a somewhat strange problem with VIP 1:1 NAT reachability



  • I've got a /28 and 3x /24 the latter of which I want to map
    1:1 to private address space (e.g. each /24 to 10.0.x.0/24).

    My pfSense version is 2.1-DEVELOPMENT (i386)
    built on Fri Oct 21 12:51:56 EDT 2011

    I've got a setup where hosts and firewalls look like this

    WAN             LAN
    switch1 - fw1 - switch2
         | - fw2 - |
         | - ho1 - |
         | - … - |

    The hosts have two NICs (for WAN and LAN) and currently have
    virtual guests bound to the WAN interface, thus bypassing the
    firewalls. I now want to renumber the guests to private
    address space, and let the firewall deal with network
    mapping and traffic filtering.

    The LAN switch is managed, and is assigned an address
    10.0.0.x via fw1 DHCP.

    I've defined VIPs (type Proxy ARP, matching one public /24)
    and created a Firewall NAT 1:1 mapping as well as firewall
    rules to pass the relevant traffic. I've disabled the
    WAN switch port (by putting it on an unreachable VLAN)
    so that virtual guests bound to the same /24 are out of
    the loop for testing. I have not disabled any
    other hosts on the switch.

    Now the strange thing is that I can see the switch IP via
    the external mapped IP (two of them, in fact), but nothing
    else (but the gateway). nmap from within the network sees
    the other IPs fine.

    This makes absolutely no sense. There must be something simple
    I'm missing. Any idea how to debug this? Thanks!

    My rules look like this:

    cat /tmp/rules.debug

    #System aliases

    loopback = "{ lo0 }"
    LAN = "{ igb0 }"
    WAN = "{ em0 }"
    OPT1 = "{ igb1 }"

    #SSH Lockout Table
    table <sshlockout> persist
    table <webConfiguratorlockout> persist
    #Snort tables
    table <snort2c>
    table <virusprot>
    # User Aliases

    # Gateways
    GWGW_WAN = " route-to ( em0 88.198.239.113 ) "
    GWWANGWv6 = " route-to ( em0 2a01:4f8:7d:300::1 ) "

    set loginterface igb0
    set optimization normal
    set limit states 299000
    set limit src-nodes 299000

    set skip on pfsync0

    scrub in on $LAN all    fragment reassemble
    scrub in on $WAN all    fragment reassemble
    scrub in on $OPT1 all    fragment reassemble

    no nat proto carp
    no rdr proto carp
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"

    binat on em0 from 10.0.0.0/24 to any -> 88.198.222.0/24
    binat on em0 from 10.0.0.20 to any -> 88.198.239.118

    # Outbound NAT rules
    nat on $WAN  from 10.0.0.0/24 to any port 500 -> 88.198.239.114/32  static-port
    nat on $WAN  from 10.0.0.0/24 to any -> 88.198.239.114/32 port 1024:65535
    nat on $WAN  from 127.0.0.0/8 to any -> 88.198.239.114/32 port 1024:65535
    nat on $WAN  from 172.16.1.0/24 to any port 500 -> 88.198.239.114/32  static-port
    nat on $WAN  from 172.16.1.0/24 to any -> 88.198.239.114/32 port 1024:65535
    nat on $WAN  from 127.0.0.0/8 to any -> 88.198.239.114/32 port 1024:65535

    # Load balancing anchor
    rdr-anchor "relayd/*"

    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    table <negate_networks> { 10.0.0.0/24 88.198.239.112/28 172.16.1.0/24 }

    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"

    anchor "relayd/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log inet all label "Default deny rule IPv4"
    block out log inet all label "Default deny rule IPv4"
    block in log inet6 all label "Default deny rule IPv6"
    block out log inet6 all label "Default deny rule IPv6"

    # IPv6 ICMP is not auxiliary, it is required for operation
    # See man icmp6(4)
    # 1    unreach         Destination unreachable
    # 2    toobig          Packet too big
    # 128  echoreq         Echo service request
    # 129  echorep         Echo service reply
    # 133  routersol       Router solicitation
    # 134  routeradv       Router advertisement
    # 135  neighbrsol      Neighbor solicitation
    # 136  neighbradv      Neighbor advertisement
    pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state

    # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state

    # We use the mighty pf, we cannot be fooled.
    block quick inet proto { tcp, udp } from any port = 0 to any
    block quick inet proto { tcp, udp } from any to any port = 0
    block quick inet6 proto { tcp, udp } from any port = 0 to any
    block quick inet6 proto { tcp, udp } from any to any port = 0

    # Snort package
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"
    block in log quick proto carp from (self) to any
    pass quick proto carp
    pass quick proto pfsync

    # SSH lockout
    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

    # webConfigurator lockout
    block in log quick proto tcp from <webConfiguratorlockout> to any port 80 label "webConfiguratorlockout"
    block in quick from <virusprot> to any label "virusprot overload table"
    antispoof for igb0

    # allow access to DHCP server on LAN
    pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $LAN proto udp from any port = 68 to 10.0.0.1 port = 67 label "allow access to DHCP server"
    pass out on $LAN proto udp from 10.0.0.1 port = 67 to any port = 68 label "allow access to DHCP server"
    table <bogons> persist file "/etc/bogons"
    table <bogonsv6> persist file "/etc/bogonsv6"

    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
    block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
    block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
    antispoof for em0

    # block anything from private networks on interfaces with the option set
    antispoof for $WAN
    block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
    block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
    block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
    block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
    block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
    antispoof for igb1

    # loopback
    pass in on $loopback inet all label "pass IPv4 loopback"
    pass out on $loopback inet all label "pass IPv4 loopback"
    pass in on $loopback inet6 all label "pass IPv6 loopback"
    pass out on $loopback inet6 all label "pass IPv6 loopback"

    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to ( em0 88.198.239.113 ) from 88.198.239.114 to !88.198.239.112/28 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( em0 2a01:4f8:7d:300::1 ) inet6 from 2a01:4f8:7d:300::2 to !2a01:4f8:7d:300:0:0:0:0/56 keep state allow-opts label "let out anything from firewall host itself"

    # make sure the user cannot lock himself out of the webConfigurator or SSH
    pass in quick on igb0 proto tcp from any to (igb0) port { 80 22 } keep state label "anti-lockout rule"

    # User-defined rules follow
    anchor "userrules/*"
    pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 )  proto icmp  from any to any keep state  label "USER_RULE: allow ICMP ping from WAN"
    pass  in  quick  on $WAN reply-to ( em0 2a01:4f8:7d:300::1 ) inet6 proto ipv6-icmp  from any to any keep state  label "USER_RULE: allow IPv6 ICMP ping from WAN"
    pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 )  proto tcp  from any to 88.198.239.114 port 22  flags S/SA keep state  label "USER_RULE: allow SSH administration on WAN"
    pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 )  proto tcp  from any to 88.198.239.114 port 80  flags S/SA keep state  label "USER_RULE: allow HTTP administration on WAN"
    pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 )  proto tcp  from any to 88.198.239.114 port 443  flags S/SA keep state  label "USER_RULE: allow HTTPS administration on WAN"
    pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 ) inet proto { tcp udp }  from any to   88.198.239.118 port 80  keep state  label "USER_RULE: NAT "
    pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 ) inet proto { tcp udp }  from any to   88.198.222.0/24 keep state  label "USER_RULE: NAT "
    pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 ) inet proto { tcp udp }  from any to   10.0.0.20 keep state  label "USER_RULE"
    pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 ) inet proto { tcp udp }  from any to   10.0.0.2 keep state  label "USER_RULE"
    pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 ) inet proto { tcp udp }  from any to   10.0.0.3 keep state  label "USER_RULE"
    pass  in  quick  on $OPT1  from any to any keep state  label "USER_RULE"

    # VPN Rules
    anchor "tftp-proxy/*"
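Added example, not part of the original post and not pfSense code: a small Python model of the order in which pf handles a packet arriving on WAN. pf evaluates translation rules (binat/rdr) first, with the first matching rule winning, and only then evaluates filter rules, which therefore see the already-translated destination address. The two binat lines and the destination addresses of the "pass in quick on $WAN" rules are copied from the rules.debug above (ports and protocols are deliberately ignored); the probe addresses fed to it are constructed for the example. Whether this ordering is what produces the symptom described in the post is an inference, not something the thread confirms.

```python
# Added example (not from the forum post): model pf's translate-then-filter
# order for a 1:1 (binat) mapping and check which public addresses survive
# the WAN filter rules. Mappings and pass-rule destinations are taken from
# the poster's rules.debug; probe addresses below are constructed inputs.
from ipaddress import IPv4Address, IPv4Network

# binat on em0 from <internal> to any -> <external>, in listed order.
BINAT = [
    (IPv4Network("10.0.0.0/24"), IPv4Network("88.198.222.0/24")),
    (IPv4Network("10.0.0.20/32"), IPv4Network("88.198.239.118/32")),
]

# Destinations accepted by the "pass in quick on $WAN" rules in the post
# (only the destination address is modelled; ports/protocols are ignored).
WAN_PASS_DST = [IPv4Network(n) for n in (
    "88.198.239.114/32",   # the firewall's own WAN address (admin rules)
    "88.198.239.118/32",
    "88.198.222.0/24",
    "10.0.0.20/32",
    "10.0.0.2/32",
    "10.0.0.3/32",
)]


def _shift(addr: IPv4Address, src: IPv4Network, dst: IPv4Network) -> IPv4Address:
    """Map addr from network src onto network dst, preserving the host offset."""
    return IPv4Address(int(dst.network_address) + (int(addr) - int(src.network_address)))


def inbound_translate(public_dst: str) -> str:
    """Reverse binat for a packet arriving on WAN: first matching external net wins."""
    dst = IPv4Address(public_dst)
    for internal, external in BINAT:
        if dst in external:
            return str(_shift(dst, external, internal))
    return str(dst)


def outbound_translate(internal_src: str) -> str:
    """Forward binat for a packet leaving via WAN: first matching internal net wins."""
    src = IPv4Address(internal_src)
    for internal, external in BINAT:
        if src in internal:
            return str(_shift(src, internal, external))
    return str(src)


def wan_filter(dst: str) -> str:
    """Filter stage: pass if some WAN pass rule covers dst, else the default deny."""
    addr = IPv4Address(dst)
    return "pass" if any(addr in net for net in WAN_PASS_DST) else "block"


def reachable(public_dst: str) -> tuple:
    """Translate first, filter second, as pf does. Returns (address the filter saw, verdict)."""
    seen = inbound_translate(public_dst)
    return seen, wan_filter(seen)


if __name__ == "__main__":
    # Constructed probes: two hosts with explicit 10.0.0.x pass rules, one without,
    # the /32-mapped host via its dedicated VIP, and the firewall itself.
    for probe in ("88.198.222.2", "88.198.222.3", "88.198.222.50",
                  "88.198.239.118", "88.198.239.114"):
        seen, verdict = reachable(probe)
        print(f"{probe:>16} -> filter sees {seen:<15} {verdict}")
    # Outbound caveat: the /24 binat rule precedes the /32 rule, so traffic
    # from 10.0.0.20 is sourced from 88.198.222.20, not 88.198.239.118.
    print("10.0.0.20 outbound ->", outbound_translate("10.0.0.20"))
```

Under this order the rule whose destination is the public 88.198.222.0/24 block can never match an inbound packet, because by the time filtering runs the destination has already become 10.0.0.x; only destinations written with their internal address pass, which is why the model passes .2, .3 and .20 and blocks everything else in the /24. The outbound check at the end shows the other first-match consequence: 10.0.0.20 is caught by the /24 binat before its own /32. On the box itself, `pfctl -vvsr` shows each rule with its evaluation and packet counters, and `tcpdump -ni em0 host 88.198.222.50` (substituting a probed address) shows whether the packet even arrives on the WAN side; together they separate a filtering problem from an ARP/VIP problem.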