I've got a /28 and 3x /24, the latter of which I want to map
1:1 to private address space (e.g. each /24 to 10.0.x.0/24).

My pfSense version is 2.1-DEVELOPMENT (i386)
built on Fri Oct 21 12:51:56 EDT 2011 

I've got a setup where hosts and firewalls look like this

WAN             LAN
switch1 - fw1 - switch2
      | - fw2 - |
      | - ho1 - |
      | - ... - |

The hosts have two NICs (one for WAN, one for LAN) and currently
have virtual guests bound to the WAN interface, thus bypassing the
firewalls. I now want to renumber the guests into private
address space and let the firewall handle network
mapping and traffic filtering.

The LAN switch is managed and is assigned an address
10.0.0.x via DHCP from fw1.

I've defined VIPs (type Proxy ARP, matching one public /24) 
and created a Firewall NAT 1:1 mapping as well as firewall
rules to pass the relevant traffic. I've disabled the
WAN switch port (by putting it on an unreachable VLAN) 
so that virtual guests bound to the same /24 are out of 
the loop for testing. I have not disabled any
other hosts on the switch.

Now the strange thing is that I can reach the switch via its
externally mapped IP (via two of them, in fact), but nothing
else (apart from the gateway). nmap from within the network sees
the other IPs fine.

This makes absolutely no sense. There must be something simple
I'm missing. Any idea how to debug this? Thanks!

My rules look like this:

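#System aliases
# NOTE(review): the listing as pasted was line-wrapped by the mail client;
# rules that were split mid-statement have been re-joined onto one line so
# the ruleset reads as pf.conf again. No rule has been altered.

loopback = "{ lo0 }"
LAN = "{ igb0 }"
WAN = "{ em0 }"
OPT1 = "{ igb1 }"

#SSH Lockout Table
table <sshlockout> persist
table <webConfiguratorlockout> persist
#Snort tables
table <snort2c>

table <virusprot>

# User Aliases

# Gateways
# Gateway macros. The generated rules below inline the same route-to /
# reply-to arguments instead of referencing these macros.
GWGW_WAN = " route-to ( em0 88.198.239.113 ) "
GWWANGWv6 = " route-to ( em0 2a01:4f8:7d:300::1 ) "


set loginterface igb0
set optimization normal
set limit states 299000
set limit src-nodes 299000

set skip on pfsync0

scrub in on $LAN all    fragment reassemble
scrub in on $WAN all    fragment reassemble
scrub in on $OPT1 all    fragment reassemble


no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"

# 1:1 NAT. Translation is applied before the filter rules are evaluated, so
# an inbound packet addressed to 88.198.222.x reaches the WAN filter rules
# with its destination already rewritten to 10.0.0.x. WAN pass rules for
# 1:1-mapped hosts therefore have to match the *internal* address (see the
# "USER_RULE: NAT" rules further down).
# 10.0.0.20 is covered by both lines, so it answers under two public
# addresses (88.198.222.20 and 88.198.239.118); that would explain the
# "two of them" observation if the switch is 10.0.0.20 -- not verifiable
# from the listing.
# VIP type: if the upstream routes 88.198.222.0/24 to the WAN address
# (88.198.239.114) rather than putting it on the WAN segment, Proxy ARP
# VIPs are not required (type "Other" suffices); if the /24 is on-link,
# Proxy ARP must answer for every address in it -- confirm with the upstream.
binat on em0 from 10.0.0.0/24 to any -> 88.198.222.0/24
binat on em0 from 10.0.0.20 to any -> 88.198.239.118

# Outbound NAT rules
# Translation rules are first-match, and the binat lines above come first,
# so hosts in 10.0.0.0/24 presumably leave under their 1:1 address, not
# 88.198.239.114 -- verify with a state-table lookup. The 127.0.0.0/8 rule
# appears twice; harmless but redundant.
nat on $WAN  from 10.0.0.0/24 to any port 500 -> 88.198.239.114/32  static-port
nat on $WAN  from 10.0.0.0/24 to any -> 88.198.239.114/32 port 1024:65535
nat on $WAN  from 127.0.0.0/8 to any -> 88.198.239.114/32 port 1024:65535
nat on $WAN  from 172.16.1.0/24 to any port 500 -> 88.198.239.114/32  static-port
nat on $WAN  from 172.16.1.0/24 to any -> 88.198.239.114/32 port 1024:65535
nat on $WAN  from 127.0.0.0/8 to any -> 88.198.239.114/32 port 1024:65535

# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
table <negate_networks> { 10.0.0.0/24 88.198.239.112/28 172.16.1.0/24 }
# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
# Everything not explicitly passed by a later rule is dropped and logged;
# the firewall log is therefore the first place to look for the mapped
# hosts that do not answer.
block in log inet all label "Default deny rule IPv4"
block out log inet all label "Default deny rule IPv4"
block in log inet6 all label "Default deny rule IPv6"
block out log inet6 all label "Default deny rule IPv6"

# IPv6 ICMP is not auxilary, it is required for operation
# See man icmp6(4)
# 1    unreach         Destination unreachable
# 2    toobig          Packet too big
# 128  echoreq         Echo service request
# 129  echorep         Echo service reply
# 133  routersol       Router solicitation
# 134  routeradv       Router advertisement
# 135  neighbrsol      Neighbor solicitation
# 136  neighbradv      Neighbor advertisement
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state

# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state

# We use the mighty pf, we cannot be fooled.
block quick inet proto { tcp, udp } from any port = 0 to any
block quick inet proto { tcp, udp } from any to any port = 0
block quick inet6 proto { tcp, udp } from any port = 0 to any
block quick inet6 proto { tcp, udp } from any to any port = 0


# Snort package
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
block in log quick proto carp from (self) to any
pass quick proto carp
pass quick proto pfsync

# SSH lockout
# The lockout tables only hold addresses that failed authentication
# repeatedly; they rate-limit brute force, they do not restrict who may
# reach the management ports in the first place.
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

# webConfigurator lockout
block in log quick proto tcp from <webConfiguratorlockout> to any port 80 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"
antispoof for igb0

# allow access to DHCP server on LAN
pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $LAN proto udp from any port = 68 to 10.0.0.1 port = 67 label "allow access to DHCP server"
pass out on $LAN proto udp from 10.0.0.1 port = 67 to any port = 68 label "allow access to DHCP server"
table <bogons> persist file "/etc/bogons"
table <bogonsv6> persist file "/etc/bogonsv6"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
# antispoof for em0 and for $WAN (= em0) are the same rule emitted twice;
# harmless duplication.
antispoof for em0
# block anything from private networks on interfaces with the option set
antispoof for $WAN
# These rules match the *source* address only, so they do not interfere
# with inbound 1:1 traffic whose *destination* has been rewritten to
# 10.0.0.x by binat.
block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
antispoof for igb1

# loopback
pass in on $loopback inet all label "pass IPv4 loopback"
pass out on $loopback inet all label "pass IPv4 loopback"
pass in on $loopback inet6 all label "pass IPv6 loopback"
pass out on $loopback inet6 all label "pass IPv6 loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to ( em0 88.198.239.113 ) from 88.198.239.114 to !88.198.239.112/28 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( em0 2a01:4f8:7d:300::1 ) inet6 from 2a01:4f8:7d:300::2 to !2a01:4f8:7d:300:0:0:0:0/56 keep state allow-opts label "let out anything from firewall host itself"
# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on igb0 proto tcp from any to (igb0) port { 80 22 } keep state label "anti-lockout rule"

# User-defined rules follow

anchor "userrules/*"
pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 )  proto icmp  from any to any keep state  label "USER_RULE: allow ICMP ping from WAN"
pass  in  quick  on $WAN reply-to ( em0 2a01:4f8:7d:300::1 ) inet6 proto ipv6-icmp  from any to any keep state  label "USER_RULE: allow IPv6 ICMP ping from WAN"
# Management from WAN: SSH, HTTP and HTTPS to the firewall are open to any
# source, and the port 80 rule carries the webConfigurator login in clear
# text. Restricting the source to an alias of admin addresses and dropping
# the port 80 rule (keeping 443) would cut the exposure considerably.
pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 )  proto tcp  from any to 88.198.239.114 port 22  flags S/SA keep state  label "USER_RULE: allow SSH administration on WAN"
pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 )  proto tcp  from any to 88.198.239.114 port 80  flags S/SA keep state  label "USER_RULE: allow HTTP administration on WAN"
pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 )  proto tcp  from any to 88.198.239.114 port 443  flags S/SA keep state  label "USER_RULE: allow HTTPS administration on WAN"
# 1:1 NAT pass rules. Because binat rewrites the destination before
# filtering, the two rules with public destinations (88.198.239.118 port 80
# and 88.198.222.0/24) never match inbound traffic -- by the time a packet
# reaches the filter it is addressed to 10.0.0.x. Only 10.0.0.20, 10.0.0.2
# and 10.0.0.3 are passed explicitly; every other mapped host falls through
# to the default deny, which is consistent with "only the switch is
# visible" and should show up as logged drops for those destinations.
# When correcting this, prefer per-host, per-port rules over a blanket
# "to 10.0.0.0/24 proto { tcp udp }", which would expose every port on
# every guest to the internet.
# If 10.0.0.2 / 10.0.0.3 still do not answer afterwards, check their default
# route: a dual-homed host may reply out of its WAN NIC instead of back
# through fw1, so the state created here never sees the return traffic
# (presumably the case for the hosts, since only the DHCP-configured switch
# uses fw1 as gateway -- verify on the hosts).
pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 ) inet proto { tcp udp }  from any to   88.198.239.118 port 80  keep state  label "USER_RULE: NAT "
pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 ) inet proto { tcp udp }  from any to   88.198.222.0/24 keep state  label "USER_RULE: NAT "
pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 ) inet proto { tcp udp }  from any to   10.0.0.20 keep state  label "USER_RULE"
pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 ) inet proto { tcp udp }  from any to   10.0.0.2 keep state  label "USER_RULE"
pass  in  quick  on $WAN reply-to ( em0 88.198.239.113 ) inet proto { tcp udp }  from any to   10.0.0.3 keep state  label "USER_RULE"
# OPT1 (igb1) is fully open inbound here and outbound via the
# "let out anything" rules above; acceptable for a trusted segment, otherwise
# narrow it to the protocols and destinations actually needed.
pass  in  quick  on $OPT1  from any to any keep state  label "USER_RULE"

# VPN Rules
anchor "tftp-proxy/*"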
