I asked you to name even one (because neither John nor I could think of even one case that makes sense), you ducked yet again. At this point I'm going to stop asking and just assume it's something illegal.