First configuration : NAT

Freyja

@johnpoz I understand all of that... I shouldn't have to say it but I work in computer security for more than twenty years, so yeah I know all of that.

This is not my question, I would like to know if it's possible to do it or not?

Because I don't want to have to reconfigure anything and my reasons to obfuscate my lan stand because I don't like simplify the job for hackers. But really, why should I have to justify myself on something rather standard?

johnpoz

Sure you can nat to anything you want - you would just have to set it up... Just POINTLESS..

Not asking you to justify anything - just trying to understand why anyone would do such a thing.. Does nothing but over complex something that serves no purpose. And provides no extra anything from a security standpoint.

Freyja

@johnpoz please stop because it's going nowhere.

That's your opinion, not mine.
Simply the fact that I would not have to reconfigure everything should be enough for you.

I just want to know how to do it. If you don't want to help, fine, but please stop with what you are doing

KOM

@freyja I can't get it working either after playing with it for a few minutes. I wonder if this is another manifestation of the multi-wan NAT bug?

johnpoz

For this to work - the IPs that would be natted would have to exist on pfsense interface - so @KOM you setup vips in this 10.1.10 network on pfsense?

If you have a network 10.1.10 as lan, and 10.1.12 as dmz

And you want to hit 10.1.10.X and get natted 1:1 to dmz that .X would have to be an IP on pfsense lan interface. Or why would the traffic ever get sent to pfsense to get natted and sent to its 1:1 match up in 10.1.12

Here - I setup a vip on my lan 192.168.9.32, setup a 1:1 nat to 192.168.3.32 (my dmz vlan)

Now I ping 192.168.9.32 from client on my lan 192.168.9.100, it gets answers. And via the sniff done on pfsense dmz interface you can see the traffic was sent and answered by 192.168.3.32

Now if this has something to do with the multi wan nat issue - but seems to be working as expected on 21.02.2

This sort of setup just doesn't make any sense from any way you look at.. Be it you hide the actual IP from lan or not - the access is still there..

KOM

@johnpoz Sure did. When I couldn't get it going, I double-checked the docs at

https://docs.netgate.com/pfsense/en/latest/nat/1-1.html

In my KVM lab, I created my VIP on my DMZ, then a 1:1 NAT to a Mint box on LAN. Server on DMZ could not ping the VIP successfully. Now I also have block rules on DMZ to prevent traffic to LAN, but I assumed the NAT would bypass that. Perhaps I'm wrong?

johnpoz

Do you have rule that prevents access to your vip?

KOM

@johnpoz The DMZ, VIP and ubuntu server are all on the same subnet so rules shouldn't matter, but no I don't have anything specific to that VIP.

Block to VLAN20 net
Block to LAN net
Allow DMZ to Any

and that's it.

johnpoz

So you still need a rule that allows the nat.. Here I just blocked access on lan to 192.168.3.32

And if try and ping 192.168.9.32 it fails.

KOM

@johnpoz I added an Allow rule on DMZ for my VIP and it still doesn't work.

Do me a favour and recreate your test going the other way, DMZ to LAN instead of LAN to DMZ? My tiny brain is spinning trying to keep my lab setup, your config and his config all straight.

Meanwhile it's lunchtime. Back in a few.

johnpoz

Ok flipped it - doesn't matter

Put the vip on the dmz interface, setup the 1:1 nat on the dmz interface, created a firewall rule to allow that access to the 9.100 IP..

Works just fine..

For my next trick - I will go wash my car in the rain.. Then water my lawn.. Same sort of nonsense as doing this sort of thing.

KOM

@johnpoz OK I got it working. I had my allow rule pointing to my VIP instead of the LAN address I was natting to.

johnpoz

Yeah the nat rule is evaluated before the firewall rule - but the actual traffic has to be allowed for it to work.. Just like any normal port forward..

KOM

@johnpoz I know all of that which makes it extra-stupid on my part.

Freyja

Hi both, thanks for your investigations.

However, it's not a single IP I would like to nat 1:1 but a whole network.

If you need screens, I'll post them this afternoon.

johnpoz

And how would you do that when some IPs on the network you want to nat are on device on that L2..

If you have 10.1.10 on A, and 10.1.12 on B you can not 1:1 nat either of those for a whole network.. You would need a 3rd network. Say 10.1.11

Freyja

@johnpoz why that ?

Of course I would not NAT the server IP.
Honestly, it's working with the Pix and it's bugging me it's not working with pfSense/Netgate :(

Should I make a NAT exception for the Server IP and the pfSense IP (if possible)?

johnpoz

You can't have the same IP in 2 places. if you have device 10.1.10.x on a device in A, how can you also say 10.1.10.x nats to 10.1.12.x

In my example, I don't have a 192.168.9.32 device, nor do I have a 192.168.3.100 device

Freyja

@johnpoz I don't have such device, the only concern is how pfsense is handling arp, does it create a nat only when a device goes through the netgate or does it make a reservation for the whole network ?

