NAT with a subnet routed through another IP…



  • Hi!

    I am soon (should be tomorrow) switching ISP and I have decided to get myself a /29 subnet.

    There is a "twist" in how my ISP does that, however: all the traffic for the subnet is routed through another static IP which is not in that subnet.

    Single static IP: x.y.a.178
    /29: x.y.z.200 / 255.255.255.248

    I am told that, the way they implemented it, I could cheat and have 8 usable IPs (instead of the normal 6, where the first IP is used for the network and the last for broadcast), but I do not wish to do it that way, both because that's not the usual way to do it and because if they ever changed how they implemented the routing of their subnets I would end up with a broken config.

    The problem is I am not quite getting how I am supposed to set things up. The ethernet interface on the WAN side will have my single static IP, I guess, so how do I make it accept the other IPs and have them forwarded to the appropriate IPs on my LAN and on my DMZ?

    How do I also make sure that the traffic from all the IPs I haven't mapped to an (outside) IP in my subnet appears to come from one single IP in my subnet?

    I have been playing with port forwarding a single static IP to different IPs on my LAN and DMZ with my previous firewall/router (Linux distribution with Shorewall) without too many problems in the past, but adding that subnet and switching to a new firewall/router has complicated the situation somewhat…

    Thank you very much for your help!

    Nick



  • There are two ways to go at this:

    1: You "cheat".
    Basically you create Virtual IPs on the pfSense itself and then forward traffic from these VIPs to the servers behind the pfSense.
    The servers have private IPs.
    Like this you could "cheat" and use all the 8 IPs. I don't really see a problem with this with infrastructure changes in your ISP.

    2: You route.
    You add a new interface to the pfSense.
    Here you have the subnet x.y.z.200/29
    The subnet ID is x.y.z.200
    The usable IPs are x.y.z.201 - 206
    The broadcast IP is x.y.z.207
    You assign one of the usable IPs to the pfSense and use the rest of them on your servers.
    –> Your servers have public IPs.
    The gateway of your servers is the IP out of the same subnet which you assigned the pfSense.
    Essentially you can use only 5 of these IPs and not 6 since the pfSense uses one up to route.

    For solution 1 you just create the VIPs (I think you will have to use PARP here) and use these VIPs in your port forwards / 1:1 forwards.

    For solution 2 you need to enable advanced outbound NAT and make sure you don't have a NATing rule for your interface with the public IPs.
    Then create firewall rules that allow access from the WAN to your public subnet.
    It seems you don't need to enable AoN after all since the automatic NAT seems to not NAT public subnets:
    –> http://forum.pfsense.org/index.php/topic,18043.0.html

    IMO I would go with solution 1 unless you really need directly public IPs on your servers.



  • Hi GruensFroeschli!

    @GruensFroeschli:

    1: You "cheat".
    Basically you create Virtual IPs on the pfSense itself and then forward traffic from these VIPs to the servers behind the pfSense.
    The servers have private IPs.
    Like this you could "cheat" and use all the 8 IPs. I don't really see a problem with this with infrastructure changes in your ISP.

    What I want to achieve is essentially similar to the end result of that. I want to map the IPs of my subnet to PCs in my DMZ and LAN. Both the DMZ and LAN have IP addresses in private IP space…

    @GruensFroeschli:

    2: You route.
    You add a new interface to the pfSense.
    Here you have the subnet x.y.z.200/29
    The subnet ID is x.y.z.200
    The usable IPs are x.y.z.201 - 206
    The broadcast IP is x.y.z.207
    You assign one of the usable IPs to the pfSense and use the rest of them on your servers.
    –> Your servers have public IPs.
    The gateway of your servers is the IP out of the same subnet which you assigned the pfSense.
    Essentially you can use only 5 of these IPs and not 6 since the pfSense uses one up to route.

    I want to make sure I understand what you are suggesting…

    It sounds like you are suggesting that for my DMZ I use the IP addresses of my subnet instead of private IP space, am I right?

    @GruensFroeschli:

    For solution 1 you just create the VIPs (I think you will have to use PARP here) and use these VIPs in your port forwards / 1:1 forwards.

    I have tried this and I am somewhat puzzled…

    If I use port forwards (essentially what I used to do in the past with my single IP and previous firewall), I have control over which ports are forwarded and the rest are essentially firewalled (not accessible from the outside). I can also use aliases to make the job of maintaining these rules easier...

    If I use 1:1 NAT, it looks like I can't firewall any port (I must either put a firewall on the pc itself or stop the daemons/services that I don't need) and I can't use aliases...

    I guess if I use 1:1 NAT the outbound rule is probably done at the same time (if I forward a.b.c.d to 172.16.1.20 when 172.16.1.20 wants to contact the Internet the traffic probably seems to come from a.b.c.d) but I can't say I like what seems to be the all ports or nothing approach of 1:1 NAT...

    @GruensFroeschli:

    IMO I would go with solution 1 unless you really need directly public IPs on your servers.

    While searching on the web I found what seems to be an in-between solution… It looks like some people assign an IP address in the subnet to both the modem and the firewall (yes, this does use up more IP addresses) and let the modem handle the PPPoE connection but disable its firewall and NATing features… This seems interesting since it should probably let me easily access the web interface of the modem without problems and seems to mimic more closely the kind of setup I am used to at work…

    Thank you very much for your help!

    Nick



  • @Knight:

    It sounds like you are suggesting that for my DMZ I use the IP addresses of my subnet instead of private IP space, am I right?

    Yes.

    @Knight:

    I have tried this and I am somewhat puzzled…

    If I use port forwards (essentially what I used to do in the past with my single IP and previous firewall), I have control over which ports are forwarded and the rest are essentially firewalled (not accessible from the outside). I can also use aliases to make the job of maintaining these rules easier...

    You have to maintain 2 sets of rules.
    The NAT rules and the firewall rules.
    With the NAT rules you have fine control over which ports are forwarded to what.
    But just the NAT rules are not enough. You need to create firewall rules for each NAT rule as well to allow the traffic.
    When you create a new NAT rule there is a checkbox at the bottom "autocreate firewall rule", which is active by default.

    @Knight:

    If I use 1:1 NAT, it looks like I can't firewall any port (I must either put a firewall on the pc itself or stop the daemons/services that I don't need) and I can't use aliases…

    If you use 1:1 NAT this means the same as if you'd create a normal port forward: "forward anything from 0 to 65535 to server X".
    This doesn't mean that nothing is firewalled.
    You still have to create firewall rules for this 1:1 NAT.
    If you don't create a firewall rule allowing traffic, no traffic will flow.
    You don't need aliases for the port forward here.
    But you can still use aliases for the firewall rules.

    @Knight:

    I guess if I use 1:1 NAT the outbound rule is probably done at the same time (if I forward a.b.c.d to 172.16.1.20 when 172.16.1.20 wants to contact the Internet the traffic probably seems to come from a.b.c.d) but I can't say I like what seems to be the all ports or nothing approach of 1:1 NAT…

    Yes, if you use 1:1 NAT an outbound NAT rule will automatically be created.
    I personally don't use 1:1 since it seems to me kind of a "waste of ports".
    "all or nothing" is the concept of 1:1 NAT.
    You don't have to use it ;)

    If you use normal port forwards, you still might want outbound traffic from certain servers to leave via different VIPs.
    If you're not using 1:1 NAT, you have to create the outbound rules manually.
    Activate the "manual outbound" rules under "outbound".
    Below that you can then define rules for what will be NATed and how.
    The rule order here is important. (Top to bottom)
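    To make the "two sets of rules" point concrete, here is a pf.conf fragment in the classic nat/rdr/binat syntax that pfSense's pf uses (the same syntax as the `pfctl -sn` output later in this thread). It is an added example written for this thread, not configuration generated by pfSense or posted by either participant; pfSense writes equivalent rules itself from the GUI, so on a pfSense box you would inspect them with `pfctl -sn` and `pfctl -sr` rather than edit pf.conf by hand. The interface names (vr0, vr1, vr2), the documentation ranges 198.51.100.178 (standing in for x.y.a.178) and 203.0.113.200/29 (standing in for x.y.z.200/29), and the private hosts are all constructed placeholders.

```pf
# Added example: hand-written pf.conf (classic nat/rdr/binat syntax) for the
# "VIPs + port forwards" approach. Interfaces and addresses are constructed
# placeholders; pfSense generates rules like these from its GUI.
ext_if = "vr2"          # WAN, carries the single static IP (x.y.a.178 in the thread)
lan_if = "vr0"
dmz_if = "vr1"

# Routed /29 (x.y.z.200/29 in the thread). The ISP delivers it to the WAN IP,
# so nothing has to answer ARP for these addresses; they only appear as
# translation targets below.
vip_web   = "203.0.113.201"   # 1:1 NAT to the web server
vip_mail  = "203.0.113.202"   # selected ports forwarded to the mail server
vip_other = "203.0.113.206"   # everything not mapped leaves from here

web_srv  = "172.16.1.20"
mail_srv = "172.16.1.25"
lan_net  = "192.168.10.0/24"
dmz_net  = "172.16.1.0/24"

# ---- translation rules (listed by: pfctl -sn) --------------------------------
# binat is bidirectional: inbound to $vip_web is rewritten to $web_srv, and
# outbound from $web_srv gets $vip_web as its source. pf tries binat before
# nat for outbound packets, so $web_srv does not fall through to $vip_other.
binat on $ext_if from $web_srv to any -> $vip_web

# Port forward: only TCP 25 and 587 are redirected to the mail server. Any
# other port sent to $vip_mail is left untranslated and dropped by the filter.
rdr on $ext_if proto tcp from any to $vip_mail port { 25, 587 } -> $mail_srv

# Manual outbound NAT for every host without a mapping of its own.
# Translation rules are first-match, top to bottom.
nat on $ext_if from { $lan_net, $dmz_net } to any -> $vip_other

# ---- filter rules (listed by: pfctl -sr) -------------------------------------
# Translation alone moves no traffic: the filter sees the packet after
# translation and has to pass it explicitly.
block log all

# Firewall rule for the 1:1 NAT. Without it the binat entry exists but inbound
# connections to $vip_web are dropped. The destination is the post-translation
# (private) address, which is also how pfSense's GUI displays such a rule.
pass in quick on $ext_if proto tcp from any to $web_srv port { 80, 443 } keep state

# Firewall rule matching the rdr above (pfSense's "autocreate firewall rule").
pass in quick on $ext_if proto tcp from any to $mail_srv port { 25, 587 } keep state

# Let the inside networks out; the states created here cover the return traffic.
pass in quick on $lan_if from $lan_net to any keep state
pass in quick on $dmz_if from $dmz_net to any keep state
pass out quick on $ext_if keep state
```

    The two halves map onto the two GUI pages: the translation rules are what Firewall > NAT produces, the pass rules are what Firewall > Rules produces, and `pfctl -nf /etc/pf.conf` will syntax-check a hand-written file before it is loaded.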



  • Hi GruensFroeschli!

    @GruensFroeschli:

    It sounds like you are suggesting that for my DMZ I use the IP addresses of my subnet instead of private IP space, am I right?

    Yes.

    Thank you!

    @GruensFroeschli:

    You have to maintain 2 sets of rules.
    The NAT rules and the firewall rules.
    With the NAT rules you have fine control over which ports are forwarded to what.
    But just the NAT rules are not enough. You need to create firewall rules for each NAT rule as well to allow the traffic.

    O.k.

    @GruensFroeschli:

    When you create a new NAT rule there is a checkbox at the bottom "autocreate firewall rule", which is active by default.

    Only for the port forward rules it would seem… For 1:1 NAT since no port is specified it can't derive a firewall rule from the NAT rule and you have to do it manually...

    @GruensFroeschli:

    If you use 1:1 NAT this means the same as if you'd create a normal port forward: "forward anything from 0 to 65535 to server X".
    This doesn't mean that nothing is firewalled.
    You still have to create firewall rules for this 1:1 NAT.
    If you don't create a firewall rule allowing traffic, no traffic will flow.

    O.k. section 6.5 of the m0n0wall handbook we are referred to suggested otherwise (first paragraph…)...

    @GruensFroeschli:

    You don't need aliases for the port forward here.
    But you can still use aliases for the firewall rules.

    It would have been nice to have access to aliases for 1:1 NAT and for outbound NAT too, it would make maintaining the rules a lot simpler…

    @GruensFroeschli:

    Yes, if you use 1:1 NAT an outbound NAT rule will automatically be created.
    I personally don't use 1:1 since it seems to me kind of a "waste of ports".
    "all or nothing" is the concept of 1:1 NAT.
    You don't have to use it ;)

    As long as it doesn't open all ports it's not that bad…

    @GruensFroeschli:

    If you use normal port forwards, you still might want outbound traffic from certain servers to leave via different VIPs.

    Yep, that's exactly what I want to do…

    @GruensFroeschli:

    If you're not using 1:1 NAT, you have to create the outbound rules manually.
    Activate the "manual outbound" rules under "outbound".
    Below that you can then define rules for what will be NATed and how.

    I wish I could have used aliases there though… We can use aliases for the inbound stuff (when not using 1:1 NAT) but not for the outbound, so aliases are not as useful as they could be...

    @GruensFroeschli:

    The rule order here is important. (Top to bottom)

    Since we're talking of rule order, I have a question (not directly related to NAT though…).

    Let's say I want all the traffic that comes from my WIFI interface (it's a normal ethernet port though with an access point connected to it) to be able to talk to the Internet but not be able to talk to my LAN or DMZ... Do I have to make a rule to block traffic from that interface from going to the LAN, then block all the traffic from that interface to go to the DMZ and then make another rule to allow everything? Or is there a simpler way to do this?

    Thank you very much for your help, things are beginning to make a lot more sense now!

    Have a nice day!

    Nick



  • @Knight:

    @GruensFroeschli:

    If you use 1:1 NAT this means the same as if you'd create a normal port forward: "forward anything from 0 to 65535 to server X".
    This doesn't mean that nothing is firewalled.
    You still have to create firewall rules for this 1:1 NAT.
    If you don't create a firewall rule allowing traffic, no traffic will flow.

    O.k. section 6.5 of the m0n0wall handbook we are referred to suggested otherwise (first paragraph…)...

    Hummmmm…
    I don't actually use 1:1.
    The only time I used it, I figured you need a firewall rule or it won't work, so I created a firewall rule and it worked.
    I would have to set up something to test it.
    Or do you have something to test it quickly?

    I added a quick dummy 1:1 NAT on my system at home and looked at the output of
    pfctl -sn
    which shows the added entry of
    binat on vr2 inet from 10.0.8.15 to any -> 192.168.0.10
    (I 1:1 NAT from a dummy VIP on my WAN with the IP 192.168.0.10 to a dummy IP on my LAN 10.0.8.15)
    but with
    pfctl -sr
    I didn't get any rules which would allow traffic for the 192.168.0.10/10.0.8.15.
    So I assume it would get blocked.
    But still it's better to verify this first!

    @Knight:

    Since we're talking of rule order, I have a question (not directly related to NAT though…).

    Let's say I want all the traffic that comes from my WIFI interface (it's a normal ethernet port though with an access point connected to it) to be able to talk to the Internet but not be able to talk to my LAN or DMZ... Do I have to make a rule to block traffic from that interface from going to the LAN, then block all the traffic from that interface to go to the DMZ and then make another rule to allow everything? Or is there a simpler way to do this?

    Yes, you can make a rule blocking traffic "from WLAN, to LAN" and then a rule "allow everything". This would work.

    The more elegant solution is to make an alias containing all your local subnets, and then create a single "allow all" rule with as destination "!youralias"
    (this means: destination NOT content of your alias).

    Like this you're allowed to go everywhere except the content of the alias.
    Since there is a "block all" rule invisible below your own rules, everything else will be dropped.
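    The negated-alias rule above, written out as a pf.conf fragment so the mechanics are visible: this is an added example for this thread, not pfSense's generated configuration or anything posted by either participant. pfSense stores aliases as pf tables, so "!youralias" in the GUI becomes `! <youralias>` in pf syntax. The interface name (vr3) and every network are constructed placeholders, and the 203.0.113.200/29 entry stands in for the routed /29 (x.y.z.200/29) discussed earlier.

```pf
# Added example: isolating a WIFI segment with one negated-table rule.
# Interface and networks are constructed placeholders.
wlan_if  = "vr3"
wlan_net = "192.168.50.0/24"

# Every network WIFI clients must not reach: LAN, DMZ and the public /29.
# Inspect the live table with: pfctl -t local_nets -T show
table <local_nets> const { 192.168.10.0/24, 172.16.1.0/24, 203.0.113.200/29 }

# The invisible "block all" mentioned in the thread, made explicit. pf is
# last-match unless "quick" is given; pfSense adds quick to every GUI rule,
# which is why its rules behave first-match, top to bottom.
block log all

# Services the firewall itself provides to WIFI clients are passed first.
# DHCP does not match a "from $wlan_net" rule because the client sends from
# 0.0.0.0 to 255.255.255.255 (pfSense adds an equivalent rule on its own when
# its DHCP server is enabled on the interface). ($wlan_if) is the interface's
# own address, so DNS to the firewall keeps working whatever the table holds.
pass in quick on $wlan_if proto udp from any port 68 to any port 67 keep state
pass in quick on $wlan_if proto { udp, tcp } from $wlan_net to ($wlan_if) port 53 keep state

# One rule instead of a block per internal network: anything whose destination
# is NOT in the table is allowed out; everything else falls through to block all.
pass in quick on $wlan_if from $wlan_net to ! <local_nets> keep state
```

    Verifying the result is a matter of `pfctl -sr`, which lists the filter rules with the table reference intact, and `pfctl -t local_nets -T test 192.168.10.5`, which reports whether a given address falls inside the table (and therefore inside the blocked set).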



  • Hi GruensFroeschli!

    Things have been so crazy recently that I unfortunately did not have the chance to test it yet, I'll try to do it tonight…

    BTW, thank you very much for the suggestion for the alias that lists multiple subnets!

    Have a nice day!

    Nick



  • Hi GruensFroeschli!

    It looks like that PC has hardware problems (I'm hoping it's the hard drive) and that I'll need to reinstall…

    The web interface stopped responding for no reason and many of my logs seem to contain binary data which I'm pretty sure is probably not normal...

    I'll test 1:1 NAT as soon as everything is back to normal...

    Thank you!

    Nick

