Netgate Discussion Forum
NAT within LAN issue

General pfSense Questions (tag: nat) | 6 Posts 2 Posters 984 Views
  • sh1212
    Jul 26, 2021, 9:12 AM

    I'm having an issue that I can't seem to get resolved resulting in SSH timeouts.

    I have a rule in DNS Resolver that converts all *.local.domain.name to a virtual IP 192.163.1.253. HAProxy is used to direct to the correct internal server for ports 443 and 80 based on subdomain. This is all working perfectly.

    On one of my servers on the LAN I'm wanting to run a git server with SSH access. I've set up a NAT rule on LAN that redirects virtual IP:22 to (git server IP):(git ssh port). I even have a firewall rule for PASS IP any, Port any to git server IP:git ssh port to log traffic.

    If I

    ssh git-server-ip -p git-server-port

    it attempts to connect (but oddly I see nothing logged by the firewall rule)

    If I

    ssh internal-domain-for-virtual-ip

    then it just says connection timed out, but in the firewall log I can see traffic from my local host to the expected ip/port.

    Where am I going wrong? Is there a better way to be doing this than with a NAT rule?

    • johnpoz LAYER 8 Global Moderator @sh1212
      Jul 26, 2021, 11:50 AM

      @sh1212 said in NAT within LAN issue:

      ssh git-server-ip -p git-server-port
      it attempts to connect (but oddly I see nothing logged by the firewall rule)

      Why would you think that would hit pfSense? Traffic on the same LAN doesn't talk to pfSense.

      Is there a better way to be doing this than with a NAT rule?

      Why are you trying to use NAT reflection internally? Just hit whatever you want to hit by its actual IP; set your local DNS to resolve the actual IP.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07 | Lab VMs 2.8, 25.07

      • sh1212 @johnpoz
        Jul 26, 2021, 3:45 PM

        @johnpoz said in NAT within LAN issue:

        Why are you trying to use NAT reflection internally? Just hit whatever you want to hit by its actual IP; set your local DNS to resolve the actual IP.

        I have a variety of sites that are publicly accessible via mydomain.com. These work by NAT from WAN to the virtual IP, which is then redirected by HAProxy. All of these work off the same LetsEncrypt certificate. As I own this domain and its cert was being verified by LetsEncrypt, it was trivial to have valid HTTPS within my own internal LAN using *.local.mydomain.com (no need to trust self-signed certs, a CA, etc. It just works). The only issue is the lack of SSH using the same domain name.

        Since the traffic via the virtual IP was getting logged by the firewall, it seemed odd to me that the other traffic wasn't, but that makes perfect sense as to why it wouldn't be. Thank you.

        • johnpoz LAYER 8 Global Moderator @sh1212
          Jul 26, 2021, 3:51 PM (last edited by johnpoz Jul 26, 2021, 4:01 PM)

          I have never tried bouncing SSH off HAProxy, but you should be able to do it. A quick Google finds this:

          https://www.haproxy.com/blog/route-ssh-connections-with-haproxy/

          But it looks like you need to use the approach where "All solutions rely on the ssh command's ProxyCommand field".

          It would probably be easier, when you want to SSH to the box, to use the local IP or just a different FQDN for SSH that points to the local IP, since there is little need for any ACME cert to be leveraged with an SSH connection.

          hostname.differentlocaldomain.tld, maybe something like hostname.ssh.lan

          • sh1212 @johnpoz
            Jul 26, 2021, 4:56 PM

            Man, do I feel dumb. I had already tried using HAProxy too, but was using ACLs to choose the correct backend. I changed it to just using a default backend and now it is working as expected.

            One issue that I can't get to resolve correctly is that I can't use any ACLs based on subdomain with TCP mode. This simply means that it is currently set up so that any requests to *.internal.mydomain.com:22 get routed to the git server. This isn't a huge issue for me since this is for internal use only and I don't have any other cases where this is needed (normally I'd just SSH via hostname).

            Thanks @johnpoz for pointing me in a direction to find a solution that works for me.

            For future reference to any that need to do this:

            Frontend: git_ssh_fe
            Listens on virtual IP, port 22
            Type: tcp
            ACL/Actions - none
            Default backend: git_ssh_be

            Backend: git_ssh_be
            Server list points to ip:port of internal git server

            • johnpoz LAYER 8 Global Moderator @sh1212
              Jul 26, 2021, 5:02 PM
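            The same frontend/backend written out as a haproxy.cfg fragment, as an added example that is not sh1212's actual pfSense package config. The addresses, ports and LAN prefix are constructed placeholders, and the source-address restriction is an assumption added because the thread describes this listener as internal-only.

```haproxy
# Added example: haproxy.cfg equivalent of the pfSense HAProxy settings
# described in the thread (frontend git_ssh_fe -> backend git_ssh_be).
# All IPs and ports below are constructed placeholders.
global
    log stdout format raw local0

defaults
    log     global
    timeout connect 5s
    timeout client  1h   # SSH sessions are long-lived; keep idle time generous
    timeout server  1h

frontend git_ssh_fe
    # Virtual IP and port 22. SSH carries no hostname (no SNI), so in tcp mode
    # there is nothing to write a subdomain ACL on: every connection to this
    # bind goes to the default backend, exactly as the thread observes.
    bind 192.0.2.253:22
    mode tcp
    option tcplog
    # Assumed hardening (not in the thread): only accept LAN sources, since
    # the listener is meant for internal use only. Adjust to your LAN prefix.
    acl from_lan src 192.0.2.0/24
    tcp-request connection reject if !from_lan
    default_backend git_ssh_be

backend git_ssh_be
    mode tcp
    # Internal git server's SSH listener (constructed address and port)
    server git1 192.0.2.10:2222 check
```

            Note that HAProxy itself does not log the forwarded SSH traffic as the firewall rule in the first post did; the tcplog line records one entry per proxied connection instead.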

              My understanding from the skim I did of that article linked to is that you could send it to different servers based on name, but you need to use ProxyCommand from your SSH client, which seems like more work than just using a different local domain or IP ;) and not bouncing off the proxy.

              That could come in handy if all your clients that wanted to talk to different SSH servers were outside your network, vs doing a reflection connection from the local network.
