Netgate Discussion Forum

    NAT segmentation

    7 Posts 4 Posters 2.9k Views
    • tommyboy180

      Hello forum,

      I have a strange but, I think, do-able NAT question.  I have a webserver that I have on a DMZ. The public can access this webserver.

      Here is the deal, I want to trick the webserver into only seeing a single IP address (like the DMZ nic address) whenever someone browses the webserver. In theory it sounds very do-able and I think I can make it work, but I have been unsuccessful with pfsense.

      So the effect will be no matter who browses the webserver from any address the webserver will only see an internal IP browsing it, therefore only one IP will be logged in the access logs.

      For the security minded: I know this is terrible security. This is for a proof of concept.

      -Tom

      -Tom Schaefer
      SuperMicro 1U 2X Intel pro/1000 Dual Core Intel 2.2 Ghz - 2 Gig RAM

      Please support pfBlocker | File Browser | Strikeback

      • danswartz

        You didn't say what you've tried, so forgive me if this is already known not to work (I don't know why it wouldn't).  Enable AON.  You will get the default "NAT if going out the WAN rule".  Add another rule that looks just the same, but NATs if going out the DMZ interface.

        • tommyboy180

          Well we haven't tried on pfsense. We tried with a Linksys NAT device to see if we could segment and it did; however, the webserver still sees public IPs.

          We will try pfsense here soon and let you know what we were able to come up with. Thank you for your help.

          • Efonnes

            danswartz's suggestion should work.  If you do outbound NAT on your DMZ interface, the server will only see the DMZ interface's address as the source.  Your outbound NAT rule should use your DMZ interface, any for source, and you could use any for destination if you want NAT on all traffic to that network.

            • tommyboy180

              Well I could not get it working with a single pfsense box. I was able to add a second pfsense box to accomplish what I was trying to do.

              What I have right now is:

              -------------
              Public Internet
                    |
              pfsense / 192.168.1.0/24
                    |
              pfsense / 192.168.3.0/24 ----- Webserver / 192.168.3.X

              On the webserver I wrote a simple PHP IP address query. When browsing the webserver from the public Internet, the returned IP is the IP from the border pfsense box (192.168.1.X).

              So if it is possible to do this with a single pfsense box via AON, then I was not able to get that working.

              • tommyboy180

                Hmm. I spoke too soon. The above layout does not work with default settings.

                Attached is my AON outbound rule. What do you see is wrong?

                [attachment: AON.jpg]

                • kpa

                  Add another outbound NAT rule that has interface set to DMZ, source address and port set to any, destination address set to the IP address of the webserver on the DMZ, and destination port set to 80.

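The rule kpa and Efonnes describe, written out as the pf.conf it corresponds to. This is an added illustration, not text from the thread and not pfSense's generated ruleset; the interface names (em0 WAN, em2 DMZ), the DMZ interface address 192.168.3.1 and the webserver address 192.168.3.10 are constructed values standing in for the thread's 192.168.3.X.

```pf
# Added example (not from the thread or pfSense's own config).
# Assumed, constructed values: WAN em0, DMZ em2 = 192.168.3.1,
# webserver 192.168.3.10.
wan_if    = "em0"
dmz_if    = "em2"
dmz_net   = "192.168.3.0/24"
webserver = "192.168.3.10"

# This is the rule AON creates by default: it only rewrites traffic
# leaving via WAN, so the DMZ webserver still sees real client IPs.
nat on $wan_if inet from $dmz_net to any -> ($wan_if)

# The extra rule from the thread: source NAT on the DMZ interface for
# any client, destination = the webserver, port 80. Traffic leaving
# em2 toward the server now carries 192.168.3.1 as its source, so the
# server's access log records only that one address.
nat on $dmz_if inet proto tcp from any to $webserver port 80 -> ($dmz_if)

# Consequence for logging and forensics: once this rule is active the
# firewall's state table is the only place the real client address is
# still paired with the connection ("pfctl -ss" lists the mappings
# while the state exists), so keep the WAN pass rule logged.
pass in log on $wan_if inet proto tcp from any to $webserver port 80
```

The default WAN rule is shown only to make clear why AON alone (the OP's first attempt) leaves client addresses visible to the DMZ host.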
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.