Re: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?
- Original Message - From: Chris Buechler cbuech...@gmail.com To: support@pfsense.com Sent: Saturday, January 09, 2010 12:24 AM Subject: Re: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?

On Fri, Jan 8, 2010 at 5:27 PM, Karl Fife karlf...@gmail.com wrote: That's precisely right. Inside: LAN, Outside: WAN. Is that the right setting for the shaper in this bridged configuration? (And again OPT2 is bridged to WAN, OPT1 is currently idle, Soekris 5501)

Because of the limitations of the shaper in 1.2.x you'll end up with unusual results for anything other than the defined inside and outside interfaces. Pre-2.0 there isn't a way to effectively shape in that scenario.

I see. I was hopeful about the 1.2.3 shaper when I noticed the "not compatible with bridging" message (present in 1.2.2) had been removed. Is the 2.0 beta available for embedded?

Thanks
-Karl

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com For additional commands, e-mail: support-h...@pfsense.com Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?
On Sat, Jan 9, 2010 at 1:17 PM, Karl Fife karlf...@gmail.com wrote: I see. I was hopeful about the 1.2.3 shaper when I noticed the "not compatible with bridging" message (present in 1.2.2) had been removed.

That was never true actually (AFAIK, at least not in 1.2, 1.2.1 and 1.2.2, not completely sure on prior to that), I did nothing but remove that text, it does work properly with bridging.

Is the 2.0 beta available for embedded?

Yes but: http://forum.pfsense.org/index.php/topic,21606.0.html
Re: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?
On Sat, Jan 9, 2010 at 5:39 PM, Chris Buechler cbuech...@gmail.com wrote: Yes but: http://forum.pfsense.org/index.php/topic,21606.0.html

That and the fact that our snapshot server is up and down (currently DOWN) due to bad hardware. It will be swapped out in the coming days.

Scott
Re: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?
On Sat, Jan 9, 2010 at 8:47 PM, Scott Ullrich sullr...@gmail.com wrote: On Sat, Jan 9, 2010 at 5:39 PM, Chris Buechler cbuech...@gmail.com wrote: Yes but: http://forum.pfsense.org/index.php/topic,21606.0.html That and the fact that our snapshot server is up and down (currently DOWN) due to bad hardware. It will be swapped out in the coming days.

There is a mirror here that syncs hourly (when the primary is up and building snapshots). http://files.chi.pfsense.org/snapshots/
Re: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?
On Wed, Jan 6, 2010 at 1:26 PM, Karl Fife karlf...@gmail.com wrote: Thanks for the ideas! It's working with the exception of a traffic shaping problem. What I did to set this up is
1. Bridged the OPT interface with WAN, leaving all other fields blank
2. Created a rule on the tab of the OPT interface to 'pass' 'any' protocol
3. Attached the host to the OPT interface, and assigned the appropriate IP info.
I notice that my upstream traffic is shaped (as expected) but that the downstream traffic is not (unexpected). This presents a problem for VoIP (although serendipitously it's the more sensitive upstream shaping that IS working at the moment). My first thought was "oh yeah--DUH, the shaping queues are in layer 3, bridging happens in layer 2", but then it occurred to me that the upstream traffic IS actually being shaped. Confused again.

From: Chris Buechler cbuech...@gmail.com To: support@pfsense.com Sent: Wednesday, January 06, 2010 9:38 PM Subject: Re: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?

The rules and queues process the same whether it's L2 or 3. How do you have the shaper configured? With OPT bridged to WAN, I presume you have a LAN as well, and I'm guessing the shaper is configured for LAN and WAN?

That's precisely right. Inside: LAN, Outside: WAN. Is that the right setting for the shaper in this bridged configuration? (And again OPT2 is bridged to WAN, OPT1 is currently idle, Soekris 5501) I am puzzled as to why it shapes in only one direction. As configured, I would have expected it to work in both or none. Without having the OPT interface called out by name in the shaper wizard, how does it know to shape the upstream traffic? How do I tie the downstream traffic to the queue? Thanks!
-Karl
Re: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?
Thanks for the ideas! It's working with the exception of a traffic shaping problem. What I did to set this up is
1. Bridged the OPT interface with WAN, leaving all other fields blank
2. Created a rule on the tab of the OPT interface to 'pass' 'any' protocol
3. Attached the host to the OPT interface, and assigned the appropriate IP info.
I notice that my upstream traffic is shaped (as expected) but that the downstream traffic is not (unexpected). This presents a problem for VoIP (although serendipitously it's the more sensitive upstream shaping that IS working at the moment). My first thought was "oh yeah--DUH, the shaping queues are in layer 3, bridging happens in layer 2", but then it occurred to me that the upstream traffic IS actually being shaped. Confused again. The only theory I could come up with is that the upstream traffic is getting shaped BECAUSE the host on the bridged OPT interface routes to the default gateway IP address, and therefore those upstream packets have IP addresses that match directives in the queues. Am I on the right track? Therefore, thinking the shaper needed an IP address to identify the traffic to shape, I tried simply putting the public IP address (of the host connected to the bridged optional interface) in the 'penalty box' of the shaper. You probably already know that this didn't work. Is this the right theory without the right execution? Do I need to tie in a 'Virtual IP' somehow? So close! I would love a nudge in the right direction. Thanks! If this can be made to work it will eliminate the need to buy 4 Juniper routers!
-Karl

- Original Message - From: Chris Buechler c...@pfsense.org To: support@pfsense.com Sent: Thursday, December 31, 2009 1:19 PM Subject: Re: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?

On Thu, Dec 31, 2009 at 9:52 AM, Karl Fife karlf...@gmail.com wrote: Like many, I use 1:1 NAT to give one of my public IP addresses to an internal host. This works great for certain applications where the host (such as Asterisk) is 'smart' and can be made aware of the fact that the IP address bound to its own network interface differs from the one the outside world sees and should direct traffic to. In the case of Asterisk, which must know its external IP to properly write SDP headers, Asterisk will look to the configured external IP address instead of the one it actually sees bound to its own NIC. No problems! The problem arises when you've got a 'dumber' host that needs to function EXACTLY like it has an actual external IP address, but where the traffic needs to flow through pfSense (for shaping, policies, IDS/IPS). I sometimes also wish that certain hosts with external addresses NOT have an internal address in the event that they become compromised/rooted etc. Naturally it would be ideal to bind the external IP address directly to an optional interface. My understanding (possibly wrong) is that this was not possible (at least) with embedded 1.2-release. Has anything changed in the 1.2.1 or .2 or .3 release that would make this possible?

That's always been possible. Exactly how depends on how many public IPs you have. Nathan's suggestion will work where you want it on your LAN, though that violates the "NOT have an internal address" noted above. You can either add a public IP subnet on an OPT interface, or bridge OPT to WAN.
Re: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?
On Wed, Jan 6, 2010 at 1:26 PM, Karl Fife karlf...@gmail.com wrote: Thanks for the ideas! It's working with the exception of a traffic shaping problem. What I did to set this up is
1. Bridged the OPT interface with WAN, leaving all other fields blank
2. Created a rule on the tab of the OPT interface to 'pass' 'any' protocol
3. Attached the host to the OPT interface, and assigned the appropriate IP info.
I notice that my upstream traffic is shaped (as expected) but that the downstream traffic is not (unexpected). This presents a problem for VoIP (although serendipitously it's the more sensitive upstream shaping that IS working at the moment). My first thought was "oh yeah--DUH, the shaping queues are in layer 3, bridging happens in layer 2", but then it occurred to me that the upstream traffic IS actually being shaped. Confused again.

The rules and queues process the same whether it's L2 or 3. How do you have the shaper configured? With OPT bridged to WAN, I presume you have a LAN as well, and I'm guessing the shaper is configured for LAN and WAN?
[pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?
Like many, I use 1:1 NAT to give one of my public IP addresses to an internal host. This works great for certain applications where the host (such as Asterisk) is 'smart' and can be made aware of the fact that the IP address bound to its own network interface differs from the one the outside world sees and should direct traffic to. In the case of Asterisk, which must know its external IP to properly write SDP headers, Asterisk will look to the configured external IP address instead of the one it actually sees bound to its own NIC. No problems!

The problem arises when you've got a 'dumber' host that needs to function EXACTLY like it has an actual external IP address, but where the traffic needs to flow through pfSense (for shaping, policies, IDS/IPS). I sometimes also wish that certain hosts with external addresses NOT have an internal address in the event that they become compromised/rooted etc. Naturally it would be ideal to bind the external IP address directly to an optional interface. My understanding (possibly wrong) is that this was not possible (at least) with embedded 1.2-release. Has anything changed in the 1.2.1 or .2 or .3 release that would make this possible? What about in the 2.0 beta? If I can make this work (or some creative variant of it) it will prevent me from needing to buy a number of Juniper routers. Feedback very much appreciated!
-Karl
RE: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?
Generally, the best way to handle something like this is to actually give the host the public IP, and avoid NAT altogether. However, sometimes that's not an option, and so you can use the following to trick the host into working as expected. (Note that 192.0.2.x documentation IPs are used - these represent the public IPs)

ISP's Gateway: 192.0.2.1/24
Firewall WAN IP: 192.0.2.10/24
Server WAN IP: 192.0.2.11/24
Firewall's LAN IP: 10.0.0.1/24
Server's LAN IP: 10.0.0.11/24
Server's LAN IP #2: 192.0.2.11/32 (note the mask!)
ProxyARP on WAN for 192.0.2.11
Static route on firewall to 192.0.2.11 through 10.0.0.11 on LAN

What you're doing is telling the public switch (via ARP) that the firewall's MAC address has 192.0.2.11; therefore, the switch will send that MAC the traffic. The firewall then says "that's not me - but I know where it needs to go, and I'm a router, so I'll take care of that for you." It forwards the traffic to the internal LAN IP of the server, who says "Ah, that IP belongs to me, I'll route it internally to myself and accept it." Bingo Presto - the public IP address is now bound to your internal server, and you can address the daemon, which will be listening on that public IP.

Best Regards,
Nathan Eisenberg

From: Karl Fife [mailto:karlf...@gmail.com] Sent: Thursday, December 31, 2009 6:52 AM To: support@pfsense.com Subject: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?

Like many, I use 1:1 NAT to give one of my public IP addresses to an internal host. This works great for certain applications where the host (such as Asterisk) is 'smart' and can be made aware of the fact that the IP address bound to its own network interface differs from the one the outside world sees and should direct traffic to. In the case of Asterisk, which must know its external IP to properly write SDP headers, Asterisk will look to the configured external IP address instead of the one it actually sees bound to its own NIC. No problems!

The problem arises when you've got a 'dumber' host that needs to function EXACTLY like it has an actual external IP address, but where the traffic needs to flow through pfSense (for shaping, policies, IDS/IPS). I sometimes also wish that certain hosts with external addresses NOT have an internal address in the event that they become compromised/rooted etc. Naturally it would be ideal to bind the external IP address directly to an optional interface. My understanding (possibly wrong) is that this was not possible (at least) with embedded 1.2-release. Has anything changed in the 1.2.1 or .2 or .3 release that would make this possible? What about in the 2.0 beta? If I can make this work (or some creative variant of it) it will prevent me from needing to buy a number of Juniper routers. Feedback very much appreciated!
-Karl
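Nathan's proxy-ARP recipe above, worked through as an added example that is not part of the thread: a small Python model of the two broadcast domains (public wire and LAN) and the three routing tables, using the thread's addresses. It traces a packet node by node with longest-prefix-match lookups and ARP resolution (including the firewall's proxy-ARP entry), and lets you flip the two details his list calls out, the /32 mask on the server's second address and the static route on the firewall, to see what each one prevents. The Node/Segment classes, the interface names, and the rule that a node never answers ARP for its own proxy entry are assumptions of this model, not pfSense behaviour quoted from the thread.

```python
"""Hop-by-hop model of the proxy-ARP + static-route trick described above.

Constructed illustration, not pfSense code.  Each node has interface
addresses and a static routing table; each L2 segment answers ARP for the
addresses its members own plus any proxy-ARP entries.  Addresses are the
thread's (192.0.2.0/24 is documentation space).
"""
import ipaddress

ISP_GW, FW_WAN, SERVER_PUBLIC = "192.0.2.1", "192.0.2.10", "192.0.2.11"
FW_LAN, SERVER_LAN = "10.0.0.1", "10.0.0.11"


class Node:
    def __init__(self, name):
        self.name = name
        self.ifaces = {}   # iface -> [ip_interface, ...]
        self.routes = []   # (network, next_hop or None if connected, iface)

    def add_addr(self, iface, cidr):
        addr = ipaddress.ip_interface(cidr)
        self.ifaces.setdefault(iface, []).append(addr)
        # Kernel-style connected route: a /32 covers only the host itself,
        # a /24 would claim the whole public subnet as on-link.
        self.routes.append((addr.network, None, iface))
        return self

    def add_route(self, cidr, via, iface):
        self.routes.append((ipaddress.ip_network(cidr), ipaddress.ip_address(via), iface))
        return self

    def owns(self, ip):
        return any(a.ip == ip for addrs in self.ifaces.values() for a in addrs)

    def lookup(self, dst):
        """Longest-prefix match -> (next_hop_ip, iface) or None."""
        best = None
        for net, via, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via, iface)
        if best is None:
            return None
        net, via, iface = best
        return (dst if via is None else via, iface)


class Segment:
    """One broadcast domain: who answers ARP for a given IP on this wire."""
    def __init__(self, name):
        self.name, self.members, self.proxy_arp = name, [], {}

    def attach(self, node, iface):
        self.members.append((node, iface))
        return self

    def resolve(self, ip, asker):
        for node, iface in self.members:
            if any(a.ip == ip for a in node.ifaces.get(iface, [])):
                return node
        proxy = self.proxy_arp.get(ip)
        return None if proxy is asker else proxy   # nobody answers its own proxy entry


def trace(start, dst, segments, max_hops=8):
    """Follow a packet node by node; the final element says how it ended."""
    dst = ipaddress.ip_address(dst)
    node, path = start, [start.name]
    for _ in range(max_hops):
        if node.owns(dst):
            return path + ["DELIVERED"]
        hop = node.lookup(dst)
        if hop is None:
            return path + ["DROP:no-route"]
        next_ip, iface = hop
        seg = segments[(node.name, iface)]
        node = seg.resolve(next_ip, node)
        if node is None:
            return path + [f"DROP:arp-fail {next_ip} on {seg.name}"]
        path.append(node.name)
    return path + ["DROP:loop"]


def build(server_prefixlen=32, static_route=True):
    isp = Node("isp-gw").add_addr("eth0", f"{ISP_GW}/24")
    fw = (Node("firewall").add_addr("wan", f"{FW_WAN}/24").add_addr("lan", f"{FW_LAN}/24")
          .add_route("0.0.0.0/0", ISP_GW, "wan"))
    if static_route:   # "Static route on firewall to 192.0.2.11 through 10.0.0.11 on LAN"
        fw.add_route(f"{SERVER_PUBLIC}/32", SERVER_LAN, "lan")
    server = (Node("server").add_addr("eth0", f"{SERVER_LAN}/24")
              .add_addr("eth0", f"{SERVER_PUBLIC}/{server_prefixlen}")   # "note the mask!"
              .add_route("0.0.0.0/0", FW_LAN, "eth0"))
    public = Segment("public").attach(isp, "eth0").attach(fw, "wan")
    public.proxy_arp[ipaddress.ip_address(SERVER_PUBLIC)] = fw   # "ProxyARP on WAN"
    lan = Segment("lan").attach(fw, "lan").attach(server, "eth0")
    segments = {("isp-gw", "eth0"): public, ("firewall", "wan"): public,
                ("firewall", "lan"): lan, ("server", "eth0"): lan}
    return isp, server, segments


def check(server_prefixlen=32, static_route=True):
    """Inbound path ISP -> public IP, and the server's path back to the ISP gateway."""
    isp, server, segments = build(server_prefixlen, static_route)
    return {"inbound": trace(isp, SERVER_PUBLIC, segments),
            "outbound": trace(server, ISP_GW, segments)}


if __name__ == "__main__":
    for args in ((32, True), (24, True), (32, False)):
        print(args, check(*args))
```

With the recipe as written, both directions deliver: the ISP gateway ARPs for 192.0.2.11, the firewall answers, its /32 static route beats its connected 192.0.2.0/24 on WAN, and the LAN-side server accepts the packet because the address is bound to it. Give the server 192.0.2.11/24 instead of /32 and inbound still works, but the server now believes all of 192.0.2.0/24 is on-link and ARPs for the ISP gateway on the LAN, where nobody answers. Leave out the static route and the firewall, holding only its connected /24 for the WAN, tries to hand the packet back to the wire it proxy-ARPs on and gets no answer. The model says nothing about the WAN firewall rules pfSense still needs to pass traffic to 192.0.2.11, nor about NAT, which this design deliberately avoids.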
Re: [pfSense Support] 1:1 NAT - bind actual external IP to an optional interface?
On Thu, Dec 31, 2009 at 9:52 AM, Karl Fife karlf...@gmail.com wrote: Like many, I use 1:1 NAT to give one of my public IP addresses to an internal host. This works great for certain applications where the host (such as Asterisk) is 'smart' and can be made aware of the fact that the IP address bound to its own network interface differs from the one the outside world sees and should direct traffic to. In the case of Asterisk, which must know its external IP to properly write SDP headers, Asterisk will look to the configured external IP address instead of the one it actually sees bound to its own NIC. No problems! The problem arises when you've got a 'dumber' host that needs to function EXACTLY like it has an actual external IP address, but where the traffic needs to flow through pfSense (for shaping, policies, IDS/IPS). I sometimes also wish that certain hosts with external addresses NOT have an internal address in the event that they become compromised/rooted etc. Naturally it would be ideal to bind the external IP address directly to an optional interface. My understanding (possibly wrong) is that this was not possible (at least) with embedded 1.2-release. Has anything changed in the 1.2.1 or .2 or .3 release that would make this possible?

That's always been possible. Exactly how depends on how many public IPs you have. Nathan's suggestion will work where you want it on your LAN, though that violates the "NOT have an internal address" noted above. You can either add a public IP subnet on an OPT interface, or bridge OPT to WAN.