Outbound IP Differs from Inbound



  • I apologize if this is not a firewall issue, but I felt it best to ask just in case, as I am pulling my hair out.

    We have a multi-WAN setup with 4 adapters and 4 blocks of IPs from our ISP; we are a hosting company. We assign each client a static IP for their websites. This is all working great inbound. I have a virtual IP mapping outside to 172.x.x.x. I also have 1:1 mappings set for each IP combination. I then have outbound LAN rules making sure the 172.?.x.x goes out the right gateway. This all seems fine and working... whether it is the right way, well... no expert on this, sadly.

    Anyway, here is the situation I am hitting. The client accesses their website via their public IP. The site then calls PHP LDAP functions to authenticate them back to their network's AD servers. They add a rule to restrict by their static IP and this doesn't work. The IP that their firewall is seeing is the first interface IP, which is bound to the server adapter's main IP.

    I am unsure what I am doing wrong, or if this is a PHP issue where it binds to the default IP on the server.

    Any help with this is much appreciated!



  • I did some extensive research and this does not appear to be anything firewall related. It looks like PHP modules like ldap, curl and socket do not specify which adapter IP to use; they just use what they are given by the OS. cURL and Socket have the ability to specify an interface or IP, but LDAP does not seem to provide this.

    I know this isn't an issue with pfSense, but is there a way pfSense can help? Is there some way to see that an outbound LDAP connection to port 389 or 636 is destined for IP xxx.xxx.xxx.xxx or URL a.c.com, and then change the public IP it leaves on?

    The reason for this is purely security. If you have 10 clients on a server using LDAP, then they want to know that the IP they are allowing through the firewall is only coming from their website and the IP assigned to them. If all requests happen from the main server IP, then in theory, if one other client site got compromised, the attacker could issue LDAP queries to all clients' AD servers.

    I know this seems a bit anal, but better safe than sorry. :)
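    The behaviour described in this post (a library that does not bind a source address gets whatever the OS routing table picks, while one that binds first leaves on the chosen address) can be observed directly. The following is an added Python example, not code from the thread: it runs on loopback, with 127.0.0.1 standing in for the server's main IP and 127.0.0.2 standing in for a client's 172.x alias, and assumes Linux, where the whole 127.0.0.0/8 block is usable without configuring extra aliases. The unbound case models PHP's ldap_connect(); the bound case models socket_bind() or curl's CURLOPT_INTERFACE.

```python
import socket


def source_seen_by_peer(bind_ip=None, dest_ip="127.0.0.1"):
    """Connect to a throw-away listener on dest_ip and return the source
    address that listener observed for the connection.

    bind_ip=None leaves source selection to the OS routing table, which is
    all a library without a bind option (PHP's ldap module) ever gets.
    With bind_ip set, the socket is bound first, the equivalent of PHP's
    socket_bind() or curl's CURLOPT_INTERFACE, so that address is the source.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind((dest_ip, 0))          # ephemeral port stands in for 389/636
        srv.listen(1)
        if bind_ip is not None:
            cli.bind((bind_ip, 0))      # port 0: only the source IP matters
        cli.connect(srv.getsockname())
        conn, peer = srv.accept()       # handshake already completed in-kernel
        conn.close()
        return peer[0]
    finally:
        cli.close()
        srv.close()


def compare_default_vs_bound(alias_ip="127.0.0.2"):
    """Run both variants. 127.0.0.1 plays the server's main IP, alias_ip
    (assumption: 127.0.0.2, usable on Linux loopback) plays a client's
    per-site alias. Returns the source the peer saw in each case."""
    return {
        "default": source_seen_by_peer(bind_ip=None),
        "bound": source_seen_by_peer(bind_ip=alias_ip),
    }


if __name__ == "__main__":
    for how, seen in compare_default_vs_bound().items():
        print(f"{how:8s} -> peer saw source {seen}")
```

    The same split applies on the hosting server: anything a PHP site sends through a library with no bind option arrives at the firewall with the main address, regardless of which client's site initiated it, so any per-client distinction has to be made downstream of the server.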



  • Did you try adding a rule on the outbound NAT page?
    Try (Manual Outbound NAT) adding a rule on the interface in question with the source being the internal IP/32 and the NAT address being the public IP they are using. Move that rule before the other rules.
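    pfSense evaluates outbound NAT rules top to bottom and applies the first match, which is why the reply says to move the per-client rule above the others. The following is an added Python model of that evaluation, not pfSense code or anything posted in the thread; the interface name, the 172.16.0.0/24 internal range, the 203.0.113.x public addresses and the 198.51.100.5 AD server are constructed for the walk-through. It also covers the case raised in the second post: LDAP leaving from the server's main address, where a source-only rule cannot tell clients apart and the rule has to match on the destination (the client's AD server) as well.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str     # pfSense interface the rule is attached to
    source: str        # source network in CIDR ("/32" for a single host)
    destination: str   # destination network, "0.0.0.0/0" for any
    nat_address: str   # public address the source is translated to


def translated_source(rules, interface, src_ip, dst_ip):
    """First-match evaluation, as pfSense/pf does for outbound NAT: the first
    rule whose interface, source and destination all match decides the
    translation. Returns None when nothing matches (no translation)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if (rule.interface == interface
                and src in ip_network(rule.source)
                and dst in ip_network(rule.destination)):
            return rule.nat_address
    return None


# Constructed addresses for the walk-through (documentation ranges, not real).
SERVER_MAIN   = "172.16.0.2"     # web server's primary address
CLIENT_ALIAS  = "172.16.0.10"    # client A's 1:1-mapped internal address
SHARED_PUBLIC = "203.0.113.1"    # WAN interface address used by the catch-all
CLIENT_PUBLIC = "203.0.113.10"   # public IP assigned to client A
CLIENT_AD     = "198.51.100.5"   # client A's AD/LDAP server

CATCH_ALL = OutboundNatRule("wan1", "172.16.0.0/24", "0.0.0.0/0", SHARED_PUBLIC)
CLIENT_BY_SOURCE = OutboundNatRule("wan1", CLIENT_ALIAS + "/32", "0.0.0.0/0", CLIENT_PUBLIC)
CLIENT_BY_DEST = OutboundNatRule("wan1", SERVER_MAIN + "/32", CLIENT_AD + "/32", CLIENT_PUBLIC)


def rule_below_catch_all():
    """Per-client rule placed after the catch-all: it is never reached."""
    return translated_source([CATCH_ALL, CLIENT_BY_SOURCE], "wan1", CLIENT_ALIAS, CLIENT_AD)


def rule_above_catch_all():
    """Same rule moved to the top, as the reply suggests."""
    return translated_source([CLIENT_BY_SOURCE, CATCH_ALL], "wan1", CLIENT_ALIAS, CLIENT_AD)


def ldap_from_server_main():
    """The symptom in the thread: the LDAP socket carries the server's main
    address, so a rule keyed only on the client's alias never matches."""
    return translated_source([CLIENT_BY_SOURCE, CATCH_ALL], "wan1", SERVER_MAIN, CLIENT_AD)


def ldap_keyed_on_destination():
    """Matching on the destination (client A's AD server) as well picks the
    client's public IP even though the source is the shared main address."""
    rules = [CLIENT_BY_DEST, CLIENT_BY_SOURCE, CATCH_ALL]
    return translated_source(rules, "wan1", SERVER_MAIN, CLIENT_AD)


if __name__ == "__main__":
    print("client rule below catch-all :", rule_below_catch_all())
    print("client rule above catch-all :", rule_above_catch_all())
    print("LDAP from server main, src-only rule:", ldap_from_server_main())
    print("LDAP from server main, dest-keyed rule:", ldap_keyed_on_destination())
```

    One caveat follows from the model: a destination-keyed rule translates every packet from the server's main address to that AD server, whichever site on the server sent it. The client's allow-list then proves "from that hosting server", not "from that client's site", so the compromised-neighbour concern in the second post is only fully addressed when each site's connections leave from their own source address (which PHP's ldap module cannot set) or each client runs on a separate host.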