1:1 NAT? VIP? Trying to create what I believe is a transparent bridge
-
I am a relative network and firewall n00b; although I have spent extensive time managing such infrastructure, I was never formally trained.
I plan to set up at a cloud hosting provider that provides public VPS. I would like one server to be a pfSense box. I have it configured with a LAN/WAN bridge; LAN has no IP and WAN has the first public IP (let's call this 10.1.5.5 for demonstration). What I would like is for the rest of the "internal" network (10.1.5.6-22) to pass through the WAN/LAN bridge (of course filtering rules will then be added).
I have tried NAT and VIPs and various other items I have found online, including the very nice transparent bridge PDF I have seen floating around. The issue I have, at least I think, is that I am not using a real "network", just a handful of IPs. I think I am also using pfSense in a somewhat non-traditional method. We host websites and other public items, so there is no LAN/DMZ difference to us. This is at a datacenter and everything on the "LAN" side is public one way or another. We just want to allow the various ports that need to pass and deny the rest. Public IPs are easier to manage for us since everything has one; there is no real reason to use any sort of private addressing.
Based on my setup I have my LAN systems using the pfSense WAN IP as the gateway. I believe that is how the routing needs to work in my setup. Traffic goes out from the LAN just fine, so browsing the web from a LAN-side computer is fine. However, traffic in is getting blocked on the return. I think this might be a NAT reflection or some sort of routing issue that is causing the traffic to return on a different route. The logs show the traffic returning from the LAN-side client to the WAN client is being blocked via a default rule (@3), and I am getting TCP:SA or TCP:SAE as the reason.
I feel like this solution should be somewhat straightforward, but without a full understanding of networking I am at a loss as to what to try now.
I have turned filtering on and off for the bridge… I have put allow-all rules on all 3 interfaces, etc. It should be wide open as far as I can see, and the firewall log seems to indicate it is a default rule. I tried 1:1 NAT for the remainder of the addresses (.6-.22) to see if that might solve the issue. Tried similarly with VIPs and with Outbound NAT.
At one point my LAN clients were identifying to the outside as having the pfSense WAN IP. I believe one of the above items solved that, but I am still unable to get a response from the WAN side back out.
Any help?
-
Not sure if I can bump here, but it seems appropriate. I have read many prior discussions about 1:1 NAT, Outbound NAT, reflection, VIPs, etc. Round and round I have gone, but I still can't figure out the scenario I am looking for, which seems a basic implementation.