    Postrouting SNAT between LAN (green) & OPT1 (orange)

    6 Posts 3 Posters 2.5k Views
mraxus:

      Hi,

I have recently been looking for new hardware for a fanless firewall/router and have found the awesome PC Engines apu 1d4. At the same time I started looking into some new interesting firewall distributions, and pfSense got good reviews. What is being used today is Smoothwall, which has been working fine after having to do some modifications to get our network design to work as wanted. It resulted in some bash scripting…

Now that I am testing pfSense, I am hoping not to have to script here as well. It is always much nicer when the web config can help you 100%. However, so far I have not found what I am looking for.

      My scenario looks like this:

      Some explanations might be in order:

      The firewall uses 3 interfaces: red (wan), orange (opt1), green (lan) (yes, the naming is from Smoothwall)

      The RED is the network to my ISP.

      The static ORANGE is what some seem to refer to as dmz. Here we have only server interfaces and all incoming/external traffic (http/https/ftp) is routed to this network.

      The dhcp GREEN is the safer network where all work stations are. No external traffic gets routed in here.

The server given in the drawing above is somewhat special. It has two interfaces, one which is on the orange network and handles web traffic (MS IIS) and the other which is connected to the green for managing the server from a work station. Sure, we can talk about security risks here, but not being MIT or NSA, this setup is good enough for my purposes.

      Now (finally) to the problem:

When a work station wants to access the server webpage (http://10.0.0.22:80) from within the green network (for example 192.168.0.109), the traffic will be routed through the router/firewall (passed to the gateway since that network is not listed in the green routing table) and over to the orange network. Here the IIS will pick up the request, but since it also has an interface on the green network, it will naturally pass the reply straight onto the green network with the source IP listed as 192.168.0.22, which the work station will see as a bogus packet. This results in no webpage being shown from within the green network.

      My solution for this problem was fairly simple but effective:
      Add a rule to the SmoothWall iptables that translates the source IP to 192.168.222.222  (source NAT). This will make the server send the response back to the gateway (10.0.0.1) where the destination IP (192.168.222.222) will be replaced with its correct IP 192.168.0.22. Problem solved.

      Here is my question: Can I create a rule for this in the web configurator or do I still have to create separate shell scripts that will run every time the machine is booted?

      I hope you understand my explanation. Please do tell if you have an alternative solution for this dilemma.

      Many thanks,
        Marcus

biggsy:

        Maybe I'm missing something but, by putting a LAN interface on your DMZ server, I think you have created the routing problem - and a sizable security risk.  If your DMZ server is compromised, you have provided a convenient path to your LAN.  So much for:

        @mraxus:

        The dhcp GREEN is the safer network where all work stations are. No external traffic gets routed in here.

mraxus:

Like I said, it's not the most secure setup.

          My network setup is not the question, it just illustrates the problem I want to overcome and if pfSense can do so with its configuration.

biggsy:

            I have to disagree.  I think your network setup is the question.  You obviously realize that the routing problem arises because the server in the DMZ has a direct connection to the LAN and uses it - to reply to traffic it received via its firewall-connected interface.

            Is there some special reason you have a direct LAN to DMZ connection?  If not, the solution is to not have it there, not to work around the routing problems and accept security issues it creates.

phil.davis:

If you really want to, you can add an outbound NAT rule on Orange with source 192.168.0.9. destination 10.0.0.22 and NAT that source IP to Orange-interface-address. If you are going to add extra NAT rules, then I recommend going to pfSense 2.2-RC first-up - that has Hybrid NAT mode, which lets you keep automatic NAT rules being generated automatically, and just add extra manual rules to them.
              If there are more clients in 192.168.0 that need to access more servers in 10.0.0 then widen the Outbound NAT rule accordingly, or make it for the whole of Green to Orange.

              But if you are always accessing these server/s by their 10.0.0.* address, then why have that 192.168.0.22 at all - it is an unused interface that just causes you suffering.

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

mraxus:
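The two rules discussed in this thread, side by side, as an added example that is not from any of the posters. The first is the Linux/Smoothwall form of the workaround mraxus describes (SNAT in the POSTROUTING chain, out the orange interface); the second is the pf rule that a pfSense Hybrid Outbound NAT entry on OPT1 with source "LAN net", destination 10.0.0.22 and translation "Interface address" boils down to. Interface names (eth1 on the Smoothwall box, em1 for OPT1 on pfSense), the OPT1 address 10.0.0.1 and the LAN subnet 192.168.0.0/24 are assumptions for the example; the exact text pfSense writes into /tmp/rules.debug may differ slightly from the hand-written pf rule here.

```shell
#!/bin/sh
# Added example, not code from the forum thread. Assumed addressing:
# LAN (green) 192.168.0.0/24, DMZ (orange) 10.0.0.0/24, firewall's orange
# address 10.0.0.1, DMZ web server 10.0.0.22.

LAN_NET="192.168.0.0/24"
DMZ_SERVER="10.0.0.22"

# Linux (Smoothwall) form of the workaround: source-NAT LAN clients to an
# address the server will route back via the firewall.  Using the firewall's
# own orange address is the clean choice; any address not on the server's
# green subnet would also force the reply back through the firewall.
#   $1 = outbound (orange) interface, $2 = address to translate the source to
iptables_snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -j SNAT --to-source %s\n' \
        "$1" "$LAN_NET" "$DMZ_SERVER" "$2"
}

# pf form of the same thing (what a pfSense Hybrid Outbound NAT entry on OPT1
# amounts to).  "( iface )" is pf's dynamic interface-address syntax, so the
# rule follows the OPT1 address if it changes.  1024:65535 is the source-port
# range pfSense uses for its outbound NAT rules.
#   $1 = OPT1's real interface name
pf_outbound_nat_rule() {
    printf 'nat on %s inet from %s to %s -> (%s) port 1024:65535\n' \
        "$1" "$LAN_NET" "$DMZ_SERVER" "$1"
}

# Checks to run on the pfSense box after the rule is saved: confirm the rule
# was loaded, then browse from a LAN client and confirm a state exists whose
# translated source is the OPT1 address rather than the client address.
# Only runs where pfctl exists; does nothing (and succeeds) elsewhere.
show_nat_state_on_pfsense() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -sn | grep "$DMZ_SERVER"      # loaded nat rules for the server
        pfctl -ss | grep "$DMZ_SERVER"      # active states, translated addresses shown
    fi
}

# Stand-alone run: print both rule forms.
iptables_snat_rule eth1 10.0.0.1
pf_outbound_nat_rule em1
```

Two things to keep in mind when you apply this. First, the server now sees every LAN client as 10.0.0.1, so IIS logs and any per-client access controls on the server lose the real client address; that is the price of hiding the asymmetric path rather than removing the second interface as biggsy suggests. Second, the rule must be on the OPT1 (orange) interface, not LAN, and the stateful firewall rule on LAN allowing the workstations to reach 10.0.0.22:80 is still needed; NAT alone does not pass the traffic.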

                @phil.davis:

If you really want to, you can add an outbound NAT rule on Orange with source 192.168.0.9. destination 10.0.0.22 and NAT that source IP to Orange-interface-address. If you are going to add extra NAT rules, then I recommend going to pfSense 2.2-RC first-up - that has Hybrid NAT mode, which lets you keep automatic NAT rules being generated automatically, and just add extra manual rules to them.
                If there are more clients in 192.168.0 that need to access more servers in 10.0.0 then widen the Outbound NAT rule accordingly, or make it for the whole of Green to Orange.

                But if you are always accessing these server/s by their 10.0.0.* address, then why have that 192.168.0.22 at all - it is an unused interface that just causes you suffering.

Hey phil.davis,

                Yes, I figured that one out too. It was a bit too easy to see that solution straight off :-)
And great to hear about the Hybrid NAT. That will definitely make life easier!

                Cheers!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.