Why is pfSense responding to ssh, ping and all other traffic? - SOLVED
pfSense Setup for interfaces:
WAN (MAC 00:00:00:00:00:AA) - VLAN50 = 192.168.50.0/24 (In the real setup this is actually a public /24 address)
InternalNet1 (MAC 00:00:00:00:00:BB) - VLAN60 = 10.10.60.0/24
InternalNet2 (MAC 00:00:00:00:00:CC) - VLAN70 = 10.10.70.0/24
- NOTE: I am just using these MAC addresses to keep this simple and easy to follow. These are not the real MAC addresses.
pfSense setup for NAT
192.168.50.10 -> 10.10.60.10
192.168.50.20 -> 10.10.70.20
pfSense setup for Firewall Rules
WAN = Fully opened into both InternalNet1 and InternalNet2 with all protocols (NO RESTRICTIONS)
InternalNet1 = Fully opened for all protocols - (NO RESTRICTIONS)
InternalNet2 = Fully opened for all protocols - (NO RESTRICTIONS)
The test (Both 10.10.60.10 and 10.10.70.20 are running a fresh install of CentOS 6.4 with iptables disabled.)
1. On 10.10.70.20 I run tcpdump to monitor network communications
2. On 10.10.60.10 I run:
# ping 10.10.70.20 - This works on both servers, meaning I see replies on 10.10.60.10 and I see the ICMP packets being received and sent on 10.10.70.20 - GREAT SO FAR
3. On 10.10.60.10 I run:
# ping 192.168.50.10 - This DOES NOT WORK FULLY, meaning I see the replies on 10.10.60.10, but I DO NOT see any traffic in the tcpdump running on 10.10.70.20.
NOTE: when I capture the packets on the pfSense FW and show details, I see that when I run step 3 above the MAC addresses that are communicating are the MAC address for 10.10.60.10 and InternalNet2 (00:00:00:00:00:CC).
Why is pfSense not passing traffic through to 10.10.70.20 and instead answering these requests? This is ALSO true when I attempt to ssh from 10.10.60.10 to 10.10.70.20: I get the login prompt for pfSense and not the actual server.
I know this is long and complex, but this is driving me crazy.
Thank you big time to all who take the time to understand and reply.
Solved - Here is what I did and it was so simple.
For the two servers, 10.10.60.10 and 10.10.70.20, I enabled NAT reflection for the 1:1 NAT. After that, I was able to ping, ssh and everything else just fine using the public IP address.
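To show what the fix changes underneath the GUI, here is a hand-written pf ruleset for the thread's three-interface setup; it is an added illustration, not pfSense's generated configuration, and the interface names em0/em1/em2 and the source-rewrite (nat) rules are assumptions. The binat lines alone reproduce the original symptom; the rdr lines are what "NAT reflection" for the 1:1 mappings adds.

```pf
# Assumed interface names: em0 = WAN, em1 = InternalNet1, em2 = InternalNet2
ext_if   = "em0"
int1_if  = "em1"
int2_if  = "em2"
int_nets = "{ 10.10.60.0/24, 10.10.70.0/24 }"

# 1:1 NAT as in the original post. binat only matches traffic crossing
# the WAN interface. A packet that ENTERS on em1 aimed at 192.168.50.20
# never matches here, so pf hands it to the firewall's own stack (the
# public address is a VIP on the firewall) and pfSense itself answers
# ping and ssh. That is the "login prompt for pfSense" symptom.
binat on $ext_if from 10.10.60.10 to any -> 192.168.50.10
binat on $ext_if from 10.10.70.20 to any -> 192.168.50.20

# NAT reflection for the 1:1 mappings: on the INTERNAL interfaces,
# rewrite the destination of packets sent to a public address so they
# are forwarded to the mapped internal host instead of the firewall.
rdr on { $int1_if $int2_if } from $int_nets to 192.168.50.10 -> 10.10.60.10
rdr on { $int1_if $int2_if } from $int_nets to 192.168.50.20 -> 10.10.70.20

# Assumed: source rewrite for the same-subnet case. When client and
# target sit on one segment, the target would otherwise reply to the
# client directly, bypassing the firewall state created by the rdr.
nat on $int1_if from 10.10.60.0/24 to 10.10.60.10 -> ($int1_if)
nat on $int2_if from 10.10.70.0/24 to 10.10.70.20 -> ($int2_if)
```

A quick check after enabling reflection is the same tcpdump used in the thread: a ping from 10.10.60.10 to 192.168.50.20 should now appear on 10.10.70.20 with the client's (or, for the nat case, the firewall's) address as source.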