Basically if internall I don't have a 10.10.12.1 device, i will not have any problem reaching the server in DMZ, of course if I have a 10.10.10.1 device and try to reach 10.10.12.1 from it, it wont work but that's not what I have.

So should I configure a /24 1:1 NAT (with eventually a NAT exclusion if necessary and possible) or should I break it down in smaller subnets (/25, etc)? Better option: can we nat an IP range instead of a subnet?

johnpoz

If you create vip in a range.. It will answer arp for any of those IPs.. The only way to create such a range is via the proxy arp vip.

This can be problematic if you have a host in that actual range. On which device answers the arp first, or at all..

Like I said your complicating the design of the network - for no real added security at all. More complex leads to greater chance of issues, greater chance of configuration mistakes..

There is really no reason to nat rfc1918 to rfc1918.. I could see doing it if you were trying to get a device without a gateway to talk to something else in another vlan.. If you needed vlans that are on the same IP space to be able to talk to each other.. There are some reasons where you might have to do it.

I am not seeing it at all in this scenario.. It sure is not a security anything to do it this way, if anything it reduces your overall security because your more complex setup makes for more likely mistakes that expose more than you desire.

Freyja

@johnpoz there are plenty of reasons I'm doing this but that's not the subject (again, the simple fact I want to reproduce what I already have should be enough for you).

I guess I will have to find by myself or ask somewhere else.

At least with cisco I had plenty of different scenarii cases I can try (with plenty of errors I have to admit).

I've never been in front of such hostility on what I'm trying to implement.

KOM

@freyja No hostility. Asking why you're doing what you're doing isn't an attack. Maybe you're doing something unusual to get around some edge case we haven't seen before and we could learn from it. Either way you seem quite reluctant to explain what you're doing.

there are plenty of reasons I'm doing this

Like what, for instance?

In a lot of cases, people decide on a course of action that is either wrong or sub-optimal and they ask specific questions when they would be better off explaining what they want to accomplish and getting suggestions on the best way to do it with pfSense.

Anyway, you have been given your NAT solution. There is no automatic way to map every LAN client to a VIP on your DMZ and a NAT for that VIP. You will have to set them up one by one.

Freyja

Hi,

I was able to make the NAT work, it was a typo in the subnet mask of the interface (/32 instead of /24).
My inside devices are correctly natted into DMZ according to their LAN IP (i.e. 10.10.10.20 natted to 10.10.12.20).

However, it looks like I have an ARP problem, the netgate doesn't answer arp request for these IP except its own IP.
If I force the entry in ARP table of my server the flow is working perfectly.
Any idea ?

Freyja

Here is a short extract of tcpdump on dmz interface of netgate:
11:56:35.832233 ARP, Request who-has 10.10.12.102 tell 10.10.12.1, length 46
11:56:35.896216 ARP, Request who-has 10.10.12.100 tell 10.10.12.1, length 46
11:56:35.896226 ARP, Request who-has 10.10.12.201 tell 10.10.12.1, length 46
11:56:36.339999 ARP, Request who-has 10.10.12.48 tell 10.10.12.1, length 46
11:56:36.877575 ARP, Request who-has 10.10.12.102 tell 10.10.12.1, length 46

Freyja

As an addition, I think there were some misunderstanding somewhere.
I'm not using any VIP, I'm using only interface IP and I do not see anywhere how to configure ARP

johnpoz

@freyja said in First configuration : NAT:

I'm not using any VIP

Then why in the world would you think some interface would answer an arp request, when it doesn't have that IP on it..

If you want pfsense to answer arp for an IP that is not assigned to the interface - it needs a vip, if you want it to answer arp for every IP in a cidr then setup a proxy arp vip.

https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-addresses.html#proxy-arp

Where you could have an ISSUE - which I thought I went over with already. Is if you have pfsense arp for any IP in /X - if you have some device on the network with an IP. Which arp is your client looking for IP abc going to see first - the actual client, or pfsense vip?

Freyja

@johnpoz oh ok.

I thought NAT 1:1 would have been enough.

So let me rephrase.
If I setup a NAT 1:1 for an IP like this :

• external (DMZ): 10.10.12.246
• internal (LAN): 10.10.10.246

I have also to setup a VIP (10.10.12.246) in DMZ for the firewall?

Am I right there?

johnpoz

No if pfsense dmz interface IP is 10.10.12.246 it would answer arp for its own address.. You need a vip when you want pfsense to answer arps for IPs that are not assigned to its own interface in that L2.

if you want pfsense to answer arp for 10.10.12.242 for example - then you would need a vip for that IP.

