Inter-VLAN ping problem with NAT
-
Hello,
I have a technical problem. I have two VLANs (A and B, for example). My computer on VLAN A tries to ping my computer on VLAN B through the public IP. The latter is NATed directly on the firewall.
In the firewall WAN interface rules, I allow anybody to ping my servers. So it should work, but it doesn't.
I did a network analysis, and I saw that my server on network A doesn't use its public IP for the ping, so the WAN rules are not used. Instead it uses its private IP (because, I think, the firewall has the public IP and the private IPs, so the flow doesn't go outside and stays on the firewall). And it doesn't work because I refuse all inter-VLAN communication.
How can I force my server on VLAN A (or another VLAN) to use the public IP when I try to ping a public IP on the firewall? For information, I have activated:
- Automatic creation of additional NAT redirect rules from within the internal networks.
- Automatic create outbound NAT rules that direct traffic back out to the same subnet it originated from.
The pfSense version is 2.5.2.
Thanks in advance for the help.
Best regards -
@yguerchet
Hello,
Are you talking about IPv6, or do you have port forwarding for IPv4 ICMP active? Why would you want to NOT allow inter-VLAN traffic for ICMP but instead send your traffic all the way outside and have a port-forwarding hole through your NAT? Without further explanation it seems a bit laborious...
Or maybe I just don't get it right (not a native English speaker, sorry).
-
@the-other I'm talking about IPv4. I ping a public IPv4 address. I don't use/have IPv6 on my network.
Yes, I agree with you, and I would use this technique if I can't do it my way. But I've already managed to do it and I don't know how. -
@yguerchet Normally you don't NAT between VLANs. Whatever you are doing, you have to describe it in much more detail, maybe with some pictures.
-
@bob-dig Hello, yes of course I can give you a diagram (with fake IPs, because it's confidential).
- Communication between VLAN1 and VLAN2 is refused.
- Communication from outside, from any port and IP, to 208.123.73.70 on ports 80 and 443 is allowed.
I try to ping toto.fr (208.123.73.70) from Virtual Machine 1. But it doesn't work, because my Virtual Machine 1 doesn't use the WAN address of pfSense (208.123.73.69) but uses inter-VLAN routing. So it doesn't work because inter-VLAN communication is refused.
I'm trying to make it so that when a virtual machine in my network tries to access a public IP hosted by pfSense, this virtual machine (in my situation Virtual Machine 1) uses the public IP 208.123.73.69 (or something else, depending on the outbound NAT).
In the outbound NAT I use automatic rules, so the network 192.168.2.0/24 uses the public IP 208.123.73.69. I hope the explanation is clearer.
-
@yguerchet If you're trying to bounce off your WAN IP to get redirected into some other machine on your LAN-side networks, you would need to set up NAT reflection.
Or just resolve whatever FQDN you want to use to access VM2 to its local 192.168.1.2 address.
-
@johnpoz Hello, thanks for your reply.
NAT reflection is enabled:
The second solution you suggest won't work, because that's what's happening right now. When I look at the logs, when my machine pings toto.fr, the network flow is 192.168.2.2 -> 192.168.1.2.
And I need it to be 208.123.73.69 (outbound NAT of 192.168.2.2) -> 208.123.73.70 (inbound NAT of 192.168.1.2). -
@yguerchet said in Inter-VLAN ping problem with NAT:
when my machine pings toto.fr, the network flow is 192.168.2.2 -> 192.168.1.2.
Well, if it's resolving to your local IP, then NAT reflection would not work, no, be it enabled or not.
And I need it to be 208.123.73.69 (outbound NAT of 192.168.2.2) -> 208.123.73.70 (inbound NAT of 192.168.1.2).
So you want, when VM1 goes to toto.fr, it hits your WAN IP .69 and looks like it's coming from .70?
For what possible reason? That makes ZERO sense to do. What does that get you? Why would you want to do such a thing, when you could just directly access 1.2 or 2.2 from the other box, also on your LAN-side networks? Just at a loss as to why anyone would want to do such a thing.
-
@johnpoz said in Inter-VLAN ping problem with NAT:
Well, if it's resolving to your local IP, then NAT reflection would not work, no, be it enabled or not.
I did not set up a local resolution for toto.fr; the reflection does not work when it is activated.
@johnpoz said in Inter-VLAN ping problem with NAT:
So you want, when VM1 goes to toto.fr, it hits your WAN IP .69 and looks like it's coming from .70?
It's the opposite, but yes.
@johnpoz said in Inter-VLAN ping problem with NAT:
For what possible reason? That makes ZERO sense to do. What does that get you? Why would you want to do such a thing, when you could just directly access 1.2 or 2.2 from the other box, also on your LAN-side networks? Just at a loss as to why anyone would want to do such a thing.
I need to do this because inter-VLAN communication must not take place, for security reasons. And it's easier to do it that way, I think. But if this is not possible, I will modify my firewall rules.
-
@yguerchet said in Inter-VLAN ping problem with NAT:
because inter-VLAN communication must not take place, for security reasons
But you are allowing it, just via some roundabout way. I really don't think you could do what you're asking, especially when .69 and .70 reside on the same actual interface. If they were on different interfaces, then you could maybe make it happen. But if .69 and .70 are on the same physical interface, no, I don't think you can do it.
Just open a pinhole firewall rule so that 1.2 can talk to 2.2, or vice versa, on the port(s) you want to access.
This is done all the time, when something in a DMZ segment, for example, needs to pull data from a DB server or something else that does not reside in the DMZ segment.
Look at it this way as well: if you have some device in your DMZ, and it is open to the public, why would you not allow your LAN to talk to it directly through the firewall's local network interfaces? Doing some oddball routing out and then back in sure doesn't change any security. But it sure makes it a cluster, and such a cluster sure makes it more likely for some security issue to be overlooked. Nothing says that you have to open all traffic to and from these segments, just the traffic that is required for you to do what you're trying to do.
-
@johnpoz Hello, thanks for your response. I didn't know I can't do that if the WAN address is on the same interface. For information, .70 is a virtual IP on .69, so it is on the same interface.
I have just one question: what is the goal of NAT reflection? Does it only work if the WAN addresses are not on the same interface? Thank you for your advice, have a good day.
-
@yguerchet said in Inter-VLAN ping problem with NAT:
what is the goal of NAT reflection
NAT reflection can be done on a VIP. But I don't think you could make it work going to public .70 and making it look like it came from public .69.
But you should be able to hit public .70 directly and be reflected. Or .69 and be reflected; you just have to set it up. And again, if your FQDN doesn't actually resolve to the .69 or .70, then how could it be reflected? You stated you are resolving to the local IP.
when my machine pings toto.fr, the network flow is 192.168.2.2 -> 192.168.1.2.
-
@johnpoz said in Inter-VLAN ping problem with NAT:
But you should be able to hit public .70 directly and be reflected. Or .69 and be reflected; you just have to set it up. And again, if your FQDN doesn't actually resolve to the .69 or .70, then how could it be reflected? You stated you are resolving to the local IP.
No, I'm not resolving to the local IP. When I type: ping toto.fr, I see in the console
PING toto.fr (208.123.73.70) 56(84) bytes of data.
So the IP is correctly resolved, but I don't understand why, when I look at the network flow with tcpdump or the firewall logs, I see a ping through the private IP. And I don't understand why.
-
@yguerchet said in Inter-VLAN ping problem with NAT:
I see a ping through the private IP. And I don't understand why.
That sure as hell isn't happening. There is no freaking way you resolved some FQDN from your ping command to a public IP and it sent it to an RFC1918 address.
Please provide your sniff of you doing your ping from your client.
Sorry, it just doesn't work that way, it doesn't. If you resolved some FQDN to IP address 1.2.3.4, the machine would send traffic to 1.2.3.4, not 5.6.7.8.
Maybe you were looking at the reflection, if you're not doing NAT+Proxy mode.
-
@johnpoz I can give you screenshots from multiple tcpdumps on different interfaces as soon as possible :)
Thanks for your help -
@yguerchet Read my edit; sorry, it's just not possible... So yeah, I'd love to see this sniff of the traffic from the client sending the ping. What you say is just not possible.
What you're probably seeing is the reflection: if you sniff on the server you're trying to ping, then yeah, it's going to show the source IP, if you're not doing NAT+Proxy...
Again, you're doing this the HARD freaking way!! Why? For some misguided understanding of security concepts. You're allowing the traffic!! Reflecting it is no more secure than just directly allowing what you want in the first place. If you want A to talk to B, then allow A to talk to B on port X, etc. Reflecting it sure as hell doesn't make it any more secure.
-
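The exchange above turns on where NAT happens: destination NAT (pf `rdr`) is applied on the ingress interface before the filter rules run, and source NAT is applied on the egress interface, so a reflected packet that never leaves via WAN keeps its private source. The following is an added worked model of that packet path using the thread's fake addresses; it is not code from the thread, from pfSense or from pf, and the firewall interface addresses (192.168.1.1, 192.168.2.1), the ICMP forward on the VIP and the "allow VLAN net to any" default rule are assumptions. It shows why a sniff on VLAN1 reports 192.168.2.2 -> 192.168.1.2 although the client resolved toto.fr to 208.123.73.70, why that flow then hits the inter-VLAN block, and why no mode of reflection yields the 208.123.73.69 -> 208.123.73.70 flow the original poster wanted.

```python
"""Added example, not code from the forum thread, pfSense or pf.

Model of how a pf-based firewall treats a client sending traffic to the
firewall's own public IP. Constructed topology from the thread's description:
  WAN:   208.123.73.69 (interface), 208.123.73.70 (VIP with a port forward)
  VLAN1: 192.168.1.0/24, firewall 192.168.1.1 (assumed), server 192.168.1.2
  VLAN2: 192.168.2.0/24, firewall 192.168.2.1 (assumed), client 192.168.2.2
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

WAN_IP = "208.123.73.69"
VIP = "208.123.73.70"
SERVER = "192.168.1.2"
VLANS = {"VLAN1": ip_network("192.168.1.0/24"), "VLAN2": ip_network("192.168.2.0/24")}
FW_ADDR = {"VLAN1": "192.168.1.1", "VLAN2": "192.168.2.1"}  # assumed gateway addresses

# Port forwards on the VIP: 80/443 as in the thread, plus ICMP (assumption, so a
# ping to .70 has something to be forwarded to). Tuple: proto, dport, public, private.
PORT_FORWARDS = [("tcp", 80, VIP, SERVER), ("tcp", 443, VIP, SERVER), ("icmp", None, VIP, SERVER)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp" or "icmp"
    dport: Optional[int] = None  # None for ICMP


def interface_for(addr: str) -> str:
    """Interface an address lives behind; "self" means the firewall itself."""
    if addr in (WAN_IP, VIP) or addr in FW_ADDR.values():
        return "self"
    a = ip_address(addr)
    for name, net in VLANS.items():
        if a in net:
            return name
    return "WAN"


def apply_rdr(pkt: Packet, ingress: str, reflection: str) -> Packet:
    """Destination NAT (pf 'rdr'), done on the ingress interface. The port
    forward is bound to WAN; NAT reflection repeats it on internal interfaces.
    Only the destination is rewritten: the source stays the real client."""
    if ingress != "WAN":
        if reflection == "disabled":
            return pkt
        if reflection == "nat+proxy" and pkt.proto != "tcp":
            raise ValueError("NAT+Proxy reflection is modelled for TCP only")
    for proto, port, public, private in PORT_FORWARDS:
        if (pkt.proto, pkt.dport, pkt.dst) == (proto, port, public):
            return replace(pkt, dst=private)
    return pkt


def apply_source_nat(pkt: Packet, egress: str, reflection: str) -> Packet:
    """Source NAT, done on the egress interface. Outbound NAT to .69 only
    applies when the packet really leaves via WAN; a reflected packet egresses
    on VLAN1, so it never gets the .69 source. NAT+Proxy terminates the client
    on the firewall and re-originates the TCP connection from the firewall's
    address on the server's VLAN."""
    if egress == "WAN":
        return replace(pkt, src=WAN_IP)
    if reflection == "nat+proxy" and pkt.proto == "tcp" and egress in FW_ADDR:
        return replace(pkt, src=FW_ADDR[egress])
    return pkt


def filter_allows(pkt: Packet, ingress: str, egress: str, reflection: str, pinholes) -> bool:
    """Filter rules run on the ingress interface after rdr, so an inter-VLAN
    block rule sees the translated private destination, not the public VIP."""
    if ingress == "WAN":  # the port forward's associated rule matches the private target
        return any(pkt.dst == priv and (pkt.proto, pkt.dport) == (p, port)
                   for p, port, _, priv in PORT_FORWARDS)
    if egress in ("WAN", "self"):
        return True  # assumed "allow VLAN net to any" rule
    if reflection == "nat+proxy" and pkt.proto == "tcp":
        return True  # client leg ends on the firewall; the server leg starts from the firewall
    return (pkt.src, pkt.dst, pkt.proto, pkt.dport) in pinholes  # all other inter-VLAN traffic blocked


def trace(pkt: Packet, reflection: str = "pure", pinholes=frozenset()) -> dict:
    """Walk one packet through rdr, egress lookup, source NAT and the filter."""
    ingress = interface_for(pkt.src)
    after_rdr = apply_rdr(pkt, ingress, reflection)
    egress = interface_for(after_rdr.dst)
    on_wire = apply_source_nat(after_rdr, egress, reflection)
    verdict = "pass" if filter_allows(after_rdr, ingress, egress, reflection, pinholes) else "block"
    return {"ingress": ingress, "egress": egress, "on_wire": on_wire, "verdict": verdict}


if __name__ == "__main__":
    ping = Packet("192.168.2.2", VIP, "icmp")
    for mode in ("disabled", "pure"):
        print(mode, trace(ping, mode))
    print("pinhole", trace(ping, "pure", {("192.168.2.2", SERVER, "icmp", None)}))
    print("nat+proxy", trace(Packet("192.168.2.2", VIP, "tcp", 443), "nat+proxy"))
    print("from internet", trace(Packet("203.0.113.5", VIP, "tcp", 443)))
```

With reflection off the ping never reaches the server at all: the VIP belongs to the firewall, which answers the echo itself. With pure reflection the destination is rewritten to 192.168.1.2 while the source stays 192.168.2.2, which is the flow the firewall log shows and the one the inter-VLAN block rule drops; adding the pinhole makes it pass without touching NAT. Only NAT+Proxy changes the source, and to the firewall's VLAN1 address, never to .69.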
@johnpoz OK, thanks for your response, I understand better :).
When I have time I will do some tests to understand better.
But to summarize our exchange, the simplest and most common approach is to authorize inter-VLAN communication on the desired ports. -
@yguerchet said in Inter-VLAN ping problem with NAT:
the simplest and most common approach is to authorize inter-VLAN communication on the desired ports
Yes... It can be as restrictive as you want... Only this IP talking to that IP on this port, etc. etc. The minimum required for what you're wanting to do.
I, for example, let my Rokus on their VLAN talk to the Plex server on its VLAN on port 32400, because it's a requirement to use my Plex. I'm sure not going to relay it or bounce it off my own WAN, etc. But the Roku stuff cannot talk to anything else on my other VLANs, etc. Just the Plex IP on port 32400.
-
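What the pinhole advice above looks like as rules, written here as an added illustration in plain pf.conf syntax rather than pfSense's generated ruleset or anything posted in the thread. Interface names (`em0`, `vlan1`, `vlan2`), the client and server addresses, and the ICMP forward are assumptions; only the 80/443 forward on 208.123.73.70 and the "block VLAN1 <-> VLAN2" policy come from the thread. The block shows, side by side, the roundabout path (port forward plus reflection, which the inter-VLAN block still drops) and the explicit minimal pinhole that replaces it.

```pf
# Added example in pf.conf syntax; not pfSense's own configuration.
ext_if = "em0"      # WAN, carries 208.123.73.69 and the VIP 208.123.73.70
vlan1  = "vlan1"    # 192.168.1.0/24, server 192.168.1.2 (assumed interface name)
vlan2  = "vlan2"    # 192.168.2.0/24, client 192.168.2.2 (assumed interface name)
wan_ip = "208.123.73.69"
vip    = "208.123.73.70"
server = "192.168.1.2"
client = "192.168.2.2"
web    = "{ 80, 443 }"

# Outbound NAT. This only matches packets that leave through $ext_if, which is
# why a client on VLAN2 talking to the VIP never appears with a .69 source:
# the firewall owns the VIP, so nothing egresses on WAN.
nat on $ext_if from $vlan2:network to any -> $wan_ip

# Port forward "from outside" to the server (80/443 from the thread; ICMP assumed).
# rdr is evaluated on the ingress interface, so these never see VLAN2 traffic.
rdr on $ext_if proto tcp  from any to $vip port $web -> $server
rdr on $ext_if proto icmp from any to $vip           -> $server
# Associated filter rules match the translated (private) destination.
pass in on $ext_if proto tcp  from any to $server port $web
pass in on $ext_if proto icmp from any to $server icmp-type echoreq

# NAT reflection, as the same translation repeated on the internal interface.
# The filter then sees src 192.168.2.2 / dst 192.168.1.2, exactly the flow
# from the logs, and the inter-VLAN block below drops it unless a pinhole exists.
rdr on $vlan2 proto tcp  from $vlan2:network to $vip port $web -> $server
rdr on $vlan2 proto icmp from $vlan2:network to $vip           -> $server

# The explicit, minimal pinhole instead: one client, one server, only the
# required protocols/ports. Everything else between the VLANs stays blocked,
# and Internet-bound traffic from VLAN2 is still allowed.
pass  in quick on $vlan2 proto tcp  from $client         to $server port $web
pass  in quick on $vlan2 proto icmp from $client         to $server icmp-type echoreq
block in quick on $vlan2            from $vlan2:network  to $vlan1:network
pass  in       on $vlan2            from $vlan2:network  to any
```

Read the pinhole section top to bottom: `quick` makes the first matching rule final, so the two narrow `pass` rules win for the allowed flows, the `block` catches every other VLAN2-to-VLAN1 packet, and the trailing `pass` keeps the default "VLAN to Internet" behaviour. Dropping the reflection `rdr` lines entirely is fine once the pinhole exists, provided the client reaches the server by its private address (the split-DNS host override mentioned later in the thread) rather than via the VIP.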
Hi @yguerchet, as @johnpoz pointed out, this doesn't work that way.
Considering you have 1:1 NAT of the DNS A record (I assume that is your target resolution for the DNS query), all you have to do is enable the "Enable DNS forward" option and configure it as shown below:
Host Overrides
Save, apply and TRY to PING toto.fr from ANY local IP address.
- Make sure your LAN or OPT interfaces allow DNS port 53 with "Destination" set to This firewall (self) between them.