
Topic: 3 Problems for a newbie using pfSense: NAT, Internal Access, and Internet Access


Offline karldonteljames

Afternoon everyone, I'll start with an apology for the length of the post!
I've just migrated from raqcop to pfsense, and I currently have three problems:

LAN is 192.168.10.1/24
OPT1 is 192.168.12.1/24 (known as Orange)

1) NAT from OPT1 to two LAN addresses
I've got an incoming rule that directs web traffic to the web server on opt 1, and that is forwarding and working.
My web server is running a reverse proxy that forwards traffic to two separate machines on my LAN depending on the address, e.g.
emby1.mydomain.com (URL rewrite to 192.168.10.101)
emby2.mydomain.com (URL rewrite to 192.168.10.102)
Both machines are running on the same port and ideally I'd like to keep it that way. Can I create a NAT rule that allows traffic from OPT1 to two separate addresses on the LAN?


2) I've got no internet access from OPT1. I've created a rule for OPT1; I don't want to allow OPT1 to any if I can help it.

3) Unable to access my network internally via its full URL: e.g. blog.mydomain.com or emby.mydomain.com

When putting the web address in, I was being redirected to the pfSense menu, so I enabled the option:
"Disable webConfigurator redirect rule"

Now I get nothing; this is causing me problems with some of my media systems that use the global URL (like laptops and mobiles).

I would appreciate any help that anyone would be happy to give me.

I've attached a copy of my OrangeLan Rules, and my NAT rules.
« Last Edit: December 03, 2017, 09:07:54 am by karldonteljames »

Offline karldonteljames

Can anyone help at all please?

Offline karldonteljames

Setting Pure NAT for NAT reflection mode sorted out the issue of not being able to access the external address internally. That is one problem (3) sorted.

Offline karldonteljames

It really feels like I'm talking to myself here. lol

Using this post below, I managed to get the DMZ talking to the outside world, but blocked from the LAN or firewall.

https://forum.pfsense.org/index.php?topic=122048.0

Offline jahonix

1) NAT from OPT1 to two LAN addresses
there is no local NAT between interfaces. Just rules.

2) I've got no internet access from OPT1: I've created a rule for OPT1
Surely with that ruleset ;-)
Destination WAN address is exactly that: the WAN address of your pfSense. I doubt you want to send traffic there. Same with WAN net, which defines the transit network between your WAN IF and your ISP.

Here's how lots of us do it:
Since rules are processed top to bottom with "first match wins" you have to take care of the rules order.
You may want to create an alias for RFC1918 networks first.
Add a block rule to this alias preventing OPT1 to anything local (RFC1918). In your case you might want to create an allow rule to your LAN hosts on top of this block rule as well.
Then create an allow * rule for everything not local (aka internet).
You might need rules for DNS, SNTP, what-have-you as well.

3) Unable to access my network internally via its full URL: e.g. blog.mydomain.com or emby.mydomain.com
You can do that with NAT reflection, or you set up split DNS where your local DNS server points the URLs in question to the local IPs. Split DNS is the more mature way of doing it, while reflection is considered a hack by some. At the least, the traffic has to traverse your router in and out to reach its destination, which is avoided with split DNS.
Chris

The issue with IPv6 jokes is that almost no one understands them and no one is using them yet.

Offline karldonteljames

Thanks Chris,

I've attached my DMZ rules and my DMZ Port forwarding. Any help on this would be appreciated.

So far as I can see, everything is working now except the split URL rewrite:

emby.mydomain.com to one LAN IP
emby2.mydomain.com to another.

Should I create a rule that allows the port from my reverse proxy server to each of the LAN servers?
« Last Edit: December 03, 2017, 06:13:19 pm by karldonteljames »

Offline karldonteljames

It's crazy how just talking it out sometimes helps. These are the rules I have setup now, and I'm now able to access both my servers from different URLs running on the same port:

Is there any way I should improve the order or setup of these rules at all?

!!EDIT!! DMZ PORT FORWARDING FROM ABOVE:

I've removed all port forwarding with the exception of port 80. I assume this is much more secure?
« Last Edit: December 03, 2017, 06:13:37 pm by karldonteljames »

Offline jahonix

I'd prefer to have the DNS rule on top of the others, basically everything to the firewall first. But that's just me.
The rest seems fine. You actually don't need the "deny DMZ net to this Firewall rule" because everything that's not allowed will be blocked automatically. Think of a hidden "block all" rule at the bottom of your rule set.

It's crazy how just talking it out sometimes helps.
Not at all, that's a known fact. Sometimes part of good teamwork.
And I prefer that you did it yourself over me just telling you. You gained a lot now.

PS: That's all a shrink doctor usually does: ask a question and let you talk about it.  ;D
Chris


Offline karldonteljames

Thanks for your help Chris,

Does that mean I also don't need the deny DMZ to LAN?

One more question if you don't mind, rather than allowing HTTP and https to all, can I just allow it to the internet?
I've also noticed that although my DMZ machines are now showing as connected on Teamviewer, I'm unable to connect to them. Do I need to open anything else inbound?

Offline jahonix

Does that mean I also don't need the deny DMZ to LAN?
You don't need it but sometimes it's easier to understand a ruleset if such a deny rule is visibly there.
(instead of having to remember the "invisible" deny all rule at the bottom)

rather than allowing HTTP and https to all, can I just allow it to the internet?
Define "the internet" in CIDR notation. ;)

... machines are now showing as connected on Teamviewer, I'm unable to connect to them, do I need to open anything else inbound?
Are those Windows machines? If so, then the Windows firewall needs adjustments. It usually blocks non-local (same subnet) traffic.
Chris


Offline karldonteljames

Thanks Chris. I've changed the order of the rules, I think I'm going to need to look at them again as I cannot get to my backup emby server now. I assume I've screwed the ordering somehow.


rather than allowing HTTP and https to all, can I just allow it to the internet?
Define "the internet" in CIDR notation. ;)

pmsl. Let me rephrase that: can I allow http(s) through the gateway rather than to all interfaces?

... machines are now showing as connected on Teamviewer, I'm unable to connect to them, do I need to open anything else inbound?
Are those Windows machines? If so, then the Windows firewall needs adjustments. It usually blocks non-local (same subnet) traffic.

These were VMs that were migrated from Hyper-V; if they are put onto my LAN they connect without a problem.

Offline jahonix

Define "the internet" in CIDR notation. ;)
pmsl., Let me rephrase that, can I allow http(s) through the gateway rather than to all interfaces?
Sure, it's just a matter of rule arrangement.
Gimme your educated guess first, remember what can be expressed in CIDR notation easily.

These were VMs that were migrated from Hyper-V; if they are put onto my LAN they connect without a problem.
Again, which OS is twisting bits there?
Chris


Offline karldonteljames

Thanks. Logic says to me that the source should be DMZ and the destination should be WAN net.

Sorry, the VMs are Server 2012/2016 migrated from Hyper-V to Unraid.

Offline jahonix


Server2012/2016 IS a Windows machine so it WILL block traffic from other than its own subnet by default. Adjust the Windows firewalls.


Logic says to me that the source should be DMZ and the destination should be WAN net.
Same with WAN net which defines the transit network between your WAN IF and your ISP.
I still doubt you want traffic TO the transit network. TO is not THROUGH. That is not your destination.

Think out of the box:
- block traffic to 80 & 443 with destination RFC1918 (aka everything local)
- allow traffic to 80 & 443 with destination * AFTERWARDS, so both rules together make it all but local.

That's why rule order is important.
Chris

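A small simulation of the first-match-wins ordering Chris describes in his two posts above (DNS to the firewall first, specific LAN allows, the RFC1918 alias block, then allow to *), added here as an illustration; it is not code from the thread or from pfSense itself. The addresses come from the thread; the DNS rule and the Emby port are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Alias for everything local, as suggested in the thread (RFC1918 space).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = "any"

@dataclass
class Rule:
    action: str       # "pass" or "block"
    dst: object       # list of ip_network objects, or ANY
    ports: frozenset  # destination TCP/UDP ports; empty = any port

def matches(rule, dst_ip, dport):
    """True if a packet to dst_ip:dport hits this rule."""
    if rule.ports and dport not in rule.ports:
        return False
    if rule.dst == ANY:
        return True
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net for net in rule.dst)

def evaluate(ruleset, dst_ip, dport):
    """pfSense interface rules: first match wins, and anything that
    matches nothing hits the hidden 'block all' at the bottom."""
    for rule in ruleset:
        if matches(rule, dst_ip, dport):
            return rule.action
    return "block"

def host(addr):
    return ipaddress.ip_network(addr + "/32")

# Addresses from the thread: the OPT1/DMZ gateway and the two Emby hosts on LAN.
FIREWALL = [host("192.168.12.1")]
EMBY_HOSTS = [host("192.168.10.101"), host("192.168.10.102")]
EMBY_PORT = 8096  # assumed; the thread does not name the port the two servers share

# Chris's ordering: firewall services first, specific LAN allows, block the
# rest of RFC1918, then allow web to "*", which by then means "all but local".
RECOMMENDED = [
    Rule("pass", FIREWALL, frozenset({53})),          # DNS to the firewall (assumed)
    Rule("pass", EMBY_HOSTS, frozenset({EMBY_PORT})), # reverse proxy -> both Emby hosts
    Rule("block", RFC1918, frozenset()),              # nothing else local
    Rule("pass", ANY, frozenset({80, 443})),          # web to whatever is left = internet
]

# The same rules with the RFC1918 block placed after the allow: the allow
# matches first, so DMZ hosts can now reach web ports on the whole LAN.
WRONG_ORDER = [RECOMMENDED[0], RECOMMENDED[1], RECOMMENDED[3], RECOMMENDED[2]]
```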

Offline karldonteljames

Morning Chris, I'm so lost now.  :'(
As a guess though, I think I need to change the order of the rules you mention?

I've got two other questions when we've sorted this too!

Hardware:
Currently running on:
i3-6100 @ 3.70GHz
4GB RAM
250GB SSD
3x Intel NIC cards (single port), 1x onboard NIC (one Intel NIC card currently not used)

Squid off: (Direct ISP) 180 - 210Mbps
Squid on: (Direct ISP) 5 - 12Mbps
Squid off: (VPN On) 40 - 60Mbps
Squid on: (VPN On) often unable to perform a speed test.

Any idea why this might be?

If I create, say, three SSIDs on my Access Point and tag those with, say, VLAN 20, 30, 40, can I route the traffic from those through separate VPN connections the firewall is handling, i.e. through different providers? I assume this would just be a case of adding the tags to the interfaces (Ovpn2) and then copying the outbound NAT rules from the default connection. Is that correct, or is this a subject for another topic?

I really appreciate your help!

Karl