New to pfSense: Question about address translation between LAN & OPT1



  • Hi!

    I'm new to pfSense so forgive me if this question is stupid or in the wrong category!

    My pfSense installation has 3 ethernet ports, WAN, LAN and OPT1.  Everything works great but I want to add a function and have just no idea how to do it with pfSense.

    The OPT1 subnet is 192.168.1.0/24 and the LAN is 172.16.1.0/24.

    I have a http server on the LAN subnet 172.16.1.200 that I want to access from the OPT1 subnet but I want it to appear as if the http server is on the OPT1 address of pfSense 192.168.1.250.

    So when 192.168.1.250:80 is accessed from the OPT1 subnet I want it translated into 172.16.1.200:80 on the LAN subnet.

    How do I do that?

    Thanks,
    Pete



  • Don't know if it works like you want but you can create pirtforwards on every interface.

    Just go to Firewall -> NAT -> PortForward and select your LAN/OPT interface and redirect the traffic you want.

    Source OPT
    Destination 192.168.0.250:80
    Redirect 172.16.1.200:80

    Make sure your pfsense GUI is on different port than 80 if 192.168.0.250:80 is your pfsense GUI.



  • Thanks, I will give that a try and see how it works!

    Does that also mean that 1:1 NAT will work between the different interfaces?

    Also didn't realize that pfSense's webserver is bound to both the LAN and OPT1 interface. Is that default behavior?

    Best Regards,
    Pete



  • Does that also mean that 1:1 NAT will work between the different interfaces?

    Yes, should do.

    Also didn't realize that pfSense's webserver is bound to both the LAN and OPT1 interface. Is that default behavior

    Yes, the webGUI is listening on all interfaces. If you add a rule to pass traffic to the IP of an interface and the webGUI port (80, 443, whatever) then you can access it there, so general pass all rules on LAN-style interfaces will allow users on those subnets to attempt to login to your pfSense. That applies to WAN also, so it is possible to allow webGUI access from WAN - normally not what you want if WAN is on the public internet, but useful for "one-armed router" configurations where you just have WAN - which is really sitting on your LAN and providing some service/s, like an OpenVPN server or…



  • @Nachtfalke:

    Don't know if it works like you want but you can create pirtforwards on every interface.

    Just go to Firewall -> NAT -> PortForward and select your LAN/OPT interface and redirect the traffic you want.

    Source OPT
    Destination 192.168.0.250:80
    Redirect 172.16.1.200:80

    OK, I've tried that now and it works almost as expected.

    Well it works as it should, but there is now a rule that exposes the redirected address 172.16.1.200:80 directly on the OPT subnet. If I remove the rule the port forwarding stops working.

    So the users on the OPT subnet can reach the 192.168.0.250:80 as expected but also 172.16.1.200:80 directly.

    How can I stop that from happening? Edit: Found solution, see below.

    Thanks,
    Pete

    Edit: I found the "Filter rule association" option when creating the Firewall: NAT: Port Forward and set it to pass.
    Now it seems to works as I want -  users on the OPT subnet can reach the 192.168.0.250:80 but the 172.16.1.200:80 is hidden from them.



  • @phil.davis:

    Also didn't realize that pfSense's webserver is bound to both the LAN and OPT1 interface. Is that default behavior

    Yes, the webGUI is listening on all interfaces. If you add a rule to pass traffic to the IP of an interface and the webGUI port (80, 443, whatever) then you can access it there, so general pass all rules on LAN-style interfaces will allow users on those subnets to attempt to login to your pfSense. That applies to WAN also, so it is possible to allow webGUI access from WAN - normally not what you want if WAN is on the public internet, but useful for "one-armed router" configurations where you just have WAN - which is really sitting on your LAN and providing some service/s, like an OpenVPN server or…

    OK thanks, I understand. So if I have any other rules that might allow port 80 on the IP address of pfsense on that interface (OPT1 in my case) then I need to block that.

    Are there any settings to change what interfaces the webGUI binds to? Or maybe configuration files I could edit without the edits getting overwritten?

    Thanks,
    Pete


  • Netgate Administrator

    You could change the port that the pfSense gui runs on and then block that.

