Postrouting SNAT between LAN (green) & OPT1 (orange)



  • Hi,

    I have recently been looking for new hardware for a fanless firewall/router and have found the awesome PC Engines apu 1d4. At the same time I started looking into some new interesting firewall dist and pfsense got good reviews. What is being used today is Smoothwall, which has been working fine after having to do some modifications for getting our network design to work as wanted. It resulted in some bash scripting…

    Now when I am testing pfsense I am hoping for not having to script here as well. Always much nicer when the webconfig can help you to 100%. However, so far I have not found what I am looking for.

    My scenario looks like this:

    Some explanations might be in order:

    The firewall uses 3 interfaces: red (wan), orange (opt1), green (lan) (yes, the naming is from Smoothwall)

    The RED is the network to my ISP.

    The static ORANGE is what some seem to refer to as dmz. Here we have only server interfaces and all incoming/external traffic (http/https/ftp) is routed to this network.

    The dhcp GREEN is the safer network where all work stations are. No external traffic gets routed in here.

    The server given in the drawing above is somewhat special. It has two interfaces, one that is on the orange network and handles web traffic (MS IIS) and the other that is connected to the green for managing the server from a work station. Sure, we can talk about security risks here but for not being MIT or NSA, this setup is good enough for my purposes.

    Now (finally) to the problem:

    When a work station wants to access the server webpage (http://10.0.0.22:80) from within the green network (for example 192.168.0.109), the traffic will be routed through the router/firewall (passed to gateway since that network is not listed in the green routing table) and over to the orange network. Here the IIS will pick up the request but since it also has an interface on the green network, it will naturally pass the message straight on the green network with the source ip listed as 192.168.0.22, which the work station will see as a bogus packet. This results in no webpage being shown from within the green network.

    My solution for this problem was fairly simple but effective:
    Add a rule to the SmoothWall iptables that translates the source IP to 192.168.222.222 (source NAT). This will make the server send the response back to the gateway (10.0.0.1) where the destination IP (192.168.222.222) will be replaced with its correct IP 192.168.0.22. Problem solved.

    Here is my question: Can I create a rule for this in the web configurator or do I still have to create separate shell scripts that will run every time the machine is booted?

    I hope you understand my explanation. Please do tell if you have an alternative solution for this dilemma.

    Many thanks,
      Marcus



  • Maybe I'm missing something but, by putting a LAN interface on your DMZ server, I think you have created the routing problem - and a sizable security risk.  If your DMZ server is compromised, you have provided a convenient path to your LAN.  So much for:

    @mraxus:

    The dhcp GREEN is the safer network where all work stations are. No external traffic gets routed in here.



  • Like I said, it's not the most secure setup.

    My network setup is not the question, it just illustrates the problem I want to overcome and if pfSense can do so with its configuration.



  • I have to disagree.  I think your network setup is the question.  You obviously realize that the routing problem arises because the server in the DMZ has a direct connection to the LAN and uses it - to reply to traffic it received via its firewall-connected interface.

    Is there some special reason you have a direct LAN to DMZ connection?  If not, the solution is to not have it there, not to work around the routing problems and accept security issues it creates.



  • If you really want to, you can add an outbound NAT rule on Orange with source 192.168.0.9, destination 10.0.0.22 and NAT that source IP to Orange-interface-address. If you are going to add extra NAT rules, then I recommend going to pfSense 2.2-RC first-up - that has Hybrid NAT mode, which lets you keep automatic NAT rules being generated automatically, and just add extra manual rules to them.
    If there are more clients in 192.168.0 that need to access more servers in 10.0.0 then widen the Outbound NAT rule accordingly, or make it for the whole of Green to Orange.

    But if you are always accessing these server/s by their 10.0.0.* address, then why have that 192.168.0.22 at all - it is an unused interface that just causes you suffering.
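
The routing behaviour discussed in this thread, as an added example that is not part of any post: it traces one request from the workstation to the dual-homed server and shows which interface the reply leaves on, with no outbound NAT and with a Green-to-Orange outbound NAT rule translating to the Orange interface address. The /24 prefix lengths and all function names are assumptions; the addresses are the ones given in the thread.

```python
import ipaddress as ip

# Addresses from the thread; the /24 prefix lengths are assumed.
CLIENT = ip.ip_address("192.168.0.109")
SERVER_ORANGE = ip.ip_address("10.0.0.22")
FW_ORANGE = ip.ip_address("10.0.0.1")
# Dual-homed server: two connected networks, default route via the firewall.
SERVER_ROUTES = [
    (ip.ip_network("10.0.0.0/24"), "orange"),
    (ip.ip_network("192.168.0.0/24"), "green"),
    (ip.ip_network("0.0.0.0/0"), "orange"),
]

def egress(dst, routes=SERVER_ROUTES):
    """Longest-prefix match: the interface the server uses to reach dst."""
    matches = [(net.prefixlen, nic) for net, nic in routes if dst in net]
    return max(matches)[1]

def outbound_nat(src, dst, rules):
    """Firewall side: rewrite the source on Orange if a rule matches."""
    for src_net, dst_net, translated in rules:
        if src in src_net and dst in dst_net:
            return translated
    return src

def trace(rules):
    """Follow one request/reply pair and report how the reply travels."""
    seen_src = outbound_nat(CLIENT, SERVER_ORANGE, rules)
    # Firewall state entry: maps the source the server saw back to the client.
    state = {(seen_src, SERVER_ORANGE): CLIENT}
    nic = egress(seen_src)          # server replies to the source it saw
    via_firewall = nic == "orange"  # only Orange leads back to the firewall
    delivered = state[(seen_src, SERVER_ORANGE)] if via_firewall else seen_src
    return {"server_sees": str(seen_src), "reply_nic": nic,
            "via_firewall": via_firewall, "delivered_to": str(delivered)}

NO_NAT = []
GREEN_TO_ORANGE = [(ip.ip_network("192.168.0.0/24"),
                    ip.ip_network("10.0.0.0/24"), FW_ORANGE)]

if __name__ == "__main__":
    print("no NAT:", trace(NO_NAT))
    print("SNAT  :", trace(GREEN_TO_ORANGE))
```

Without the rule the reply leaves on the server's Green interface and never passes the firewall again; with it the server only ever sees 10.0.0.1 and both directions cross the firewall.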



  • @phil.davis:

    If you really want to, you can add an outbound NAT rule on Orange with source 192.168.0.9, destination 10.0.0.22 and NAT that source IP to Orange-interface-address. If you are going to add extra NAT rules, then I recommend going to pfSense 2.2-RC first-up - that has Hybrid NAT mode, which lets you keep automatic NAT rules being generated automatically, and just add extra manual rules to them.
    If there are more clients in 192.168.0 that need to access more servers in 10.0.0 then widen the Outbound NAT rule accordingly, or make it for the whole of Green to Orange.

    But if you are always accessing these server/s by their 10.0.0.* address, then why have that 192.168.0.22 at all - it is an unused interface that just causes you suffering.

    Hey Phil.davis,

    Yes, I figured that one out too. It was a bit too easy to see that solution straight off :-)
    And great to hear about the Hybrid NAT. That will definitely make life easier!

    Cheers!

