
I have a PFSense box, with several hosts on its LAN. On the WAN side is a series of switches and routers. External hosts use a specific IP address (we'll call it 1.2.3.4) which is forwarded through several layers to the PFSense box, which then port forwards it to a host INSIDE the PFSense LAN network (let's call it 192.168.1.2).

On the distant network, everyone can use 1.2.3.4 to connect to that host and it all works fine. However, on the internal side, they have to remember to use a different address (192.168.1.2).

We want to have a way for the 1.2.3.4 address to work both outside AND inside the PFSense network. However, we do not want to change the internal 192.168.1.0/24 subnet. It's not as simple as NAT reflection, though, because the WAN address of the PFSense box is NOT 1.2.3.4 but rather an arbitrary IP assigned by the next layer. The 1.2.3.0/24 network is several routers away. I've tried multiple configurations of port forwarding, NAT, firewall rules, etc. all without success.

What I want to do is intercept all traffic bound for 1.2.3.4 at the PFSense router and have it sent to 192.168.1.2 instead. Bonus points if the traffic doesn't actually have to go through PFSense but is instead routed by the switch to avoid bandwidth bottlenecks (maybe some combination of DHCP/ARP could accomplish this).

Is this possible, and what's the best way to achieve it?

Diagram

┌──────────────────────┐           ╔══════════════════╗        
│ Server (192.168.1.2) │           ║     Client 2     ║        
└──────────────────────┘           ║    (Internal)    ║        
            │                      ║ Uses 192.168.1.2 ║        
            │                      ║SHOULD use 1.2.3.4║        
            │                      ╚══════════════════╝        
            │                                │                 
            ├────────────────────────────────┘                 
            │                                                  
┌──────────────────────┐                                       
│    PFSense Router    │                                       
│                      │                                       
│ LAN: 192.168.1.1/24  │                                       
│   WAN: 192.168.2.2   │                                       
│ Virtual: 192.168.2.4 │                                       
└──────────────────────┘                                       
            │                                                  
            │                                                  
            │                                                  
 ┌────────────────────┐                                        
 │    Router (NAT)    │           This router transparently    
 │                    │         converts incoming WAN traffic  
 │LAN: 192.168.2.1/24 │◀──────    bound for 1.2.3.X to the     
 │  WAN: 1.2.3.1/24   │        equivalent 192.168.2.X address. 
 └────────────────────┘                                        
            │                                                  
            │                                                  
            │                                                  
    ╔══════════════╗                                           
    ║   Client 1   ║                                           
    ║  (External)  ║                                           
    ║ Uses 1.2.3.4 ║                                           
    ╚══════════════╝                                           

To clarify, for external clients, the sequence is as follows:

  1. Access 1.2.3.4
  2. NAT router converts to 192.168.2.4
  3. PFSense router receives traffic at 192.168.2.4 and maps internally to 192.168.1.2
Whimsical Seaplane
  • This honestly sounds like a job for a VPN instead of routing through layers that you should maybe be naming more clearly. Maybe come up with some more distinct numbers and define the layers you describe with more clarity, and we can come to a solution – Dmitri DB Mar 08 '17 at 23:44
  • To be honest we have zero control over anything outside the PFSense box. We were told 1.2.3.4 on certain ports would be routed to the PFSense WAN address, and that's it. We also can't use VPN for various reasons. – Whimsical Seaplane Mar 08 '17 at 23:55
  • I think a diagram would help, as this seems a little complex. Devices, models and IPs (obfuscated). Just out of curiosity, is split-horizon DNS applicable? – Linuxx Mar 09 '17 at 01:03
  • Also, are the clients using DNS to access this ip? PFsense has some real awesome DNS tricks up its sleeve. – Linuxx Mar 09 '17 at 01:14
  • @Linuxx I added a diagram. DNS is out of the question since on the "outer" network we have zero control and it is not a public network, thus we cannot create a DNS entry. (Otherwise yes, I agree, it would be easy.) We also do not have any control over the second NAT router; it just converts inbound addresses on our behalf. – Whimsical Seaplane Mar 23 '17 at 23:37

3 Answers

The only way I know how to do this is with NAT. You will have to specify the ports that you will be using. I just tested this on PFsense 2.3.2.

  1. Create a NAT rule
  2. Specify destination as Single Host or Alias: 1.2.3.4
  3. Port needs to be the port that you intend to use (From and To)(Tested with 80)
  4. Redirect target IP needs to be 192.168.1.2
  5. Redirect target port can't be "any", so you need to specify the port from above
  6. NAT reflection needs to be "Enable (Pure NAT)" <-IMPORTANT!!!!

If you have an application that needs several ports, you will have to specify every port.

Hope this helps!


Linuxx
  • It's still not able to connect. The firewall states has a connection from the client to the host (and Original Destination is set). State is `CLOSED:SYN_SENT` but the client never receives a response. – Whimsical Seaplane Mar 24 '17 at 21:11
  • Not sure about your issue. Mine didn't work until I set the NAT reflection. Tested with different ports. – Linuxx Mar 24 '17 at 22:11
  • @WhimsicalSeaplane Added screenshots. Works when directing my browser to http://1.2.3.4 (points to dev box on internal IP). Perhaps it's your version of PFsense? I have had bugs cleaned up by just upgrading. – Linuxx Mar 24 '17 at 22:27
  • That's exactly the same settings I'm using. The only thing I think may be an issue is the gateway. I think the traffic from the server back to the client may be going out through our VPN. https://i.imgur.com/VaniXD6.png In that screenshot, the final 2 rules direct traffic out through a VPN connection. When the client is outside, the return traffic goes through the two firewalls back to the client, but this isn't happening for internal clients. (All traffic on the 192.168.1.0/24 net does successfully reach LAN hosts, just not when it goes through the NAT forward.) – Whimsical Seaplane Mar 24 '17 at 23:11
  • You have a very messy web of configuration that isn't easily troubleshot through a Server Fault thread. It would take a while to just dig through the configuration, let alone find a solution. There are just too many variables. In most situations my solution works. My advice for you (long term) is to simplify your environment. Re-IP if required. GL! – Linuxx Mar 24 '17 at 23:19
  • Everything outside of the PFsense router is completely out of our control, and the VPN is absolutely necessary, so it's not really possible to simplify. In fact, we'll be adding several VLANs soon (one is already set up for testing, and it works perfectly). Really, the only thing that doesn't work is the loopback connection. I *could* cheat and set up our internal network to match the outside network's IP range (in fact I tested it and it works) but that's bad for a lot of other reasons... :D – Whimsical Seaplane Mar 24 '17 at 23:48
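The six-step NAT rule in this answer, written out as the underlying pf rules, as an added example (constructed here, not the answerer's screenshots or pfSense's exact generated ruleset); the interface names em0 (WAN) and em1 (LAN), the single TCP port 80 and the addresses from the question's diagram are assumptions:

```pf
# Added example, not from the answer or from pfSense's generated rules.
# Assumed: em0 = WAN (virtual IP 192.168.2.4), em1 = LAN (192.168.1.1/24),
# service is TCP/80 on 192.168.1.2, external address is 1.2.3.4.
ext_addr = "1.2.3.4"
wan_vip  = "192.168.2.4"
srv      = "192.168.1.2"
lan_net  = "192.168.1.0/24"
svc_port = "80"

# 1. Ordinary port forward for traffic arriving on WAN (already working).
rdr on em0 inet proto tcp from any to $wan_vip port $svc_port -> $srv port $svc_port

# 2. Reflection, part A: intercept LAN clients that address the service by its
#    external IP, even though pfSense never owns 1.2.3.4 itself (steps 2-5).
rdr on em1 inet proto tcp from $lan_net to $ext_addr port $svc_port -> $srv port $svc_port

# 3. Reflection, part B ("Pure NAT", step 6): rewrite the client source address
#    to the LAN interface address so the server's reply comes back through pfSense.
#    Without this the server answers the client directly with source 192.168.1.2,
#    the client discards a SYN-ACK it did not expect from that address, and the
#    pf state stays at CLOSED:SYN_SENT.
nat on em1 inet proto tcp from $lan_net to $srv port $svc_port -> (em1)

# 4. Filter rules see the packet after translation, so match the post-rdr
#    destination. One rdr/nat pair per port: an application using several
#    ports needs each one listed.
pass in quick on em1 inet proto tcp from $lan_net to $srv port $svc_port \
    flags S/SA keep state
pass out quick on em1 inet proto tcp from (em1) to $srv port $svc_port keep state
```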

There is a reverse proxy package you can install. Try using reverse proxy to channel the two nets.

John

For one of my ideas I made a similar network.

I have a few WAN IPs in a /24 space and an internal network. WAN IPs: 1.2.3.2 & 1.2.3.3. WAN interface IP: 1.2.3.2/24, DefGW: 1.2.3.1.

On the pfSense router, under routing, I add gateway 192.168.1.2 on interface LAN. Then I added a static route 1.2.3.3 -> 192.168.1.2. On the WAN interface, allow traffic to the 1.2.3.3 IP address. Add a Virtual IP of type ProxyARP with 1.2.3.3/32. In my case ProxyARP, because IPs are assigned statically and the hosting provider does not have entries to route traffic to a specific MAC or DHCP server. On the LAN interface, add a rule that source IP 1.2.3.3 is allowed to WAN. On the LAN interface I run DHCP and LAN IPs are added as static leases. I plan to run DHCP with static routes for multiple gateways (other servers on the same LAN): DHCP option 33 (single address) and DHCP option 121 (249 on older Windows) (network). If I am honest, I did not test it with DHCP and I am not sure if it is working properly. But it is an idea on the test list.

On the client side, an alias IP needs to be added with IP address 1.2.3.3/32. And if you want this IP to be treated as public, it must be set as the default outgoing IP address.

Optionally, on pfSense it can be set that traffic from LAN is allowed only in internal networking.

I set up this network because I want servers in the internal network and then route traffic to them over the private network (maybe easier configuration of routing, and because it can be done that way). And if a server does not require a direct public IPv4 address, we can save some of them.

Is this a good idea? I do not know :-)

┌──────────────────────┐                                       
│    PFSense Router    │                                       
│                      │                                       
│ WAN: 1.2.3.2/24      │                                       
│ DefGW: 1.2.3.1       │
│ Virtual: 1.2.3.3     │                                       
│ LAN: 192.168.1.1/24  │                                       
└──────────────────────┘  
           | LAN
┌──────────────────────┐                                       
│       Server 1       │                                       
│                      │                                       
│ LAN: 192.168.1.2/24  │                                       
│ DefGw: 192.168.1.1   │
│ Alias: 1.2.3.3/32    │                                     
└──────────────────────┘