101 how to - route based policy no NAT
i am using pfsense within my vm enviorment to create a dmz in a box. the database server i am trying to protect is placed in the WAN portion of pfsense. with pfsense in nat based mode everything works exactly like my physical network using a juniper ns-25. the only issue i am having is that all of my lan traffic from the 10.0.0.0 subnet is being displayed to the database server with the ip address of 10.0.6.1 which is my wan interface. on my juniper ns25, i had the exact same issue during initial setup and had to change both my interface and my policy to use route instead of nat so that the database server could see the ip address of the client like 10.0.0.122. the database server has to see the ip address of the cleint requesting information.
i have tried turning off nat in the advanced section of the settings, however it seems once this is done pfsense no longer looks at the firewall rules and does not seem to allow any traffic from the lan into the wan. i also played around with the bridging feature and that did not seem to have any impact either.
so how can i set rules like only allow lan to talk to wan using port 23 telnet without applying nat so that the server receiving the telnet connection request can actually see the ip address from the lan client (ex. 10.0.0.122) and not the wan interface ip address (10.0.6.1)?
lan = 10.0.0.0 = interface = 10.0.0.125
wan = 10.0.6.0 interface = 10.0.6.1
10.0.0.1 = physical firewall lan interface
the physical firewall has a route policy to send all traffic for 10.0.6.0 to 10.0.0.125
GruensFroeschli last edited by
Did you uncheck the "block RFC1918 subnets" checkbox on the WAN config page?
those boxes are unchecked. i don't think they affect nat.
question: you said you tried disabling NAT in the advanced settings - the only setting I see is disabling firewalling, which says "also disables NAT", but then rules are not applied. is this correct? if so, have you looked at the outbound NAT rules, where a rule has the checkbox that says not to do NAT on the outbound packets? or am i misunderstanding?
Disabling the filter does what it says - disables filtering and NAT. You want:
i turned the filter back on so it puts the firewall back into firewall mode. this was a last ditch effort that i should not have tried as it clearly states it disables the firewall. i had already tried going to firewall - nat - outbound, setting to manual and deleting all of the auto-created rules. i saved it, and then re-booted the firewall to make sure everything was reset.
after the reboot, from the lan subnet 10.0.0.0 i was able to ping the wan gateway 10.0.6.1 but i was unable to ping the server in the wan subnet. my rules / polices from "lan to wan" as well as "wan to lan" are currently set to allow all source, port and destination traffic through so the rule should not be blocking anything.
i looked at the route table and the route for subnet 10.0.6.0 is set to the gateway "link#2"
any other thoughts would greatly be appreciated. thanks
Post output of 'netstat -rn'.
the other thing i noticed is in the rules, under "default gateway" it says use default or select gateway for a route based rule. so i am embarrased to ask this question, but what should my wan gateway be based on the information below (i assumed my wan gateway is 10.0.0.125):
lan subnet is 10.0.0.0
lan interface = 10.0.0.125
lan gateway = 10.0.0.1
wan interface= 10.0.6.1
wan subnet 10.0.6.0
physical juniper firewall:
lan subnet is 10.0.0.0
lan interface is 10.0.0.1
static route is 10.0.6.0 –> 10.0.0.125 gateway
netstat -rn from windows client in 10.0.0.0 subnet
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.75 10
10.0.0.0 255.255.255.0 10.0.0.75 10.0.0.75 10
10.0.0.75 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.0.0.75 10.0.0.75 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
169.254.0.0 255.255.0.0 10.0.0.75 10.0.0.75 20
184.108.40.206 240.0.0.0 10.0.0.75 10.0.0.75 10
255.255.255.255 255.255.255.255 10.0.0.75 10.0.0.75 1
Default Gateway: 10.0.0.1
no, i wanted 'netstat -rn' from the pfsense, not the LAN client.
Duh, I think I know what the problem is. If you are not NAT'ing, the traffic hitting your webserver will be coming from the 10.0.0.0/24 subnet, and unless you have left out this data point, the web server will not know how to reach that address, since its IP is in the 10.0.6.0/24 subnet. The simplest fix is to have the router for the 10.0.6.0/24 subnet have a static route for 10.0.0.0/24 pointing at 10.0.6.1, then, the first time the web server (or whatever) gets a packet from a 10.0.0.0/24 host, it will send it to the 10.0.6.0/24 gateway, which will forward it to the pfsense WAN IP, and send an ICMP redirect to the server so it knows how to get there from then on.
thanks everyone for your help. turning the filter back on so it puts the firewall back into firewall mode and setting the outbound NAT rules, where a rule has the checkbox that says not to do NAT on the outbound packets fixed it.
i was still having issues, but upon further inspection of linuix log files i found the clients ip address is being passed through the route based firewall and pam is closing all of the sessions. so now this may have been the easy part, pam in linuis does not look so easy.
no addtional route was needed. duh - the firewall is the router between interfaces.