Need help coming from ipCop



  • Hello,
I have a running system with ipCop 1.4 and need to change to pfSense, but I am stuck.
    Can you please have a look at my problem.

    My network:
    LAN 192.168.11.0/24
    WAN connected to the router (192.168.33.0/24) from the ISP

    A network from a customer which is tricky:
    192.168.1.0/24 with a server 192.168.1.81 and a router 192.168.1.2 connected to the customer server (10.49.0.181) via VPN.
    I can ping 192.168.1.81 and 10.49.0.181

    In ipCop I have the following interfaces:

    192.168.11.111 /24  (Lan)
    192.168.33.115 /24  (Wan)
    10.49.0.83 /28 (Customer)
    

    At ipCop I made the following configuration in the rc.local file to make it work:

    
    # 1. Add a secondary address 192.168.1.1 on eth1 so ipCop has an
    #    address inside the customer's 192.168.1.0/24 subnet
    ifconfig eth1:0 192.168.1.1

    # I am not sure if I need this line
    ifconfig eth2:0 192.168.0.115

    # 2. Source-NAT everything leaving eth1 to 192.168.1.1, and send the
    #    remote 10.49.0.0/24 network to the customer router 192.168.1.2
    /sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.1
    route add -net 10.49.0.0 netmask 255.255.255.0 gw 192.168.1.2
    

    In pfSense I assigned the IPs to the interfaces.

    em0  192.168.11.110 /24  = LAN 192.168.11.0 /24
    em2 10.49.0.89 /28 = customer network 
    em3 192.168.33.251 /24 = WAN (192.168.33.0 / 24)
    

    For the 1. statement I configured a Virtual IP 192.168.1.11/24 on the 10.49.0.89 em2 interface, which I can ping.

    I cannot
    a) ping the 192.168.1.81 server
    b) ping the 10.49.0.181 server

    The firewall log doesn't give me a clue.

    Where do I start?

    Thank you
    Markus



  • Do you want to NAT or route towards that customer network? With NAT you don't need (as many) routes on either side of the VPN, but you know, it's NAT ;)

    You said the customer network is a VPN, yet you configure a physical interface for it in pfSense?



  • Hello heper,

    here is my network:

    WAN 192.168.33.0/24 ----------- 192.168.33.251 pfSense hardware
                                          |
                                          |
    LAN1 192.168.11.0/24 -------- 192.168.11.110 pfSense   192.168.1.11 pfSense ----- LAN2 192.168.1.0/24
                                                                                            |
                                                                                            |
                                                                    192.168.1.81 server customer
                                                                    192.168.1.2  router customer ----- VPN ----- customer
                                                                                                                     |
                                                                                                          server 10.49.0.181

    The first step for me is to be able to ping the 192.168.1.81 server and the 192.168.1.2 router.
    The second step would be to set up VLAN to reach the server 10.49.0.181 at the customer side through VPN

    I cannot configure the server or router of the customer but I can ask the admin to do stuff.

    Do I have to NAT since the 192.168.1.81 server probably doesn't know my LAN 1?
    If yes which NAT kind do I use?
    Is the problem that the 192.168.1.81 uses probably the 192.168.1.2 as default GW?

    Thank you
    Markus



  • Hello.

    @mark99:

    Is the problem that the 192.168.1.81 uses probably the 192.168.1.2 as default GW?

    I think so. I'd prefer to add a route on 192.168.1.81 directing traffic for 192.168.11.0/24 to the pfSense LAN2 address. Or add such a route to the customer router; this should resolve both issues.

    If you want to resolve it by NAT add an outbound NAT rule:
    interface: LAN2
    source: any or what meets your needs
    destination: any or 192.168.1.81
    translation: interface address

    If it's practicable for you to set the destination to any in this rule, this should also resolve the access issue to 10.49.0.181; otherwise add an additional NAT rule for it or use an alias including these two destination addresses.



  • Hello viragomann,

    that was it  :D :D :D :D :D

    Thank you so much.
    It was the NAT

    Markus



  • Well, fine. But consider that NAT has a disadvantage: on the destination host you access over NAT you don't see the real source address; accesses always come from the pfSense LAN2 address. If this behavior doesn't matter for your purposes, it's okay. Otherwise routing is the better solution.



  • Hello viragomann,

    how would I route this if every client from 192.168.11.0/24 has to be able to access the server 192.168.1.81?
    The pfSense interface has the IP 192.168.1.3

    What is the disadvantage from NAT vs routing?

    Markus



  • For routing, a static route at 192.168.1.81 will be needed for 192.168.11.0/24, directing it to 192.168.1.3.
    If you want to access more hosts in the customer's subnet you may also add this route on the customer's router (if it is the default gateway in its subnet).

    But for accessing 10.49.0.181 over VPN there would be an additional static route necessary on this server, directing 192.168.11.0/24 to the VPN server's address.



  • Hello viragomann,

    ok I start to understand the procedure.

    Am I right with this:

    Since my pfSense (192.168.1.3) is not the default GW for the customer server (192.168.1.81) and my LAN is 192.168.11.0/24:

    NAT works fine, but with routing don't I have to tell the server 192.168.1.81 how to reach my LAN?

    Can this be done at my pfSense?

    Or does this have to be done at the server or the router (default GW) of the 192.168.1.0/24 net, which is the router of the customer which I cannot access?

    Markus



  • Hello,

    Basically each host in the network communicates with other hosts in its own subnet directly. But if a host wants to address another one in a different subnet or network segment, it sends the packets to the default gateway, which has to be defined in the network settings.

    The NAT rule you've added to pfSense translates the source addresses of the IP packets to the pfSense LAN2 address 192.168.1.3, which is a member of the same subnet as 192.168.1.81. So response packets from the server are sent back to pfSense LAN2 and pfSense translates their destination address back to the original IP.

    Now, if you don't want NAT you can add a static route to the server to let it know that packets addressed to the 192.168.11.0/24 subnet have to be directed to 192.168.1.3. So packets to the server retain their original source address when they enter the 192.168.1.0/24 subnet, and the server 192.168.1.81 sends its responses to the pfSense LAN2 interface, which forwards them into the destination subnet.
    It should also work if this static route is added to the default gateway of 192.168.1.0/24, because the host directs packets to it if their destination subnet is unknown and the gateway will redirect them to pfSense. But you can't do this routing at pfSense.

    If there are only a few hosts in each subnet, you can do 1:1 NAT as a workaround on pfSense to distinguish source addresses on the destination host. But that's dodgy if you don't control both subnets.
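The reply-path problem described in this post and in the earlier outbound-NAT suggestion can be checked on paper with a small simulation. The following is an added example written for this thread, not code from the thread, from pfSense, or from the poster: it models the customer server 192.168.1.81 with its on-link route and default gateway 192.168.1.2, and shows where the server's reply to a LAN1 host goes with plain routing, with outbound NAT to the pfSense LAN2 address 192.168.1.3, and with a static route on the server. The LAN1 client address 192.168.11.50 is a constructed example; the other addresses are the ones quoted in the thread.

```python
"""Where does the customer server's reply go? (added example, not from the thread)

Models the server 192.168.1.81 as the thread describes it: directly connected to
192.168.1.0/24, default gateway 192.168.1.2 (the customer router). A reply only
gets back to LAN1 if its next hop is the pfSense LAN2 address 192.168.1.3.
"""
from ipaddress import ip_address, ip_network

PFSENSE_LAN2 = "192.168.1.3"
CUSTOMER_ROUTER = "192.168.1.2"

# Routing table of the customer server: own subnet on-link, everything else
# to the customer router (which leads to the VPN, not to pfSense).
SERVER_ROUTES = {
    ip_network("192.168.1.0/24"): "on-link",
    ip_network("0.0.0.0/0"): CUSTOMER_ROUTER,
}


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ip_address(dst)
    best = max((net for net in routes if dst in net), key=lambda n: n.prefixlen)
    return routes[best]


def reply_next_hop(src, nat=False, static_route=False):
    """Return (next hop of the reply, source address the server actually sees).

    nat=True models the outbound NAT rule on the pfSense LAN2 interface: the
    packet enters 192.168.1.0/24 with source 192.168.1.3 instead of the LAN1 host.
    static_route=True models 'route 192.168.11.0/24 via 192.168.1.3' configured
    on the server itself (or on its default gateway).
    """
    routes = dict(SERVER_ROUTES)
    if static_route:
        routes[ip_network("192.168.11.0/24")] = PFSENSE_LAN2
    seen_src = PFSENSE_LAN2 if nat else src
    return next_hop(routes, seen_src), seen_src


def reaches_pfsense(src, **opts):
    """True if the server's reply ends up at pfSense and can reach the LAN1 host."""
    hop, seen = reply_next_hop(src, **opts)
    if hop == "on-link":
        # The server ARPs for the destination directly; only works if that
        # destination is the pfSense LAN2 address, i.e. the NAT case.
        return seen == PFSENSE_LAN2
    return hop == PFSENSE_LAN2


if __name__ == "__main__":
    client = "192.168.11.50"  # constructed LAN1 host address
    cases = [
        ("routing, no extra route", {}),
        ("outbound NAT on LAN2", {"nat": True}),
        ("static route on server", {"static_route": True}),
    ]
    for label, opts in cases:
        hop, seen = reply_next_hop(client, **opts)
        print(f"{label:24}  server sees {seen:14}  reply via {hop:12}  "
              f"reaches LAN1: {reaches_pfsense(client, **opts)}")
```

The first case is the situation Markus started with: the server has no route for 192.168.11.0/24, so the reply follows the default route to 192.168.1.2 and never comes back to pfSense, which is why the firewall log showed nothing useful. The NAT case works without touching the customer's equipment, but the `seen` value shows the cost viragomann points out: the server only ever sees 192.168.1.3. The static-route case keeps the real source address but needs a change on the server or its gateway, which pfSense cannot make for it.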



  • Hello,

    so I go with NAT because I cannot control the GW in the 192.168.1.0/24 net.

    Thank you for your help. You saved me quite some time  :D :D

    Markus