Forwarded ports on my WAN IP from my LAN/OPTx networks



  • Hello all (first post!)

    I've just got my Firebox x1250e running pfSense (2.2.6-RELEASE).
    I've managed to get all my networks in and talking, however I'm having some issues with redirecting external facing services back internally.

    I've read the pfSense guide but neither option is especially applicable: https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

    NAT Reflection has too much performance impact, and Split DNS doesn't take into account port numbers.
    E.g. on my old dumb router I could connect to WAN:80 and have it redirect to IP1 and WAN:8080 and redirect to IP2.

    Without every service requiring it's own unique domain name, is there any way to still achieve this please?

    Thanks.


  • LAYER 8 Netgate

    Please provide more information and specific examples such as inside IP addresses and port numbers, outside port forwards that work, etc.

    You can probably accomplish what you need with port forwards on LAN.

    This requires putting the servers you are trying to reach and the hosts trying to reach them on different interfaces, however.

    IP routing is pretty flexible, but trying to do routing tricks like NAT on same-subnet traffic generally results in frustration, because it really can't be done.



  • Thanks Derelict!

    LAN1 = 182.16.1.X/24
            ServerA = 182.16.1.10:80
            ServerB = 182.16.1.20:81
    LAN2 = 182.16.2.X/24
    WAN = 83.14.35.11/30

    WAN has a NAT rule to allow 83.14.35.11:80 to forward to 182.16.1.10:80, and another rule to allow 83.14.35.11:81 to forward to 182.16.1.20:81 - this works fine. My external domain name www.example.com routes to WAN address.

    Prior to pfsense deployment, I could do www.example.com:80 and hit server A, and www.example.com:81 and hit server B - both internally (LAN1/2) and externally.

    What I'm trying to avoid is having to define everything as ServerA.example.com, ServerB.example.com, etc.; there is sufficient information in the port number alone to make this work.

    The bit I'm struggling with is getting LAN1/2 to route as if coming from the external side of the firewall.



  • 182.16.1.0/24 is an allocated prefix for someone residing in Hong Kong, I don't think that's you?



  • @kpa:

    182.16.1.0/24 is an allocated prefix for someone residing in Hong Kong, I don't think that's you?

    You're right, it's not… it's an example range, which approximately mirrors my actual ranges.
    A little added security through obscurity.

    If you can point me in the right direction for that range, I can easily remap that onto my network.



  • Disclosing the private RFC1918 addresses used on your LAN networks is totally harmless, an outside attacker gains no advantage from knowing them. There are officially allocated "example" ranges. First one is 192.0.2.0/24 and the other two are 198.51.100.0/24 and 203.0.113.0/24.

    https://tools.ietf.org/html/rfc5737



  • @kpa:

    Disclosing the private RFC1918 addresses used on your LAN networks is totally harmless, an outside attacker gains no advantage from knowing them. There are officially allocated "example" ranges. First one is 192.0.2.0/24 and the other two are 198.51.100.0/24 and 203.0.113.0/24.

    https://tools.ietf.org/html/rfc5737

    With all due respect, I would absolutely disagree. Say someone managed to get access to one of my machines remotely; knowing the IP ranges I use immediately narrows down the list of places they need to look for other servers. Granted it's not a massive risk, as the addresses are internal, but giving out internal addresses is unnecessary in this instance.

    Please substitute 192.0.1 for 182.16.1, and 192.0.2 for 18.16.2, if that helps.



  • Anyone? I sort of need to make this work…



  • @derek_bartram:

    … managed to get access to one of my machines remotely; knowing the IP ranges I use ...

    If I already conquered your network I have no problems looking around your broadcast domain to find further targets.


  • LAYER 8 Netgate

    If you are already telling your users they need to go to :81 on the outside, split DNS will work the same from the inside.

    Generally people run into problems with split DNS when they want a bunch of different addresses all listening on :80 to go to different ports on the inside like :80 to :8080, :80 to :8081, :80 to :8082, etc.


  • LAYER 8 Global Moderator

    Dude if you don't want to post your rfc1918 space because your tin foil hat is squeezing the blood out your ears… then for gosh sake map it to some other rfc1918 space that your not using...  Because to be honest posting up some public space that is not yours and showing that as being on your lan networks makes you look like an idiot.. No offense..

    Im with Derelict, how exactly is split dns not your solution since you have stated that you don't like nat reflection..  You show your servers listening on different ports... While the one that is using the standard port can be gotten too with your typical url http://some.name.tld your other one on 81 can not, no matter what you do inside or outside you would have to attach that :81 to your url so http://someother.name.tld:81 so how exactly is split dns not work for you?

    Oh

    I could do www.example.com:80 and hit server A, and www.example.com:81 and hit server B - both internally (LAN1/2) and externally.

    Why would you do that… Why don't you just use different names??  host1.example.com, host2.example.com run a reverse proxy and send them to the correct place on your rfc1918 space on same default port 80.  Then internally resolve host1 and host2 to the respective rfc1918 IP.

    Or if you don't want to use reverse proxy then use host1.example.com and host2.example.com:81



  • NAT reflection doesn't have a significant performance impact unless you're reflecting a huge number of connections. And if you had a consumer grade router that could handle it before, you definitely aren't.


  • LAYER 8 Global Moderator

    But its still an abomination if you ask me ;)  And be it a huge performance hit doesn't change the fact that its not optimal, why send traffic through or even to my firewall/router that is just going to a box sitting next to me on my own lan..

    I can not think of a reason where someone would say, yeah nat reflection is the best way to do this.. I see it as a work around for bad design choices sure.


Log in to reply