NAT Filter or Host Based NAT : OpenVPN TCP 443 and HTTPS Site with 1 IP



  • Hi all,

    I'm trying to set up an OpenVPN server that will work on some of the more restrictive networks using TCP 443, but I am already using that port for Exchange Web Services (OWA, ActiveSync etc.) and I only have 1 dynamically assigned IP. I've been able to get everything to work using DynDNS and CNAMEs, but I can't get over the 1 IP / same NAT port issue in this instance.

    I'm assuming something like a host-based NAT probably will not work, as it all translates to IP at this level, but I wasn't sure if maybe this could be a path to differentiate traffic. Perhaps there is a way to create a NAT policy or filter that can separate the traffic and redirect based on the service? Maybe a policy that checks for HTTP header values or something of the sort?

    Please don't suggest using UDP 443 as I understand I can do this but some public networks restrict even this.



  • OK, so I tried. I have a NAT rule for TCP 443 to my Exchange server:

    WAN TCP * * WAN address 443 (HTTPS) 10.0.0.20 443 (HTTPS) OWA HTTPS

    And 2 firewall rules with the OpenVPN TCP 443 rule above the OWA TCP 443 rule.

    TCP * * WAN address 443 (HTTPS) * none   OpenVPN TCP 443
    TCP * * 10.0.0.20 443 (HTTPS) * none   NAT OWA HTTPS

    Now when I look at the logs I see that the NAT rule is processing all traffic on 443 to the internal IP 10.0.0.20. Unfortunately I can't really differentiate the traffic based on the raw logs; I was expecting raw logs with no cleanup/formatting so I could identify TCP headers for a possible filter. I have experience with Wireshark, but I'll try to use the tools available in pfSense (BSD) first: http://doc.pfsense.org/index.php/Sniffers,_Packet_Capture.

    So my question is: if I could find a way to identify and segregate the OpenVPN traffic (maybe limit the port range it uses for the outbound connection, though I don't think this is possible from the client end), could I create a higher-ranking NAT rule for OpenVPN traffic with a NO RDR option so that the matching traffic would not be NAT'd and would stay at the firewall WAN level? Could this be a possible option, or am I going about this the wrong way? Is this even possible, or am I just wasting my time?  :-\

    Syslog traffic below; OpenVPN traffic is above the break, below it is ActiveSync/OWA traffic:

    4/18/13 15:47	pf: 198.228.195.205.58944 > 10.0.0.20.443: Flags [S], cksum 0xa092 (correct), seq 3348006027, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579578718 ecr 0,sackOK,eol], length 0
    4/18/13 15:47	pf: 198.228.195.205.60933 > 10.0.0.20.443: Flags [S], cksum 0xea7a (correct), seq 170129620, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579576531 ecr 0,sackOK,eol], length 0
    4/18/13 15:47	pf: 198.228.195.205.43669 > 10.0.0.20.443: Flags [S], cksum 0xe4a2 (correct), seq 2999493501, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579573965 ecr 0,sackOK,eol], length 0
    4/18/13 15:47	pf: 198.228.195.205.54985 > 10.0.0.20.443: Flags [S], cksum 0xc975 (correct), seq 183583459, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579571768 ecr 0,sackOK,eol], length 0
    4/18/13 15:47	pf: 198.228.195.205.61652 > 10.0.0.20.443: Flags [S], cksum 0x3617 (correct), seq 2785225223, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579569493 ecr 0,sackOK,eol], length 0
    4/18/13 15:47	pf: 198.228.195.205.48127 > 10.0.0.20.443: Flags [S], cksum 0x6308 (correct), seq 3181388550, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579567261 ecr 0,sackOK,eol], length 0
    4/18/13 15:47	pf: 198.228.195.205.49842 > 10.0.0.20.443: Flags [S], cksum 0xfb13 (correct), seq 3121582231, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579565022 ecr 0,sackOK,eol], length 0
    4/18/13 15:47	pf: 198.228.195.205.55274 > 10.0.0.20.443: Flags [S], cksum 0xbe34 (correct), seq 760106424, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579562790 ecr 0,sackOK,eol], length 0
    4/18/13 15:47	pf: 198.228.195.205.56671 > 10.0.0.20.443: Flags [S], cksum 0x0df5 (correct), seq 37366858, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579560563 ecr 0,sackOK,eol], length 0
    4/18/13 15:47	pf: 198.228.195.205.62598 > 10.0.0.20.443: Flags [S], cksum 0x619b (correct), seq 605399094, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579558366 ecr 0,sackOK,eol], length 0
    4/18/13 15:47	pf: 198.228.195.205.54937 > 10.0.0.20.443: Flags [S], cksum 0x4e4a (correct), seq 2791727056, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579556145 ecr 0,sackOK,eol], length 0
    4/18/13 15:47	pf: 198.228.195.205.45945 > 10.0.0.20.443: Flags [S], cksum 0x67c5 (correct), seq 1454493309, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579550686 ecr 0,sackOK,eol], length 0
    
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    
    4/18/13 15:44	pf: 198.228.195.205.34547 > 10.0.0.20.443: Flags [S], cksum 0x2401 (correct), seq 3553437615, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579393501 ecr 0,sackOK,eol], length 0
    4/18/13 15:44	pf: 198.228.195.205.46676 > 10.0.0.20.443: Flags [S], cksum 0xfef9 (correct), seq 4219731267, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579391544 ecr 0,sackOK,eol], length 0
    4/18/13 15:44	pf: 198.228.195.205.58534 > 10.0.0.20.443: Flags [S], cksum 0x20ae (correct), seq 2435589393, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579388092 ecr 0,sackOK,eol], length 0
    4/18/13 15:44	pf: 198.228.195.205.43232 > 10.0.0.20.443: Flags [S], cksum 0x66e7 (correct), seq 4015703111, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579386084 ecr 0,sackOK,eol], length 0
    4/18/13 15:44	pf: 198.228.195.205.48575 > 10.0.0.20.443: Flags [S], cksum 0x72ad (correct), seq 3783392421, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579366842 ecr 0,sackOK,eol], length 0
    4/18/13 15:43	pf: 198.228.195.205.58096 > 10.0.0.20.443: Flags [S], cksum 0xd831 (correct), seq 184050056, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579360428 ecr 0,sackOK,eol], length 0
    4/18/13 15:43	pf: 198.228.195.205.61728 > 10.0.0.20.443: Flags [S], cksum 0x6ba6 (correct), seq 86560068, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579358491 ecr 0,sackOK,eol], length 0
    4/18/13 15:43	pf: 198.228.195.205.53083 > 10.0.0.20.443: Flags [S], cksum 0x8854 (correct), seq 2899925217, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579346660 ecr 0,sackOK,eol], length 0
    4/18/13 15:43	pf: 198.228.195.205.55711 > 10.0.0.20.443: Flags [S], cksum 0xf76d (correct), seq 157844901, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579345972 ecr 0,sackOK,eol], length 0
    4/18/13 15:43	pf: 198.228.195.205.41013 > 10.0.0.20.443: Flags [S], cksum 0xa2c9 (correct), seq 712934564, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579308590 ecr 0,sackOK,eol], length 0
    4/18/13 15:42	pf: 198.228.195.205.57399 > 10.0.0.20.443: Flags [S], cksum 0xa875 (correct), seq 3484605632, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579291439 ecr 0,sackOK,eol], length 0
    4/18/13 15:42	pf: 198.228.195.205.50399 > 10.0.0.20.443: Flags [S], cksum 0x657b (correct), seq 1854186499, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579289453 ecr 0,sackOK,eol], length 0
    4/18/13 15:42	pf: 198.228.195.205.45180 > 10.0.0.20.443: Flags [S], cksum 0x7eff (correct), seq 1039193197, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579288182 ecr 0,sackOK,eol], length 0
    4/18/13 15:42	pf: 198.228.195.205.38243 > 10.0.0.20.443: Flags [S], cksum 0xa890 (correct), seq 60360761, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579286154 ecr 0,sackOK,eol], length 0
    4/18/13 15:39	pf: 198.228.195.205.62000 > 10.0.0.20.443: Flags [S], cksum 0x9d74 (correct), seq 2146237911, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579170536 ecr 0,sackOK,eol], length 0
    4/18/13 15:39	pf: 198.228.195.205.39330 > 10.0.0.20.443: Flags [S], cksum 0xab83 (correct), seq 489010160, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579168278 ecr 0,sackOK,eol], length 0
    4/18/13 15:39	pf: 198.228.195.205.44614 > 10.0.0.20.443: Flags [S], cksum 0x7b9d (correct), seq 1220521392, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579165694 ecr 0,sackOK,eol], length 0
    4/18/13 15:39	pf: 198.228.195.205.40534 > 10.0.0.20.443: Flags [S], cksum 0x23c3 (correct), seq 1803877687, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579163004 ecr 0,sackOK,eol], length 0
    4/18/13 15:39	pf: 198.228.195.205.32966 > 10.0.0.20.443: Flags [S], cksum 0x7e37 (correct), seq 3529073158, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579160820 ecr 0,sackOK,eol], length 0
    4/18/13 15:39	pf: 198.228.195.205.35285 > 10.0.0.20.443: Flags [S], cksum 0xbc97 (correct), seq 2474074591, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579158670 ecr 0,sackOK,eol], length 0
    4/18/13 15:39	pf: 198.228.195.205.48047 > 10.0.0.20.443: Flags [S], cksum 0x0b68 (correct), seq 3852443177, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579154801 ecr 0,sackOK,eol], length 0
    4/18/13 15:39	pf: 198.228.195.205.32641 > 10.0.0.20.443: Flags [S], cksum 0xeafb (correct), seq 941142266, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579152578 ecr 0,sackOK,eol], length 0
    4/18/13 15:39	pf: 198.228.195.205.39123 > 10.0.0.20.443: Flags [S], cksum 0xa307 (correct), seq 3360643073, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579150374 ecr 0,sackOK,eol], length 0
    4/18/13 15:39	pf: 198.228.195.205.39135 > 10.0.0.20.443: Flags [S], cksum 0x713d (correct), seq 4104414706, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579148190 ecr 0,sackOK,eol], length 0
    4/18/13 15:38	pf: 198.228.195.205.54740 > 10.0.0.20.443: Flags [S], cksum 0x49ce (correct), seq 2451880837, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579145989 ecr 0,sackOK,eol], length 0
    4/18/13 15:38	pf: 198.228.195.205.49913 > 10.0.0.20.443: Flags [S], cksum 0x4650 (correct), seq 3024926756, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579143831 ecr 0,sackOK,eol], length 0
    4/18/13 15:38	pf: 198.228.195.205.36552 > 10.0.0.20.443: Flags [S], cksum 0x82e9 (correct), seq 296769758, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579142162 ecr 0,sackOK,eol], length 0
    
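The log above also shows why a pf NAT or filter rule cannot make the split the first post asks for: pf makes its rdr decision on the SYN (Flags [S], length 0), and a SYN carries no payload, so every connection to WAN:443 looks the same at layer 3/4 whether it comes from an OpenVPN client or an ActiveSync client. Anything that tells OpenVPN-over-TCP apart from HTTPS has to accept the connection first and inspect the first bytes the client sends. That is what OpenVPN's own TCP `port-share` option does (OpenVPN listens on 443 and proxies connections that are not OpenVPN to the host:port you configure), and the HTTP header idea does not work because HTTP headers are inside the TLS session; the only name visible before decryption is the SNI in the ClientHello. The Python below is an added example, not code from the poster, pfSense or OpenVPN: it parses two pf log lines copied from the post to show they are identical at layer 4, then classifies constructed first-packet bytes as a TLS ClientHello (extracting the SNI) or an OpenVPN hard-reset. The backend addresses, the constructed packet bytes and the `route` helper are assumptions for illustration.

```python
"""Why pf cannot split OpenVPN/TCP from HTTPS on one port, and what a
first-bytes demultiplexer (the approach OpenVPN's port-share takes) has
to look at. Added example; constructed inputs are labelled as such."""
import re
import struct

# Two pf log lines copied from the post above (one from each group of SYNs).
SAMPLE_PF_LINES = [
    "4/18/13 15:47\tpf: 198.228.195.205.58944 > 10.0.0.20.443: Flags [S], cksum 0xa092 (correct), "
    "seq 3348006027, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579578718 ecr 0,sackOK,eol], length 0",
    "4/18/13 15:44\tpf: 198.228.195.205.34547 > 10.0.0.20.443: Flags [S], cksum 0x2401 (correct), "
    "seq 3553437615, win 65535, options [mss 1370,nop,wscale 4,nop,nop,TS val 579393501 ecr 0,sackOK,eol], length 0",
]
PF_SYN = re.compile(r"pf: (\S+?)\.(\d+) > (\S+?)\.(\d+): Flags \[(\w+)\].*length (\d+)$")

def parse_pf_line(line):
    """Pull the layer-4 fields out of a pf/tcpdump-style log line."""
    m = PF_SYN.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags, length = m.groups()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "flags": flags.upper(), "payload_len": int(length)}

def indistinguishable_at_l4(lines):
    """True when every SYN shares destination, flags and (zero) payload: nothing for pf to match on."""
    keys = {(r["dst"], r["dport"], r["flags"], r["payload_len"])
            for r in map(parse_pf_line, lines) if r}
    return len(keys) == 1 and next(iter(keys))[3] == 0

# --- constructed first-packet bytes -------------------------------------
def build_client_hello(sni):
    """Minimal TLS 1.2 ClientHello record carrying one server_name extension (constructed)."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name type 0
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list           # extension type 0
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                     # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                     # one cipher suite
            + b"\x01\x00"                                            # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs         # record type handshake

def build_openvpn_hard_reset():
    """OpenVPN P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7, key id 0) without tls-auth,
    framed for TCP with the 2-byte big-endian length prefix (constructed)."""
    payload = bytes([7 << 3 | 0]) + b"\x22" * 8 + b"\x00" + struct.pack("!I", 0)
    return struct.pack("!H", len(payload)) + payload                 # len(payload) == 14

def classify(first_bytes):
    """Decide from the first client bytes whether this is TLS or OpenVPN/TCP."""
    if len(first_bytes) < 3:
        return "unknown"
    if first_bytes[0] == 0x16 and first_bytes[1] == 0x03:            # TLS handshake record
        return "tls"
    plen = struct.unpack("!H", first_bytes[:2])[0]
    opcode = first_bytes[2] >> 3
    if opcode == 7 and plen >= 14:                                   # HARD_RESET_CLIENT_V2
        return "openvpn"
    return "unknown"

def extract_sni(data):
    """Return the host_name from a TLS ClientHello, or None (tolerates truncation)."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        p = 4 + 2 + 32                                               # header, version, random
        p += 1 + hs[p]                                               # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]                 # cipher_suites
        p += 1 + hs[p]                                               # compression_methods
        if p + 2 > len(hs):
            return None                                              # no extensions
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:
                q = p + 2                                            # skip server_name_list length
                while q + 3 <= p + elen:
                    ntype, nlen = hs[q], struct.unpack("!H", hs[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:
                        return hs[q:q + nlen].decode("ascii", "replace")
                    q += nlen
            p += elen
    except (IndexError, struct.error):
        return None
    return None

OWA_BACKEND = ("10.0.0.20", 443)        # the Exchange server from the post
OPENVPN_BACKEND = ("127.0.0.1", 1194)   # hypothetical local OpenVPN listener

def route(first_bytes):
    """What a port-sharing front end would do with a new connection on WAN:443."""
    kind = classify(first_bytes)
    return kind, {"openvpn": OPENVPN_BACKEND, "tls": OWA_BACKEND}.get(kind)

if __name__ == "__main__":
    print("SYNs identical at L4:", indistinguishable_at_l4(SAMPLE_PF_LINES))
    hello = build_client_hello("owa.example.com")
    print(route(hello), extract_sni(hello))
    print(route(build_openvpn_hard_reset()))
```

The opcode test above is the same shape of check OpenVPN's port-share makes on the first TCP segment; the SNI parser is what an SNI-aware proxy would use if the HTTPS side itself had to fan out to more than one backend. Both only see data after the three-way handshake completes, which is exactly the point at which pf's rdr has already been applied.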