    Steve


  • Rebel Alliance Global Moderator

    "So when 192.168.1.250:80 is accessed from the OPT1 subnet I want it translated into 172.16.1.200:80 on the LAN subnet."

    If you don't mind me asking - my curiosity urges me to know why you would want to do such a thing?



  • @johnpoz:

    "So when 192.168.1.250:80 is accessed from the OPT1 subnet I want it translated into 172.16.1.200:80 on the LAN subnet."

    If you don't mind me asking - my curiosity urges me to know why you would want to do such a thing?

    The OPT1 subnet will have wifi access and be less secure than LAN subnet. We want to expose a few services from the LAN subnet to the OPT1 subnet. To make it as easy as possible for the clients on the OPT1 subnet, everything will be accessed from the gateway IP address. That also means that the real location of the services and network structure behind is hidden. It's also a flexible approach if we want to move things around as we only have to change the port forwards in the router.


  • Rebel Alliance Global Moderator

    Hidden – its a private ip address, they are accessing it.. Its not hidden be it they use a different ip to access it or not.

    How is accessing the gateway IP simpler than say a FQDN that points to the IP of the server..  And a simple rule that allows that specific traffic?

    Would seem simpler to just change the dns record if you "move things around" ??

    Good luck - seems like more work for no reason when you could just give them a simple fqdn to use like www.local.lan



  • I would go the way with DNS, too.

    There is no difference if you have to add a firewall rule from OPT to LAN for one specific port (80) or if you add a port forward and this port forward creates a firewall rule. It is the same.

    I did something similar for my clients using WSUS. I added the WSUS to the clients with FQDN "MY.WSUS.DE" and added a "Host override" in the DNS Forwarder of pfsense. My clients are on different networks with different IP addreses and they are often changing. So I added the same Host Override on both locations but depending on the location the FQDN resolves to a different IP.

    So if you change the IP of your server in future you just need to change the DNS part.

    Further with NAT you do not see which IP specific client accessed your server. You will always see the NAT IP. So if you need to find out which client did some "bad" things or has connection problems you can get the client IP in your servers logs.



  • @johnpoz:

    Hidden – its a private ip address, they are accessing it.. Its not hidden be it they use a different ip to access it or not.

    How is accessing the gateway IP simpler than say a FQDN that points to the IP of the server..  And a simple rule that allows that specific traffic?

    Would seem simpler to just change the dns record if you "move things around" ??

    Good luck - seems like more work for no reason when you could just give them a simple fqdn to use like www.local.lan

    I appreciate your suggestions and understand what you are saying and your approach would work too. I think it's about the same amount of work. Either you have to make up dns entries for each server and a rule or you make a port forward for each server.

    This is actually my first time using pfsense and I like it a lot. I know I can do the same with straight freebsd but I don't have the time to set everything up and learn how to configure it correctly. My earlier experiences has been with cisco's asa 5510 and 5505 devices but I prefer open source whenever possible. So I though I should give it a shot. If I can get about the same functionally, stability and performance out of pfsense as a basic asa 5510 box then I'm happy.

    Thanks,
    Pete


  • Rebel Alliance Global Moderator

    "I think it's about the same amount of work"

    But your making something more complicated redirection and NAT for no reason.  You have 2 rules where there needs to be only 1

    KISS - you don't know this principle?  Keep it Simple Stupid! ;)



  • @johnpoz:

    "I think it's about the same amount of work"

    But your making something more complicated redirection and NAT for no reason.  You have 2 rules where there needs to be only 1

    KISS - you don't know this principle?  Keep it Simple Stupid! ;)

    Not really true - one port forward, no rule (Filter rule association=Pass).  ;D

    But anyway, this is the setup we want and we have considered the other options as well.  ;)

    Best,
    Pete


  • Rebel Alliance Global Moderator

    Yeah it is true, it creates the rule for you - doesn't mean there is not two rules ;)

    Do with it what you will, combinations of possibilities are almost endless..  But I can tell you, you get some other engineer that finds this - and he is going to go WTF were they smokin??  ;)