(solved) Firewall/routing -DMZ to LAN -preserve Source IP ->Disable Outbound NAT

[ArminF]

Hello,

today i realised that if the DMZ IP talks to a LAN Source behind the LAN Gateway the Firewall replaces the Source IP with the IP of the Firewall itself.

Example:
DMZ Source IP 192.168.10.10
Firewall LAN IP 192.168.20.20
Destination IP 192.168.30.30 (a LAN server behind the firewall segment)

The request went from the DMZ through the LAN gateway to the server in a different segment.
But Source IP on the was suddenly the Firewall LAN IP. So the LAN IP where the LAN Gateway resides.

192.168.10.10 -> LAN/FW GW -> 192.168.30.30.
But 192.168.30.30 received as 192.168.20.20 instead of 192.168.10.10

Is this a default setting?
Can this be changed to reflect the origin Source IP instead of replacing it in a setting?
Or do i have to setup for those actions an Outbound NAT always?
And if outbound nat is OPNSense able to use Groups/Aliases then?

thanks
armin

[ArminF]

Anyone?

This is mission critical for us as we do have firewalls on the lan sides as well and they do filter via source IP.

So if every request from the DMZ onto the LAN will get a source IP replacement i would need to do a NAT for every source.
Also its a bit bad when every connection then comes from the same ip. Makes it hard to troubleshoot with the logs.

Would really need to know if this is a default settings which could be changed somewhere.

thanks A

[bartjsmit]

Hi Armin,

If you don't want to NAT then you need to remove the default NAT rules. You will need to make sure that the next router hop knows how to reach your LAN subnet.

Firewall, NAT, Outbound

Bart...

[ArminF]

Thanks,

i did not had a NAT (outbound) in place. Just the routing table pointing to the LAN Gateway to reach the resources behind it.

But then figured out that the IP from a DMZ Server was replaced by the IP of the Firewall while reaching out to the resources behind the LAN Gateway.

So does every connection from the DMZ or Any Other Interface which is not LAN get's his IP replaced with the one from the Firewall?

If this is an option i would like to disable it. Makes it pretty hard to troubleshoot.
We do run several servers in DMZs and so everyone talking to a resource behind the LAN segment will have the firewall IP. This is impossible to handle for me. And should not be in my opinion.

Do you have any explanation which would shed more light into this?

Much appreciated.
thanks A

[Maurice]

Automatic outbound NAT rule generation is enabled by default. Go to Firewall / NAT / Outbound and have a look at the Automatic rules section. If there are any rules, NAT is active. To disable it, switch to Disable outbound NAT rule generation.

Cheers

Maurice

[ArminF]

Thank you.

Question is would the disabling of NAT outbound then show the Source IP when it get's through the LAN Gateway?

As i wrote i had to enable it to get the source ip preserved behind the LAN GW.

This really makes no sense to me i have to say. What would be the reason to replace an IP while routing it to another Segment.

thank for your explanation. I will take a look on your description.
A

[Maurice]

Armin, you don't make it exactly easy to understand your setup.

If automatic (or hybrid) outbound NAT rule generation is enabled, outbound NAT rules get created for WAN-type IPv4 interfaces. An interface is considered WAN-type if it has an upstream gateway.

If you don't need NAT at all, disable outbound NAT rule generation.

If you don't want outbound NAT for specific interfaces, make sure they don't have an IPv4 upstream gateway. If that's not feasible, switch to manual outbound NAT rule generation and add all required outbound NAT rules manually.

Cheers

Maurice

[ArminF]

Maurice and bartjsmit,

first of all i want to thank you for being patience with me!
Second i should not write my frustration down and stay professional.

So default outbound NAT is enabled. That was why my request always got translated and the ip's were replaced. Afterwards i did overwrite these settings. Actually i should (like you both wrote) just disabled the whole feature and try again. So here is where i had my blockade. The default is ON and i did overwrite by a manual outbound NAT.

More research i found on
https://docs.opnsense.org/manual/nat.html#outbound
https://docs.netgate.com/pfsense/en/latest/nat/outbound-nat.html
https://docs.netgate.com/pfsense/en/latest/book/nat/outbound-nat.html

Again, thank you for helping me!

I will mark this case as solved and have documented the issue.
Armin

PS:
About the Setup

--                                                         
  \-                                                       
                                                           
                      +------+                             
                      |  WAN |                             
                      +--|---+        - -                   
 -                         |                                 
                     +---|----+        -                   
                     |  DMZ Ext                             
                     +--------+                             
                     +--------+                             
                     | DMZ Int|                             
                     +--------+                             
                     +--------+                             
                     |  FW LAN|                             
                     +----|---+                             
                            |           -                     
                            |                                 
           +--------------|----------------+               
           |                                         |               
           |  Corporate Network            |               
           |                                         |               
           |                                         |               
           |                                         |               
           |                                         |               
           |      +---------------------+   |               
           |      |Ringfenced Infrastructures               
           |      |   +                   |        |               
           |      +---------------------+   |               
           +-------------------------------+               -
                                                           
  Some of Corporate Networks (several /16 Networks)  do have an extra layer of security inside the Network.
Mostly Certificate CAs where we do pull SCEP Certificates for client connections and authorization.
These Firewall do react on Port and Source IP and even app which requests the action.

And here i was blocked as long as the default Option which is Automatic Outbound / Automatic translation of the Source IP was enabled. So overwrite or completely disable it was the solution.