1:1 NAT - pfSense outer to pfSense Inner, where Inner needs Virtual IP Alias???



  • I have three questions which are hopefully pretty basic to those who know what they're doing with chained NAT between different pfSense boxes.

    1. Does pfSense_Inner actually need for WAN to be Static IPv4, or can I set that back to DHCP and let pfSense_Outer control it with a static DHCP mapping?

    2. Why did setting a Virtual IP Alias on only pfSense_Inner matter?
        2a) Why was pfSense_Inner firewall log showing no traffic at all related to WebIP_Net_Internal_A before this?

    3. System, Advanced, Firewall/NAT, Network Address Translation: given that I'll be running web servers, mail servers, SFTP servers, etc. behind pfSense_Inner on various OPT interfaces (but all going out the WAN interface and then out pfSense_Outer's WAN interface), do any of these settings need to be checked on either or both pfSense boxes?

    ETA: 4) Why, in the working configuration, do machines on pfSense_Inner's LAN network get a pfSense admin interface login screen when they go to WebIP_Net_Internal_A?  I know external entities get the actual site, but it's very confusing.

    Note that ALL networks are /24 (Class C), including the external IP block.

    Net_External (WAN static, provisioned by my provider, /24 network)
    pfSense_Outer
        Net_Internal_A (OPT12, a tagged VLAN to a switch, /24 network)

    Net_Internal_A (WAN static, untagged with the switch defaulting to the correct VLAN for that port, the same /24 network)
    pfSense_Inner
      Net_Internal_B (OPT1, leading to a separate VMware ESXi vSwitch, /24 network)
      Web server with a static DHCP mapping on Net_Internal_B (a truly static mapping didn't change anything).

    On pfSense_Outer, I have a 1:1 NAT set, external IP of WebIP_Net_External, internal IP of WebIP_Net_Internal_A, and Destination IP of "any", NAT reflection "use system default".  System, Advanced, Firewall/NAT, Network Address Translation: everything is Disabled/Unchecked/blank.

    On pfSense_Inner, I have a 1:1 NAT set, external IP of WebIP_Net_Internal_A, internal IP of WebIP_Net_Internal_B, and Destination IP of "any", NAT reflection "use system default".  System, Advanced, Firewall/NAT, Network Address Translation: everything is Disabled/Unchecked/blank.

    On pfSense_Outer, I have a WAN firewall rule to allow IPv4, TCP, HTTPS from ANY to WebIP_Net_Internal_A.

    On pfSense_Inner, I have a WAN firewall rule to allow IPv4, TCP, HTTPS from ANY to WebIP_Net_Internal_B.

    I turned logging on for everything, reject and block and allow.


    1. At this point, pfSense_Outer firewall logs saw traffic from the outside world being ALLOWed to WebIP_Net_Internal_A.  However, pfSense_Inner firewall logs show nothing at all, despite an IPv4 log and block everything (* * * * * none blank) rule as the last rule.

    Then on pfSense_Inner, I set up a Virtual IP Address, IP Alias, WAN interface, IP Address of WebIP_Net_Internal_A, and it started working.

    I have vague recollections of showing the actual pfSense_Outer web admin interface when I set a virtual IP alias on pfSense_Outer; treat this as unconfirmed, as I may have tried that before moving to only testing from outside my network.

    pfSense_Outer runs SNORT 2.9.6.0 pkg v3.0.6 on the WAN interface, and Squid 2.7.9 pkg v.4.3.3 in transparent proxy mode on everything except WAN and Loopback.

    pfSense_Outer is a physical box
    2.1.2-RELEASE (amd64)
    built on Thu Apr 10 05:42:13 EDT 2014
    FreeBSD 8.3-RELEASE-p15

    pfSense_Inner is a VMware ESXi guest
    2.1.2-RELEASE (amd64)
    built on Thu Apr 10 05:42:18 EDT 2014
    FreeBSD 8.3-RELEASE-p15
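The following is an added example by the editor, not code from the original post or from pfSense. It is a small model of the two-hop 1:1 NAT path the post describes, built to show what the IP Alias VIP changes (question 2/2a) and why a LAN host behind pfSense_Inner lands on the firewall itself instead of the web server (question 4). The model encodes three pfSense behaviours: a box only answers ARP for addresses configured on an interface (its static IP plus any IP Alias VIPs), 1:1 NAT is applied to traffic arriving on the interface it is bound to (WAN here) before the WAN rules are evaluated, and a packet from an inside interface to an address the firewall owns is delivered locally unless NAT reflection rewrites it. All addresses are constructed placeholders for the post's WebIP_* names; the hypothetical `build()`, `trace_inbound()` and `Firewall` names are this example's own.

```python
"""Toy model of the chained 1:1 NAT path (pfSense_Outer -> pfSense_Inner -> web server).

Added example, not pfSense code. Addresses below are constructed stand-ins for the
post's placeholders (WebIP_Net_External / _Internal_A / _Internal_B).
"""
from dataclasses import dataclass, field

# Constructed sample addresses (assumption; the post uses symbolic names only).
WEBIP_NET_EXTERNAL = "203.0.113.80"
WEBIP_NET_INTERNAL_A = "10.10.1.80"
WEBIP_NET_INTERNAL_B = "10.10.2.80"
OUTER_WAN_ADDR = "203.0.113.2"   # pfSense_Outer WAN static IP (assumed)
INNER_WAN_ADDR = "10.10.1.2"     # pfSense_Inner WAN static IP on Net_Internal_A (assumed)


@dataclass
class Firewall:
    name: str
    wan_addrs: set            # addresses this box owns on its WAN segment: static IP + IP Alias VIPs
    binat: dict               # 1:1 NAT table, external IP -> internal IP, bound to WAN
    wan_allow: set            # post-NAT destination IPs permitted by the WAN rules
    nat_reflection: bool = False
    log: list = field(default_factory=list)

    def on_wan(self, src, dst):
        """Packet arrived on WAN: apply 1:1 NAT, then filter. Returns forwarded (src, dst) or None."""
        internal = self.binat.get(dst, dst)
        if internal in self.wan_allow:
            self.log.append(f"{self.name} WAN pass {src} -> {dst} (to {internal})")
            return src, internal
        self.log.append(f"{self.name} WAN block {src} -> {dst}")
        return None

    def from_lan(self, src, dst):
        """Packet from an inside interface. WAN-bound 1:1 NAT does not apply unless reflection is on."""
        if dst in self.wan_addrs:
            if self.nat_reflection and dst in self.binat:
                return "reflected", (src, self.binat[dst])
            return "local", None   # handled by the firewall itself, e.g. its web GUI
        return "routed", (src, dst)


def arp_resolve(segment_hosts, ip):
    """Return the host on the L2 segment that owns ip, or None if nobody answers ARP."""
    for host in segment_hosts:
        if ip in host.wan_addrs:
            return host
    return None


def trace_inbound(outer, inner, client_ip):
    """Follow an outside client's HTTPS SYN through both boxes; returns a list of hop results."""
    hops = []
    fwd = outer.on_wan(client_ip, WEBIP_NET_EXTERNAL)
    hops.append(("outer", fwd))
    if fwd is None:
        return hops
    # pfSense_Outer now has to ARP for the translated address on Net_Internal_A.
    nexthop = arp_resolve([inner], fwd[1])
    if nexthop is None:
        hops.append(("arp", None))   # unanswered ARP: the frame never reaches pfSense_Inner
        return hops
    hops.append(("inner", nexthop.on_wan(*fwd)))
    return hops


def build(with_vip, reflection=False):
    """Construct both boxes as the post configures them; with_vip adds the IP Alias on Inner's WAN."""
    outer = Firewall("pfSense_Outer", {OUTER_WAN_ADDR, WEBIP_NET_EXTERNAL},
                     {WEBIP_NET_EXTERNAL: WEBIP_NET_INTERNAL_A}, {WEBIP_NET_INTERNAL_A})
    inner_addrs = {INNER_WAN_ADDR} | ({WEBIP_NET_INTERNAL_A} if with_vip else set())
    inner = Firewall("pfSense_Inner", inner_addrs,
                     {WEBIP_NET_INTERNAL_A: WEBIP_NET_INTERNAL_B}, {WEBIP_NET_INTERNAL_B}, reflection)
    return outer, inner


if __name__ == "__main__":
    for vip in (False, True):
        outer, inner = build(with_vip=vip)
        print(f"VIP on Inner: {vip}", trace_inbound(outer, inner, "198.51.100.7"))
        print("  Inner log:", inner.log)
    outer, inner = build(with_vip=True)
    print("LAN host -> WebIP_Net_Internal_A:", inner.from_lan("10.10.2.50", WEBIP_NET_INTERNAL_A))
```

Running it reproduces the post's observations: without the VIP, pfSense_Outer passes and translates the packet but nobody on Net_Internal_A owns WebIP_Net_Internal_A, so the ARP goes unanswered and pfSense_Inner's log stays empty; with the VIP the packet is accepted, translated to WebIP_Net_Internal_B and passed. For a host on Net_Internal_B, WebIP_Net_Internal_A is one of pfSense_Inner's own addresses and the WAN-bound 1:1 rule never fires, so the connection terminates on the firewall (its web GUI); the model's `nat_reflection` flag stands in for enabling NAT reflection for 1:1 NAT under System, Advanced, Firewall/NAT, which is what the "use system default" setting on the NAT entry defers to. The model says nothing about the return path or about outbound NAT, which a real reflected connection also depends on.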