Netgate Discussion Forum
    a somewhat strange problem with VIP 1:1 NAT reachability

    HA/CARP/VIPs
    eleitl

      I've got a /28 and 3x /24 the latter of which I want to map
      1:1 to private address space (e.g. each /24 to 10.0.x.0/24).

      My pfSense version is 2.1-DEVELOPMENT (i386)
      built on Fri Oct 21 12:51:56 EDT 2011

      I've got a setup where hosts and firewalls look like this

      WAN             LAN
      switch1 - fw1 - switch2
           | - fw2 - |
           | - ho1 - |
           | - … - |

      The hosts have two NICs (for WAN and LAN) and currently
      have virtual guests bound to the WAN interface, thus bypassing the
      firewalls. I now want to renumber the guests to private
      address space, and let the firewall deal with network
      mapping and traffic filtering.

      The LAN switch is managed, and is assigned an address
      10.0.0.x via fw1 DHCP.

      I've defined VIPs (type Proxy ARP, matching one public /24)
      and created a Firewall NAT 1:1 mapping as well as firewall
      rules to pass the relevant traffic. I've disabled the
      WAN switch port (by putting it on an unreachable VLAN)
      so that virtual guests bound to the same /24 are out of
      the loop for testing. I have not disabled any
      other hosts on the switch.

      Now the strange thing is that I can see the switch IP via
      the external mapped IP (two of them, in fact), but nothing
      else (but the gateway). nmap from within the network sees
      the other IPs fine.

      This makes absolutely no sense. There must be something simple
      I'm missing. Any idea how to debug this? Thanks!

      My rules look like this:

      cat /tmp/rules.debug

      #System aliases

      loopback = "{ lo0 }"
      LAN = "{ igb0 }"
      WAN = "{ em0 }"
      OPT1 = "{ igb1 }"

      #SSH Lockout Table
      table <sshlockout> persist
      table <webconfiguratorlockout> persist
      #Snort tables
      table <snort2c>
      table <virusprot>
      # User Aliases

      # Gateways
      GWGW_WAN = " route-to ( em0 88.198.239.113 ) "
      GWWANGWv6 = " route-to ( em0 2a01:4f8:7d:300::1 ) "

      set loginterface igb0
      set optimization normal
      set limit states 299000
      set limit src-nodes 299000

      set skip on pfsync0

      scrub in on $LAN all    fragment reassemble
      scrub in on $WAN all    fragment reassemble
      scrub in on $OPT1 all    fragment reassemble

      no nat proto carp
      no rdr proto carp
      nat-anchor "natearly/*"
      nat-anchor "natrules/*"

      binat on em0 from 10.0.0.0/24 to any -> 88.198.222.0/24
      binat on em0 from 10.0.0.20 to any -> 88.198.239.118

      # Outbound NAT rules
      nat on $WAN  from 10.0.0.0/24 to any port 500 -> 88.198.239.114/32  static-port
      nat on $WAN  from 10.0.0.0/24 to any -> 88.198.239.114/32 port 1024:65535
      nat on $WAN  from 127.0.0.0/8 to any -> 88.198.239.114/32 port 1024:65535
      nat on $WAN  from 172.16.1.0/24 to any port 500 -> 88.198.239.114/32  static-port
      nat on $WAN  from 172.16.1.0/24 to any -> 88.198.239.114/32 port 1024:65535
      nat on $WAN  from 127.0.0.0/8 to any -> 88.198.239.114/32 port 1024:65535

      # Load balancing anchor
      rdr-anchor "relayd/*"

      # TFTP proxy
      rdr-anchor "tftp-proxy/*"
      table <negate_networks> { 10.0.0.0/24 88.198.239.112/28 172.16.1.0/24 }

      # UPnPd rdr anchor
      rdr-anchor "miniupnpd"

      anchor "relayd/*"
      #---------------------------------------------------------------------------
      # default deny rules
      #---------------------------------------------------------------------------
      block in log inet all label "Default deny rule IPv4"
      block out log inet all label "Default deny rule IPv4"
      block in log inet6 all label "Default deny rule IPv6"
      block out log inet6 all label "Default deny rule IPv6"

      # IPv6 ICMP is not auxilary, it is required for operation
      # See man icmp6(4)
      # 1    unreach         Destination unreachable
      # 2    toobig          Packet too big
      # 128  echoreq         Echo service request
      # 129  echorep         Echo service reply
      # 133  routersol       Router solicitation
      # 134  routeradv       Router advertisement
      # 135  neighbrsol      Neighbor solicitation
      # 136  neighbradv      Neighbor advertisement
      pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state

      # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state

      # We use the mighty pf, we cannot be fooled.
      block quick inet proto { tcp, udp } from any port = 0 to any
      block quick inet proto { tcp, udp } from any to any port = 0
      block quick inet6 proto { tcp, udp } from any port = 0 to any
      block quick inet6 proto { tcp, udp } from any to any port = 0

      # Snort package
      block quick from <snort2c> to any label "Block snort2c hosts"
      block quick from any to <snort2c> label "Block snort2c hosts"
      block in log quick proto carp from (self) to any
      pass quick proto carp
      pass quick proto pfsync

      # SSH lockout
      block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

      # webConfigurator lockout
      block in log quick proto tcp from <webconfiguratorlockout> to any port 80 label "webConfiguratorlockout"
      block in quick from <virusprot> to any label "virusprot overload table"
      antispoof for igb0

      # allow access to DHCP server on LAN
      pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
      pass in on $LAN proto udp from any port = 68 to 10.0.0.1 port = 67 label "allow access to DHCP server"
      pass out on $LAN proto udp from 10.0.0.1 port = 67 to any port = 68 label "allow access to DHCP server"
      table <bogons> persist file "/etc/bogons"
      table <bogonsv6> persist file "/etc/bogonsv6"

      # block bogon networks
      # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
      # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
      block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
      block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
      antispoof for em0

      # block anything from private networks on interfaces with the option set
      antispoof for $WAN
      block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
      block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
      block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
      block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
      block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
      antispoof for igb1

      # loopback
      pass in on $loopback inet all label "pass IPv4 loopback"
      pass out on $loopback inet all label "pass IPv4 loopback"
      pass in on $loopback inet6 all label "pass IPv6 loopback"
      pass out on $loopback inet6 all label "pass IPv6 loopback"

      # let out anything from the firewall host itself and decrypted IPsec traffic
      pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
      pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
      pass out route-to ( em0 88.198.239.113 ) from 88.198.239.114 to !88.198.239.112/28 keep state allow-opts label "let out anything from firewall host itself"
      pass out route-to ( em0 2a01:4f8:7d:300::1 ) inet6 from 2a01:4f8:7d:300::2 to !2a01:4f8:7d:300:0:0:0:0/56 keep state allow-opts label "let out anything from firewall host itself"

      # make sure the user cannot lock himself out of the webConfigurator or SSH
      pass in quick on igb0 proto tcp from any to (igb0) port { 80 22 } keep state label "anti-lockout rule"

      # User-defined rules follow
      anchor "userrules/*"
      pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 )  proto icmp  from any to any keep state  label "USER_RULE: allow ICMP ping from WAN"
      pass  in  quick  on $WAN reply-to ( em0 2a01:4f8:7d:300::1 ) inet6 proto ipv6-icmp  from any to any keep state  label "USER_RULE: allow IPv6 ICMP ping from WAN"
      pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 )  proto tcp  from any to 88.198.239.114 port 22  flags S/SA keep state  label "USER_RULE: allow SSH administration on WAN"
      pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 )  proto tcp  from any to 88.198.239.114 port 80  flags S/SA keep state  label "USER_RULE: allow HTTP administration on WAN"
      pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 )  proto tcp  from any to 88.198.239.114 port 443  flags S/SA keep state  label "USER_RULE: allow HTTPS administration on WAN"
      pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 ) inet proto { tcp udp }  from any to   88.198.239.118 port 80  keep state  label "USER_RULE: NAT "
      pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 ) inet proto { tcp udp }  from any to   88.198.222.0/24 keep state  label "USER_RULE: NAT "
      pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 ) inet proto { tcp udp }  from any to   10.0.0.20 keep state  label "USER_RULE"
      pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 ) inet proto { tcp udp }  from any to   10.0.0.2 keep state  label "USER_RULE"
      pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 ) inet proto { tcp udp }  from any to   10.0.0.3 keep state  label "USER_RULE"
      pass  in  quick  on $OPT1  from any to any keep state  label "USER_RULE"

      # VPN Rules
      anchor "tftp-proxy/*"

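The following is an added example, not from the post above and not pfSense's or pf's own code. It models the one ordering detail of pf that matters when checking a 1:1 NAT ruleset like the posted one: per pf.conf(5), translation rules (binat/nat/rdr) are applied to an inbound packet before the filter rules are evaluated, so a "pass in on $WAN" rule is matched against the translated, internal destination, not the public address the client sent to. The two binat lines and the destinations of the posted "pass in quick on $WAN" NAT rules are copied from the rules.debug shown; the "fixed" rule list is a hypothetical alternative written against the internal addresses. Everything else (anchors, the outbound nat rules, antispoof, state, the ICMP and admin rules) is deliberately left out of the model.

```python
import ipaddress

# Constructed from the two binat lines in the posted rules.debug:
# (internal network, external network). binat maps equal-sized networks,
# so the host part of the address is preserved.
BINAT_RULES = [
    ("10.0.0.0/24", "88.198.222.0/24"),
    ("10.0.0.20/32", "88.198.239.118/32"),
]

# Destinations of the posted "pass in quick on $WAN ... proto { tcp udp }"
# rules, exactly as written (some use the public address, some the private).
PASS_IN_WAN_DST = [
    "88.198.239.118/32",
    "88.198.222.0/24",
    "10.0.0.20/32",
    "10.0.0.2/32",
    "10.0.0.3/32",
]

# Hypothetical alternative (assumption, not from the post): the pass rule
# written against the internal network that binat produces.
PASS_IN_WAN_DST_FIXED = [
    "10.0.0.0/24",
]


def translate_inbound(public_ip, binat=BINAT_RULES):
    """Internal address pf substitutes for public_ip on a packet arriving on
    WAN, or None when no binat rule covers it (first matching rule wins)."""
    ip = ipaddress.ip_address(public_ip)
    for internal, external in binat:
        ext = ipaddress.ip_network(external)
        if ip in ext:
            offset = int(ip) - int(ext.network_address)
            base = ipaddress.ip_network(internal).network_address
            return str(base + offset)
    return None


def matches_pass_rule(dst_ip, pass_dst):
    """True if any pass-rule destination covers dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(n) for n in pass_dst)


def inbound_decision(public_ip, pass_dst=PASS_IN_WAN_DST, binat=BINAT_RULES):
    """pf order of operations for an inbound WAN packet: translate first,
    then the filter sees the translated destination.
    Returns (internal_ip or None, passed)."""
    internal = translate_inbound(public_ip, binat)
    if internal is None:
        return (None, False)  # no 1:1 mapping; out of scope for this model
    return (internal, matches_pass_rule(internal, pass_dst))


def reachable_public_hosts(public_net, pass_dst=PASS_IN_WAN_DST, binat=BINAT_RULES):
    """Every host address in public_net whose translated destination is
    actually passed by the filter rules (hosts() skips .0 and .255)."""
    net = ipaddress.ip_network(public_net)
    return [str(ip) for ip in net.hosts()
            if inbound_decision(str(ip), pass_dst, binat)[1]]


if __name__ == "__main__":
    for name, rules in (("as posted", PASS_IN_WAN_DST), ("fixed", PASS_IN_WAN_DST_FIXED)):
        hosts = reachable_public_hosts("88.198.222.0/24", rules)
        print(f"{name}: {len(hosts)} of 254 public hosts pass; first few: {hosts[:5]}")
    print("88.198.239.118 ->", inbound_decision("88.198.239.118"))
```

Run against the posted rules, the model passes only the three public addresses whose translated destinations (10.0.0.2, 10.0.0.3, 10.0.0.20) have an explicit pass rule; the rule matching 88.198.222.0/24 never sees a packet with that destination, because binat has already rewritten it. The same check on a live box is `pfctl -sn` for the translation rules and `pfctl -sr` for the filter rules, reading each inbound rule's destination as a post-translation address.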