1:1 NAT - pfSense outer to pfSense Inner, where Inner needs Virtual IP Alias???
I have three questions which are hopefully pretty basic to those who know what they're doing with chained NAT between different pfSense boxes.

1) Does pfSense_Inner actually need its WAN to be Static IPv4, or can I set that back to DHCP and let pfSense_Outer control it with a static DHCP mapping?

2) Why did setting a Virtual IP Alias on only pfSense_Inner matter?
2a) Why was the pfSense_Inner firewall log showing no traffic at all related to WebIP_Net_Internal_A before this?

3) System, Advanced, Firewall/NAT, Network Address Translation: given that I'll be running web servers, mail servers, SFTP servers, etc. behind pfSense_Inner on various OPT interfaces (but all going out the WAN interface and then out pfSense_Outer's WAN interface), do any of these settings need to be checked on either or both pfSense boxes?

ETA: 4) Why, in the working configuration, do machines on pfSense_Inner's LAN network get a pfSense admin interface login screen when they go to WebIP_Net_Internal_A? I know external entities get the actual site, but it's very confusing.
Note that ALL networks are /24 (Class C), including the external IP block.
Net_External (WAN static, provisioned by my provider, /24 network)
pfSense_Outer
Net_Internal_A (OPT12, a tagged VLAN to a switch, /24 network)
Net_Internal_A (WAN static, untagged, with the switch defaulting to the correct VLAN for that port; the same /24 network)
pfSense_Inner
Net_Internal_B (OPT1, leading to a separate VMware ESXi vSwitch, /24 network)
Web server with a static DHCP mapping on Net_Internal_B (a truly static mapping didn't change anything).

On pfSense_Outer, I have a 1:1 NAT set, external IP of WebIP_Net_External, internal IP of WebIP_Net_Internal_A, and Destination IP of "any", NAT reflection "use system default". System, Advanced, Firewall/NAT, Network Address Translation: everything is Disabled/Unchecked/blank.
On pfSense_Inner, I have a 1:1 NAT set, external IP of WebIP_Net_Internal_A, internal IP of WebIP_Net_Internal_B, and Destination IP of "any", NAT reflection "use system default". System, Advanced, Firewall/NAT, Network Address Translation: everything is Disabled/Unchecked/blank.
On pfSense_Outer, I have a WAN firewall rule to allow IPv4, TCP, HTTPS from ANY to WebIP_Net_Internal_A.
On pfSense_Inner, I have a WAN firewall rule to allow IPv4, TCP, HTTPS from ANY to WebIP_Net_Internal_B.
I turned logging on for everything, reject and block and allow.
At this point, pfSense_Outer firewall logs saw traffic from the outside world being ALLOWed to WebIP_Net_Internal_A. However, pfSense_Inner firewall logs showed nothing at all, despite an IPv4 log-and-block-everything (* * * * * none blank) rule as the last rule.
Then on pfSense_Inner, I set up a Virtual IP Address, IP Alias, WAN interface, IP Address of WebIP_Net_Internal_A, and it started working.
I have vague recollections of showing the actual pfSense_Outer web admin interface when I set a virtual IP alias on pfSense_Outer; treat this as unconfirmed, as I may have tried that before moving to only testing from outside my network.
pfSense_Outer runs SNORT 2.9.6.0 pkg v3.0.6 on the WAN interface, and Squid 2.7.9 pkg v4.3.3 in transparent proxy mode on everything except WAN and Loopback.
pfSense_Outer is a physical box
2.1.2-RELEASE (amd64)
built on Thu Apr 10 05:42:13 EDT 2014
FreeBSD 8.3-RELEASE-p15

pfSense_Inner is a VMware ESXi guest
2.1.2-RELEASE (amd64)
built on Thu Apr 10 05:42:18 EDT 2014
FreeBSD 8.3-RELEASE-p15
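The two-stage 1:1 NAT described in the post, written out as hand-written pf rule fragments (one per box). This is an added illustration, not the poster's configuration and not the ruleset pfSense generates. The addresses are constructed placeholders from RFC 5737 and RFC 1918 ranges standing in for Net_External, Net_Internal_A and Net_Internal_B, and the interface names em0/em1 are assumptions. The point it makes about question 2/2a: pf's binat only rewrites packets that actually arrive at the box, and a host only answers ARP for addresses configured on its interfaces, so until WebIP_Net_Internal_A is an alias on pfSense_Inner's WAN there is no owner for that address on Net_Internal_A, pfSense_Outer cannot deliver the translated packet, and nothing reaches pfSense_Inner's filter to be logged.

```pf
# Constructed placeholder addressing (not the poster's real addresses):
#   Net_External    203.0.113.0/24   WebIP_Net_External    203.0.113.80
#   Net_Internal_A  10.0.1.0/24      WebIP_Net_Internal_A  10.0.1.80
#   Net_Internal_B  10.0.2.0/24      WebIP_Net_Internal_B  10.0.2.80
# Interface names are assumptions: em0 = WAN, em1 = inside-facing interface.

# ---------- pfSense_Outer: em0 on Net_External, em1 (OPT12) on Net_Internal_A
web_ext   = "203.0.113.80"
web_int_a = "10.0.1.80"

# Default deny, logged. Hand-written pf is last-match-wins, so the catch-all goes
# first and the pass rules below carry "quick" (pfSense adds quick to its own rules,
# which is why the GUI's log-and-block-everything rule can sit last instead).
block log all

# 1:1 NAT (pf "binat"): inbound dst web_ext -> web_int_a, outbound src web_int_a -> web_ext
binat on em0 from $web_int_a to any -> $web_ext

# WAN filter rules are evaluated after translation, so the rule matches the
# internal address, exactly like the post's "ANY to WebIP_Net_Internal_A" rule.
pass in log quick on em0 inet proto tcp from any to $web_int_a port 443 keep state

# ---------- pfSense_Inner: em0 on Net_Internal_A, em1 (OPT1) on Net_Internal_B
web_int_b = "10.0.2.80"

block log all

# The "Virtual IP / IP Alias" on WAN is the step that made it work; outside the
# GUI it is the equivalent of:
#   ifconfig em0 inet 10.0.1.80 netmask 255.255.255.255 alias
# Without it the box never answers ARP for 10.0.1.80, so pfSense_Outer has nowhere
# to send the packet and pf on this box sees (and logs) nothing.
binat on em0 from $web_int_b to any -> $web_int_a

# Again post-translation: match the Net_Internal_B address, as the post's rule does.
pass in log quick on em0 inet proto tcp from any to $web_int_b port 443 keep state
```

To check the ownership side from the inner box's shell, `ifconfig em0` should list the alias address, and `pfctl -s nat` should show the binat line; if the alias is missing, the Outer box's ARP table will hold no entry for the address and the Inner firewall log will stay empty regardless of how the rules are written.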