Overlapping WAN and LAN IP ranges
Apologies if this question has been covered already. I have been searching for a while and haven't found any old threads that cover this.
The LAN behind my pfSense gateway uses 10.1.x.x.
Our organization is also using 10.x.x.x addresses on the WAN for WIFI and some other purposes.
I'm using port forwarding to route SSH and other services from the WAN to various servers on the LAN.
Everything works fine, unless the IP of the source on the WAN is 10.1.x.x. E.g., WAN addresses of 10.2.x.x are forwarded fine, but any connection from 10.1.x.x addresses on the WAN simply time out.
Is there a simple solution for this?
Interestingly, I see the same behavior with a FreeBSD box using ipfw for NAT, but a CentOS server using iptables for NAT handles the forwarding from 10.1.x.x addresses just fine. It makes me wonder if this is just a difference in default behavior between BSD and Linux firewalls.
So you're wondering why shit doesn't work when it's coming from a 10.1 address and you're trying to forward it to a 10.1 address behind pfSense??
Really?? You're saying that works on Linux??
Think about it for 2 seconds on something behind a NAT.. Say you're wanting to talk to 10.1.1.100, and you're coming from 10.1.1.200.. What is 10.1.1.100 going to do with that traffic when he wants to send an answer - since he is on the 10.1.1.0/24 network… Is he going to send that back to pfSense to send on?? NO!!
If you want to do something like that, which is JUST BAD BAD BAD networking.. Why not just use 10.1.1.0/24 if that is already being used in your network!!! But if you did want to do something like that you're going to have to get pfSense to NAT it when it sends to the client so that client knows where to send the traffic back (pfSense) so pfSense can send it on to where it came from..
The correct solution is to just not use the same networks in your own network.. Why are you NATting inside your own network if you're all using RFC1918 space anyway??
First, I highly recommend meditation for your anger issues. It's cheaper than therapy and it works…
I obviously thought about changing the IP scheme on the LAN, but that would be problematic on a busy HPC cluster. It's also pointless, because no matter what I chose for an IP scheme, I can't guarantee that overlaps won't pop up on the WAN again in the future. We're an organization of 50,000 people and I can't forbid network operations from using certain IPs.
I see no logical reason why this shouldn't work and neither do our network engineers. NAT should be able to handle this situation. The fact that it works on a Linux-based gateway confirms that, and I'm willing to bet it will work on pfSense and other BSD systems with a little tuning.
So, if anyone wants to offer a civilized, constructive response, please chime in.
Approach aside, johnpoz is right on the root cause. You're probably missing at least some source NAT that the Linux system has/had. I kind of doubt Linux would work predictably or reliably in that circumstance either, but maybe would if there were no conflicting IPs. Regardless, FreeBSD isn't going to work reliably where you have the same subnet on multiple NICs.
Nobody is angry dude. Are you angry and reading that into my response and questions?
"We're an organization of 50,000 people and I can't forbid network operations from using certain IPs."
Say What??? It's called IPAM.. How can you run an org that large with no IP management? I also work for a very large company, locations all over the globe. You can not just fire up any network you want and expect shit to work.. Shit, you can not even connect to a switch without it being authorized and expect to get an IP; until you auth you would be put in a holding VLAN, etc. If you did fire up something and you stepped on someone's IP, you're going to get your peepee slapped, that's for damn sure..
"and neither do our network engineers"
Your network who - clearly not engineers.. Let's go over it yet again ;)
Let's draw a picture so we are all clear.. And go back to networking 101.. And I am using /24 networks since it makes no sense why you would be using /16 masks like what you were showing with your 10.1.x.x. But since you're obfuscating your RFC1918 space for some odd reason I am not sure what you're using exactly..
So you got a WAN, and off this WAN you have some networks.. So when 10.1.2.100/24 wants to talk to your box on 10.1.1.100 where does he send it? You say you're port forwarding, where exactly? How would the WAN router know to send to pfSense? How does the WAN router know where to send traffic to get to 10.1.1.100?? Your wifi is also 10.1.1/24 so he already has another network as you stated.. So you must be telling 10.1.2.100 to really go to 172.16.0.2 on the pfSense WAN? Ok so far so good, that can work. pfSense says hey 10.1.2.100 wants to talk SSH, ok I have a rule that says port forward SSH to 10.1.1.100.. I have that network on my LAN..
So client 10.1.1.100 sends his syn,ack back destined for 10.1.2.100, pfsense says ok let me send that to the wan router at 172.16.0.1.. I will nat it so it looks like it comes from my 172.16.0.2 Wan router says hey I know how to get to 10.1.2.100 and sends that traffic on - all things working..
Let's do the same thing from 10.1.1.200 this time.. He says I want to talk to 172.16.0.2, so he sends it to his gateway.. If he was trying to talk to 10.1.1.100 directly why would he even send it to his gateway??
So your pfsense says hey another guy wants to talk ssh.. I will send the syn on to 10.1.1.100 like my rule says.. So 10.1.1.100 sees this syn and says hmm 10.1.1.200 wants to talk to me.. That is my network!!, wonder what his mac is since he is on my network, arp arp… Well shit nobody answering.. Fail!!!
So if you're going to want to use the same networks in your network you're going to not only NAT outbound like when 10.1.1.100 wants to talk to 10.1.2, so that 10.1.2 sees traffic from the pfSense 172.16.0.2 address. You're also going to have to source NAT stuff when you're going to be sending traffic that ends up on the same network as what you sent it from.. Even if you know you need to go to 172.16.0.2 to get to that server on 10.1.1.100.. How is that server going to know how to get back unless you source NAT it, either somewhere else in your network or in pfSense.
How exactly would something on pfsense 10.1.1 network talk to that other 10.1.1.0/24 network in your wan?? Are you natting that address to something else as well?
If this is the nightmare you're dealing with no wonder you're angry, I really suggest you get some sort of IPAM up and running and have a dept/person that manages what sites have what networks... They can subnet them all down to whatever they want, as long as they stay in their network, etc.. Not like you need to have complete control over every IP in the org.. But you need something so people don't step on each other, and allow for everyone that wants to talk to each other to talk to each other.
If you used /16 you could have 250 some sites, all who could have 65k addresses at each site.. If you have more than 250 sites then don't give them /16 maybe give them /20 all depends on how many IPs a site might need, etc.
But dude you have to have some sort of IPAM or you're going to just run into the shit you're running into..
I would love to see how exactly you have this working with Linux, there is no way for the same networks to talk to each other without NATting.. And not only outbound but source NATting as well depending on what direction the traffic is flowing to and from, etc..
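The return-path argument above can be checked with a small model of the server's routing decision. The following is an added example written for this thread, not code from any poster or from pfSense; it reuses johnpoz's sketch (LAN 10.1.1.0/24, port-forward target 10.1.1.100, a client at 10.1.2.100 that works and one at 10.1.1.200 that does not) and assumes a pfSense LAN address of 10.1.1.1 and a constructed set of hosts that actually answer ARP on that LAN. It implements longest-prefix route lookup for the server, then reports where the server's SYN/ACK goes with a plain port forward versus a port forward combined with source NAT, and finally answers the outbound question (can a LAN host reach the overlapping 10.1.1.0/24 on the WAN side at all).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Addresses follow johnpoz's sketch: LAN 10.1.1.0/24, port-forward target
# 10.1.1.100.  The pfSense LAN address (10.1.1.1) and the set of hosts that
# answer ARP on that segment are assumptions made for this example.
PFSENSE_LAN = "10.1.1.1"
SERVER = "10.1.1.100"
LAN_HOSTS = {PFSENSE_LAN, SERVER}   # constructed: who is really on the wire


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str]   # next-hop router, or None for a directly connected network


# The server's routing table: its connected LAN plus a default route via pfSense.
SERVER_ROUTES: List[Route] = [
    Route(ipaddress.ip_network("10.1.1.0/24"), None),
    Route(ipaddress.ip_network("0.0.0.0/0"), PFSENSE_LAN),
]


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match, the way a host kernel selects a route."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def reply_path(client_ip: str, source_nat: bool) -> str:
    """Where the server's SYN/ACK goes for a port-forwarded SYN from client_ip.

    source_nat=False: pfSense rewrites only the destination (plain port forward),
                      so the server sees the real client address.
    source_nat=True:  pfSense also rewrites the source to its own LAN address.
    Returns 'gateway' (reply goes back through pfSense), 'on-link' (delivered to
    a host on the LAN segment) or 'arp-timeout' (no LAN host owns that address).
    """
    src_seen_by_server = PFSENSE_LAN if source_nat else client_ip
    route = lookup(SERVER_ROUTES, src_seen_by_server)
    if route.via is not None:
        return "gateway"        # handed to pfSense, which un-NATs it and forwards it
    if src_seen_by_server in LAN_HOSTS:
        return "on-link"        # ARP answered; with source NAT that host is pfSense
    return "arp-timeout"        # ARP for a 10.1.1.x that lives on the WAN side fails


def connection_works(client_ip: str, source_nat: bool) -> bool:
    """True when the reply can make it back to the client at all."""
    return reply_path(client_ip, source_nat) in ("gateway", "on-link")


def lan_host_reaches_wan_side(dst: str) -> bool:
    """Outbound direction: a LAN host only reaches a WAN-side address if its
    packet leaves via pfSense; an on-link destination is ARPed locally and the
    packet never reaches the WAN, so the overlapping 10.1.1.0/24 is unreachable."""
    return lookup(SERVER_ROUTES, dst).via is not None


if __name__ == "__main__":
    cases = [("10.1.2.100", False), ("10.1.1.200", False), ("10.1.1.200", True)]
    for client, snat in cases:
        print(f"client {client:<11} source NAT={snat!s:<5} reply -> {reply_path(client, snat)}")
    print("LAN host can reach WAN-side 10.1.1.50:", lan_host_reaches_wan_side("10.1.1.50"))
```

The model reproduces the thread's observations: 10.1.2.100 works because the server's reply takes the default route back through pfSense, while 10.1.1.200 times out because the server ARPs for it on the LAN and nobody answers. With source NAT applied on the LAN side the server replies to pfSense's own LAN address and the forward works, which is the manual outbound NAT rule on the LAN interface that johnpoz's explanation implies. Two defender-side consequences of that workaround are worth noting: the server's logs and any host-based access control now see pfSense's address instead of the real client, and, as cmb points out, traffic from the pfSense LAN toward the WAN-side 10.1.1.0/24 is still unreachable, since the model shows it never leaves the segment.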
Filtering Bridge could be an option, maybe?