Freyja

@johnpoz No, the firewall is on 10.10.12.254.
I get it now, completely missed that part for proxy-arp as cisco pix do it natively, I thought setting up the NAT would be enough.
And I do understand the concern now as it's not possible to setup a range for VIP.
I will make some test.

Thanks for the answer.

Freyja

@johnpoz ok it works now that I added VIP for all the IP I need.
Thanks for helping.

johnpoz

Your welcome - still no point in doing this. It provides nothing but complexity, not any added security.

Freyja

@johnpoz let's agree to disagree

KOM

@freyja You consistently refuse to say what you're doing despite being asked several times. You told me that there were "plenty of reasons" to do what you're doing, and when I asked you to name even one (because neither John nor I could think of even one case that makes sense), you ducked yet again. At this point I'm going to stop asking and just assume it's something illegal.

Freyja

@kom you're kidding right?

I said from the beginning that I wanted to replicate the configuration I had with my pix as the netgate act a replacement.

All my configuration is based on that and despite the fact you disagree, I want to mask my internal network for things such honeypot for example.

It's not because you do not understand the usefulness of what I want it's illegal.

And such a supposition is quite surprising.

I said what I wanted to do, you just don't listen.

1- reproduce what I had before just not to have to reconfigure everything
2- mask my internal network because I don't want people to be aware of it.

But still you're pushing over and over because it sounds overcomplicated for you but at the very end it's my problem if it's overcomplicated, right?

I've never seen such aggressive people about simple tech questions, really I don't understand what you are trying to do there.

I've started eluding your queries because I had answered them and didn't want to go in an argument fight and having to justify my setup.

You make me feel I want to pack back my netgate and return it.

I've worked with Cisco, Nokia, McAfee, checkpoint firewall and never seen such agresisvity from a tech community.

I'm starting feeling your are acting like that because you've seen I'm a girl and think I don't know what I'm doing.
Don't make me think it's just a misogynistic behavior.

That's said, I'm not doing anything illegal, i just wanted to reproduce my Pix configuration to simplify my life and don't have to reconfigure every service I'm using and that's all.

Regards.

KOM

@freyja

I said from the beginning that I wanted to replicate the configuration I had with my pix as the netgate act a replacement.

That isn't an explanation for the reasoning behind the method. I understood you wanted to make it the same as what you had before. That's not hard to understand. The question was 'why do you want it that way?' What problem does this solve? That's all.

All my configuration is based on that and despite the fact you disagree, I want to mask my internal network for things such honeypot for example.

I don't necessarily disagree when I don't know all the details. That's why I was asking. You said earlier that you wanted to mask your network but I didn't understand the context nor did John. Usually a DMZ is completely isolated from LAN which is its entire point, and any required access is strictly controlled via rules. It's unusual to have a DMZ that needs to talk to LAN so much.

It's not because you do not understand the usefulness of what I want it's illegal.

I'll definitely admit that I don't see the usefulness of what you're doing.

And such a supposition is quite surprising.
I said what I wanted to do, you just don't listen.

No, you said things like 'mask my network' and 'several reasons' but you never actually gave any specifics. Two of us were confused so you weren't as clear as you think.

1- reproduce what I had before just not to have to reconfigure everything
2- mask my internal network because I don't want people to be aware of it.

Got it. I don't know how that would help you though. Yes, I understand that you are going to keep it this way and I have no problem with that. I'm just curious. How would people who interact with your DMZ be aware of what's on your LAN? Someone who cracks one of your DMZ servers will see what it's talking to and try to exploit that regardless of its DMZ vs LAN IP address.

But still you're pushing over and over because it sounds overcomplicated for you but at the very end it's my problem if it's overcomplicated, right?

It doesn't sound overcomplicated. It sounded like it didn't make any sense. I was asking for details because I thought I was missing something.

I've never seen such aggressive people about simple tech questions, really I don't understand what you are trying to do there.

Every single day here, new users decide to do something using an incorrect or sub-optimal method and then they ask specific questions in order to reach their bad end instead of asking for the best way to do something using pfSense. I thought that is what you were doing so I asked questions trying to determine what problem you needed to solve.

I've started eluding your queries because I had answered them and didn't want to go in an argument fight and having to justify my setup.
You make me feel I want to pack back my netgate and return it.

This has nothing to do with Netgate.

I've worked with Cisco, Nokia, McAfee, checkpoint firewall and never seen such agresisvity from a tech community.
I'm starting feeling your are acting like that because you've seen I'm a girl and think I don't know what I'm doing.
Don't make me think it's just a misogynistic behavior.

How would I know you're a woman, and why would that matter?? My entire knowledge of you is from this one thread.

That's said, I'm not doing anything illegal, i just wanted to reproduce my Pix configuration to simplify my life and don't have to reconfigure every service I'm using and that's all.

Understood. Thank you for making it clearer for me. I think this has been one big misunderstanding and I will not trouble you again.