Trying to use policy based routing for 1:1 NAT connection.

  • I am trying to migrate from what is currently two pfSense 1.2.3 machines onto one pfSense 2.x, which, with policy-based routing, in theory (hopefully) should be possible.

    My test system is perhaps technically not "multi-homed" in the sense that it only has one physical LAN and one physical WAN interface, but there are 3 gateways of relevance on the WAN network. Hence the need to route specific traffic differently; from a logical, or at least gateway, viewpoint it is kind of "Multi WAN".

    To explain:

    We have a class C registered IP network which we will call x.y.z.0/24.

    This network has the following gateways:

    x.y.z.1 is a Cisco router routing our live IP address space to/from the internet (on a 512K leased line). This is the (only) route from the internet INTO our class address space, on which we run DNS servers, some email servers, and various other bits. The relatively low speed of this line means that we need to ensure that only the specific traffic that needs to use LIVE IP addresses goes through this gateway.

    x.y.z.100 is the LAN interface of an ADSL router which has a WAN IP that is DHCP-assigned by the ISP.
    It has a 10 Mbit uncapped ADSL connection.
    This is intended for general internet access from the office.

    x.y.z.101 is the LAN interface of a second ADSL router which also has a WAN IP that is DHCP-assigned by the ISP.
    It also has a 10 Mbit ADSL connection. It can be used (as a backup) for general internet access, but is primarily used for VPN connections from a few alternate locations and a handful of remote workers.

    I am testing a pfSense install with WAN address x.y.z.32 and LAN address

    I have tried a few versions, including and after the latest stable release, and am now on:

    2.1-BETA0 (i386)
    built on Tue Oct 2 18:09:25 EDT 2012
    FreeBSD 8.3-RELEASE-p4

    I have disabled all outbound NAT on this pfSense. The ADSL routers have to do outbound NAT and I’m not keen to have it done twice. On a normal “good” day I would want to set the x.y.z.100 ADSL router as the default gateway for pfSense. If/when that line fails, I would (manually) change the default GW to x.y.z.101. We have at this point no need/desire to run load balancing or any automatic failover or such.

    All good so far, but here comes the problem:

    There are a few machines on our LAN network which need to be reachable from outside (using public IPs).

    At this point, as a test, I have created a virtual IP of x.y.z.20 on the WAN interface, and set up 1:1 NAT for x.y.z.20 to and, obviously, a firewall rule allowing access from the WAN.

    The 1:1 NAT works fine from the local WAN network (x.y.z.0/24) itself, but here comes the problem...

    In order to use it from the outside world, I am trying to set up policy-based routing, so that whenever someone from the outside is connecting into the NATed IP (x.y.z.20, or whichever you like to refer to it as) then pfSense should send the response out via the x.y.z.1 GW and NOT the default GW.

    It's the one thing that pfSense policy-based routing doesn’t seem able to do.

    A LAN rule with as the source host will indeed direct everything coming from my PC on the LAN to go via my chosen GW, using the NATed IP and all. But only if the connection is initiated from my machine. If it’s initiated from the outside then pfSense still insists on sending the response to the default GW.

    I really have tried every possible firewall rule (rational as well as irrational, that I can think of) to try and catch this with a “policy”. For the purpose of testing I have even tried a floating rule that sends ANY traffic out of pfSense not destined for the LAN via GW x.y.z.1. This effectively “overrules” the default gateway for everything except the exact one purpose I am trying to target with the rule. Even with this rule pfSense still sends responses for anything sent to the virtual IP from outside to my default GW (x.y.z.100) and not to .1 as specified in the rule.

    I can’t think of a more wide-open rule than this to try and catch the connection with, and my conclusion is therefore that this particular connection can’t be caught and redirected to another GW with any firewall rule at all.

    For the virtual IP I have tried both “Proxy ARP” and “IP Alias” with the same result. I have also tried various rule pairs that use “State” set to none, as I can see how trying to keep track of a connection state could affect this. All with no success. The ONLY way I can get this 1:1 NAT to work from the outside is by setting the default gateway to x.y.z.1.

    With the default gateway set to x.y.z.1 I can then in theory set up policy-based routing for literally everything else that pfSense needs to do for us. This would probably work, so there might be a “workaround” option for me there, but it’s a bit awkward. I would far prefer to be able to specify rules that use special policy-based routing (exceptions) for any traffic involving the virtual IPs (or the equivalent LAN IP used in my 1:1 NAT translations).

    If it can be done then I am obviously missing something basic somewhere. Any hints would be very much appreciated.

    Kind Regards,
    Bent Hansen.
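The behaviour described in the post (a LAN rule with a gateway steers LAN-initiated connections but not the replies to connections initiated from outside) follows from how a stateful packet filter such as pf works: rules are evaluated only for the packet that creates the state, and every later packet of that connection, replies included, is forwarded according to what the state recorded. The model below is an added example written for this page; it is not pfSense code and not the poster's configuration. It uses the addresses from the post (x.y.z.1, x.y.z.100, x.y.z.20), assumes a LAN address for the 1:1 NAT target (the post truncates it), and constructs the remote addresses from RFC 5737 documentation ranges. The remedy it models, a reply-to next hop recorded on the inbound WAN rule (pf's `reply-to` option), is shown as the mechanism that would steer the replies; whether the pfSense 2.1 beta in the post exposes that for this case is not something the post establishes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Addresses from the post (x.y.z.0/24 is the public /24 the post describes).
DEFAULT_GW = "x.y.z.100"   # office ADSL router, the pfSense default gateway
LEASED_GW = "x.y.z.1"      # Cisco router: the only path from the Internet into x.y.z.0/24
VIP = "x.y.z.20"           # virtual IP on WAN used for the 1:1 NAT
# The post truncates the LAN-side address of the 1:1 NAT; this value is assumed.
LAN_HOST = "192.168.1.20"
# Remote addresses are constructed for the example (RFC 5737 documentation ranges).
REMOTE = "203.0.113.5"
WEBSITE = "198.51.100.7"


@dataclass
class Rule:
    iface: str                       # interface the packet arrives on: "wan" or "lan"
    src: str                         # source address or "any"
    dst: str                         # destination address (after 1:1 NAT) or "any"
    gateway: Optional[str] = None    # policy route for the packets that match (pf route-to)
    reply_to: Optional[str] = None   # next hop recorded for the replies (pf reply-to)


@dataclass
class Packet:
    iface: str
    src: str
    dst: str
    sport: int
    dport: int


class StatefulFilter:
    """Minimal model of a stateful packet filter: rules are evaluated only for
    the packet that creates a state; every later packet of the connection is
    forwarded according to what the state recorded."""

    def __init__(self, rules: List[Rule], default_gw: str) -> None:
        self.rules = rules
        self.default_gw = default_gw
        # key: (src, dst, sport, dport) of the state-creating packet
        # value: next hop for packets flowing in the opposite direction
        self.states: Dict[Tuple[str, str, int, int], str] = {}

    def next_hop(self, pkt: Packet) -> str:
        """Return "lan" (deliver to the LAN), a gateway IP (send out WAN) or "drop"."""
        src, dst = pkt.src, pkt.dst
        # 1:1 NAT: the VIP on WAN stands for LAN_HOST; filter on the translated address.
        if pkt.iface == "wan" and dst == VIP:
            dst = LAN_HOST
        key = (src, dst, pkt.sport, pkt.dport)
        reverse = (dst, src, pkt.dport, pkt.sport)

        if reverse in self.states:
            # Reply to an existing connection: no rule is consulted, so a LAN rule
            # with a gateway never gets a chance to steer this packet.
            return self.states[reverse]

        rule = next((r for r in self.rules
                     if r.iface == pkt.iface
                     and r.src in ("any", src)
                     and r.dst in ("any", dst)), None)
        if rule is None:
            return "drop"

        if pkt.iface == "wan":
            # Inbound connection: deliver to the LAN; remember where replies must go.
            self.states[key] = rule.reply_to or self.default_gw
            return "lan"
        # Outbound connection from the LAN: policy route applies; replies come back to the LAN.
        self.states[key] = "lan"
        return rule.gateway or self.default_gw


def reply_hop_for_inbound(wan_reply_to: Optional[str]) -> str:
    """Where the reply to an Internet-initiated connection to the VIP leaves,
    given the post's LAN policy rule and a WAN rule with the given reply-to."""
    fw = StatefulFilter(
        rules=[
            Rule("wan", "any", LAN_HOST, reply_to=wan_reply_to),   # allow in to the 1:1 NAT
            Rule("lan", LAN_HOST, "any", gateway=LEASED_GW),       # the post's policy rule
        ],
        default_gw=DEFAULT_GW,
    )
    inbound = Packet("wan", REMOTE, VIP, 40000, 25)
    assert fw.next_hop(inbound) == "lan"
    reply = Packet("lan", LAN_HOST, REMOTE, 25, 40000)
    return fw.next_hop(reply)


def outbound_hop() -> str:
    """A connection initiated by LAN_HOST is steered by the LAN rule, as the post observed."""
    fw = StatefulFilter([Rule("lan", LAN_HOST, "any", gateway=LEASED_GW)], DEFAULT_GW)
    return fw.next_hop(Packet("lan", LAN_HOST, WEBSITE, 50000, 80))


if __name__ == "__main__":
    print("reply, LAN policy rule only :", reply_hop_for_inbound(None))       # x.y.z.100
    print("reply, WAN rule reply-to .1 :", reply_hop_for_inbound(LEASED_GW))  # x.y.z.1
    print("LAN-initiated connection    :", outbound_hop())                    # x.y.z.1
```

Run as a script, the first line shows the symptom from the post: with only the LAN policy rule, the reply to an inbound connection follows the default gateway (x.y.z.100) because it matches the state, not a rule. The second line shows the same reply leaving via x.y.z.1 once the state created by the inbound WAN rule carries that next hop; the third confirms that LAN-initiated connections were always steered by the LAN rule, as the post observed. The practical lesson is that the reply path of an inbound connection is fixed at state creation on the interface where the connection arrived, so the rule to look at is the one on WAN, not the one on LAN.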
