Access Server On LAN1 From LAN2 With VIP
-
Hello,
I have two LAN interfaces with a server on LAN1 and clients on LAN2 that I want to give access to that LAN1 server. With a firewall rule on LAN2, I can access the server on LAN1 from LAN2 using the Server's LAN1 IP address.
I'm not sure why I want to do this other than an attempt for higher security, but I would like to mask LAN1 IP address and be able to access the server using a LAN2 subnet IP address.
I tried to do this by creating an IP Alias on the LAN2 interface and then creating a 1:1 NAT mapping on the LAN2 interface with the LAN2 virtual IP as the external and the LAN1 server IP as the internal. I already had the firewall rule on LAN2 allowing access to LAN1's server IP assuming the NAT translation happens before checking the firewall, but no-go. LAN1 has the all-access rule in place, but I'm not sure that matters as all of this traffic would originate from LAN2.
Just by creating the virtual IP, I can ping that address, but am gathering that the server on LAN1 is not the responding node. At least, that's how it looks to me.
What am I doing wrong? Can/should I even do this?
Thanks!
-
@urbnsr said in Access Server On LAN1 From LAN2 With VIP:
Can/should I even do this?
Other than complexity - what do you think this gets you? So you want to hide an RFC1918 address from your own clients? Are there devices that come onto this LAN that are not under your control?
Seems to me you could allow the traffic you want with a simple firewall rule - far less likely to mess something up, and sure as hell more secure than allowing a 1:1.
The only reason I could see for doing such a thing with a VIP on the source network would be that the clients you want to be able to get to devices in the destination network don't have a gateway set, or they point to a different default gateway, etc.
-
@johnpoz Thanks for the comments.
The LAN2 clients are under less control - not really public, but unmanaged clients that could be switched out and I would like an added layer without fully revealing the asset. I could stop access to all immediately, but still...
-
What do you think knowing the RFC1918 IP address of the thing they need/want to access (which you are allowing them to access) gives them that would lower your security? I don't see the concern.
They know it's local because of the response time. What does it being 192.168.2.1 vs 192.168.100.42 give them??
You are for sure making your setup more complex, and you're more likely to make mistakes when it's complex. Seems like pointless added work for no benefit other than some belief that them having the wrong IP for the resource you're allowing them to access somehow makes it more secure??
So what if they know the IP - the firewall only allows them to access port X, etc. Be it they know the actual IP or some false IP, you're still allowing them to access X.
You do you - but I personally would never do such a thing. I could see maybe not allowing some not-so-trusted network/VLAN to resolve all my resources via DNS or something. But if I want to allow IP X to access resource Y on my network, I sure wouldn't see a point in hiding the RFC1918 IP behind some other RFC1918 address.
You know what they say about security through obscurity ;) It's not security!
-
Thanks for the input. I guess I wanted to throw out an extra hurdle for "just in case" before going forward with the allowed access. If I went ahead with the true IP and later found it better to have obscured the address, I would need to reconfigure, or explain the reconfiguration to allowed clients.
Thanks. I will go ahead with actual address.
-
@urbnsr If you're worried about the actual address, maybe a reverse proxy. This way at least they are not actually talking to the device, the proxy is, so you have the actual security of not having direct access; only the proxy does. It can filter out some bad URLs and such that could be used to exploit the service, and you are also hiding the actual destination IP as well.
So you get some actual security from the reverse proxy while also obscuring your actual IP ;) It does add complexity - but at least you're actually adding a security measure that could prevent some sort of exploit, with the stuff the proxy would allow through or not, etc.
-
@johnpoz Thank you very much!
-
@urbnsr And no real reason for a VIP with a reverse proxy, just have it listen on the IP of pfSense on that VLAN on port X, and the backend is your destination, be that the same port X or a different port, etc.
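An added example of the reverse-proxy setup johnpoz describes (not posted by anyone in this thread, and not pfSense's own generated config): the HAProxy package on pfSense bound to the pfSense LAN2 address only, forwarding to the LAN1 server, with a path filter in front. The addresses reuse the 192.168.2.1 / 192.168.100.42 pair from the thread as placeholders; port 8080 and the blocked paths are assumed for illustration.

```haproxy
# Added example, not from the original thread. Placeholder values:
#   192.168.2.1    - pfSense address on the LAN2 VLAN (assumed)
#   192.168.100.42 - the server on LAN1 (assumed)
#   8080           - the service port on both sides (assumed; backend may differ)
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    # Keep timeouts short so a misbehaving client cannot hold server-side slots open
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend lan2_clients
    # Listen only on the LAN2-facing pfSense IP, not on every interface.
    # No VIP needed: clients talk to pfSense, never to the LAN1 address.
    bind 192.168.2.1:8080
    # Drop request paths the LAN2 clients have no business reaching
    # (the proxy filtering johnpoz mentions; paths are assumed examples)
    acl blocked_path path_beg -i /admin /debug /console
    http-request deny if blocked_path
    # Everything else goes to the LAN1 server
    default_backend lan1_server

backend lan1_server
    # The real destination; its address never appears in the client's view.
    # Use a different port here if the service does not live on 8080.
    server app1 192.168.100.42:8080 check
```

The firewall rule on LAN2 then only needs to allow TCP to 192.168.2.1 port 8080, and the direct LAN2-to-LAN1 rule can be dropped, so the clients never get an unfiltered path to the server.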