NAT segmentation



  • Hello forum,

    I have a strange but, I think, do-able NAT question.  I have a webserver that I have on a DMZ. The public can access this webserver.

    Here is the deal, I want to trick the webserver into only seeing a single IP address (like the DMZ nic address) whenever someone browses the webserver. In theory it sounds very do-able and I think I can make it work, but I have been unsuccessful with pfsense.

    So the effect will be no matter who browses the webserver from any address the webserver will only see an internal IP browsing it, therefore only one IP will be logged in the access logs.

    For the security minded: I know this is terrible security. This is for a proof of concept.

    -Tom



  • You didn't say what you've tried, so forgive me if this is already known not to work (I don't know why it wouldn't).  Enable AON.  You will get the default "NAT if going out the WAN rule".  Add another rule that looks just the same, but NATs if going out the DMZ interface.



  • Well we haven't tried on pfsense. We tried with a linksys NAT device to see if we could segment and it did, however, the webserver still sees public IPs.

    We will try pfsense here soon and let you know what we were able to come up with. Thank you for your help.



  • danswartz's suggestion should work.  If you do outbound NAT on your DMZ interface, the server will only see the DMZ interface's address as the source.  Your outbound NAT rule should use your DMZ interface, any for source, and you could use any for destination if you want NAT on all traffic to that network.



  • Well I could not get it working with a single pfsense box. I was able to add a second pfsense box to accomplish what I was trying to do.

    What I have right now is:

    -------------
    Public Internet
          |
    pfsense / 192.168.1.0/24
          |
    pfsense / 192.168.3.0/24 ----- Webserver / 192.168.3.X

    On the webserver I wrote a simple PHP IP address query. When browsing the webserver from the public Internet the returned IP is the IP from the border pfsense box (192.168.1.X).

    So if it is possible to do this with a single pfsense box via AoN then I was not able to get that working.



  • hmm. I spoke too soon. The above layout does not work, with default settings.

    Attached is my AON outbound rule. What do you see is wrong?




  • Add another outbound NAT rule that has interface set to DMZ, source address and port set to any, destination address set to the IP address of the webserver on the DMZ and destination port set to 80.
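As an added illustration (not part of the thread, and not pfSense's own generated ruleset), this is what the two Advanced Outbound NAT rules discussed above look like written as pf rules; the interface names, the DMZ network and the webserver address are assumptions standing in for the poster's 192.168.3.X host:

```pf
# Added example: pf equivalents of the AON rules discussed in the thread.
# Interface names and the webserver address are assumed, not from the thread.
wan_if    = "em0"
dmz_if    = "em1"
dmz_net   = "192.168.3.0/24"
webserver = "192.168.3.10"    # placeholder for the thread's 192.168.3.X

# Default AON rule: DMZ hosts leaving via the WAN get the WAN address.
# It only matches traffic going OUT the WAN, so inbound hits on the
# webserver still arrive with the real client address and get logged as such.
nat on $wan_if inet from $dmz_net to any -> ($wan_if)

# The rule from the last reply: traffic forwarded OUT the DMZ interface to
# the webserver on port 80 is rewritten to the DMZ interface's own address,
# so the webserver's access log shows only that one source.
nat on $dmz_if inet from any to $webserver port 80 -> ($dmz_if)
```

Once the second rule is in place the original client address exists only in the firewall's state table for the life of each connection (`pfctl -ss` lists both sides of the translation), so that is the only place the real source of a request to the webserver can still be read.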

