NAT and traffic forwarding
-
I have an OOB management network with several devices in it whose logs I want to forward to a log collector via UDP. The log collector sits in the production network so it can upload the logs to our SIEM. The management network does not have internet access.
I'd like to set up a pfSense VM and multihome it on the management and production networks. I'd like to configure management network IPs on pfSense for each of the devices whose logs I want to collect, do a 1:1 NAT to production network IPs on the pfSense, and have pfSense send any traffic received on a management IP out the production IP to the log collector.
The tricky part (at least for me), is the management network devices only know the pfSense IP they're sending to, and pfSense needs a rule that "Any traffic on <management IP> forwards to <data collector IP>".
I'm hoping someone can point me in the right direction.
-
@zoltan Many missing details. Why can't the mgmt devices send directly to the log server on prod? Is there a common upstream router for both networks or do they have their own? If you do create a pfSense instance to route between mgmt and prod, why all the funny nat stuff? Does the log server only respond to traffic from its own network?
-
@kom There's no gateway between the management and production networks.
There is no upstream router for the management network. It's on its own hardware.
Why all the funny stuff? Because I only want traffic to flow from the devices in the management network to the log server in the prod network. I don't want traffic to be able to go anywhere else.
-
@zoltan I see. That is much clearer. You're trying to have it so that you don't need to make major network changes on all devices, I assume? Could you not just set up pfSense so that its WAN is on mgmt and LAN on prod, then create one simple port-forward from pfSense WAN to the log server? Or you could do it the other way around, where pfSense LAN is on mgmt and WAN on prod, and then use firewall rules to control access from mgmt to prod so that they can only talk to the log server.
-
@kom Exactly.
Apologies, but I grew up working with Cisco PIX and now ASA firewalls and know how to do what I want on those, so I'm still having to do a lot of translation in my head between them and pfSense.
On the ASA you can set security levels and traffic can always flow from a higher security level to a lower one. Does pfSense have security levels for the various interfaces?
-
@zoltan Nope.
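Added example, not posted by anyone in the thread: the pf-syntax equivalent of the "WAN on mgmt, LAN on prod, one port forward" design kom describes, with the 1:1 option zoltan asked about shown alongside it. pfSense is built on pf and generates rules of this shape from its GUI (Firewall > NAT > Port Forward for the rdr and its associated pass rule, Firewall > NAT > Outbound for the nat rule, Firewall > NAT > 1:1 for the binat rule). The interface names, subnets and addresses are assumptions for illustration only.

```pf
# Added example (not from the thread). Assumed names and addresses throughout.
mgmt_if = "vtnet0"                  # pfSense leg on the OOB management network
prod_if = "vtnet1"                  # pfSense leg on the production network
mgmt_devices = "{ 10.10.0.0/24 }"   # assumed OOB devices that send syslog
logsrv = "192.168.50.20"            # assumed log collector in production
syslog = "514"

# FreeBSD pf requires this section order: options, translation, then filtering.
set skip on lo0

# Translation: syslog sent to pfSense's own management-side address is
# redirected to the collector. NAT runs before filtering in pf, so the filter
# rules further down see the translated destination ($logsrv), not pfSense.
rdr on $mgmt_if inet proto udp from $mgmt_devices to ($mgmt_if) port $syslog -> $logsrv port $syslog

# Source-NAT the forwarded flow to pfSense's production address so the
# collector never needs a route back into the management subnet.
nat on $prod_if inet proto udp from $mgmt_devices to $logsrv port $syslog -> ($prod_if)

# Alternative to the nat rule above, closer to the 1:1 mapping in the question:
# one binat per device keeps each device distinguishable by source address on
# the production side. Use one or the other, not both.
# binat on $prod_if inet from 10.10.0.5 to $logsrv -> 192.168.50.105

# Filtering: default deny, logged. Nothing crosses between the two networks
# unless a pass rule below permits it; this is the pfSense stand-in for the
# ASA's security levels, which pf does not have.
block log all

# Permit only the translated syslog flow: management side in, production side out.
pass in quick on $mgmt_if inet proto udp from $mgmt_devices to $logsrv port $syslog keep state
pass out quick on $prod_if inet proto udp to $logsrv port $syslog keep state
```

Syntax-check a ruleset like this on any pf host with `pfctl -nf <file>` before loading it. On pfSense itself, enter the equivalent rules through the GUI rather than editing the generated ruleset, since pfSense rewrites it on every config change. Note that the pass rule matches the collector's address, not pfSense's, because the rdr has already rewritten the destination by the time filtering happens.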