NAT - i am clueless

Started by ArminF, November 09, 2021, 09:11:57 PM

Evening,
I am struggling with one of my servers.
Scenario:

DMZ - Server 192.168.10.102 / Port TCP 502
LAN - Server 192.168.1.100 / *
Alias Host - 192.168.10.103

The DMZ Server only accepts connections from the DMZ subnet.
The LAN Server should poll some details from the DMZ Server.
NAT is needed to translate the LAN Server IP to an IP on the DMZ subnet so it will be accepted.

LAN                                          DMZ
192.168.1.100------|------------OPNSense---------|--------------192.168.10.102
                     GW LAN                               GW DMZ
                    192.168.1.1                             192.168.10.1   
          
Traffic
192.168.1.100  ---> translated to 192.168.10.103------------> 192.168.10.103

I tried outbound NAT but was not able to set it up (yet). Really buggers me....

LAN has Access to DMZ on the Firewall Ruleset
DMZ to DMZ has also access.
I can see it in the live log as well.

Would you please enlighten me so I can get rid of this burden?
thank you
armin
English: Never try, never know!
Deutsch: Unversucht ist Unerfahren!

further checks with packet capture show me some weird behavior.

Outbound NAT seems to work, as the address gets translated. But then loads of SACKs and retransmits happen.
22   31.113844   192.168.10.103   192.168.10.102   TCP   74   [TCP Retransmission] 58930 → 502 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=2035562142 TSecr=0 WS=128

"22:27:17.433500 02:9a:d4:01:5d:01 > 14:42:fc:ea:83:c8, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 63, id 24639, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.10.103.60811 > 192.168.10.102.502: Flags [S], cksum 0x8bc8 (correct), seq 186586557, win 64240, options [mss 1460,sackOK,TS val 2037162334 ecr 0,nop,wscale 7], length 0
    192.168.10.103.30523 > 192.168.10.102.502: Flags [S], cksum 0xc501 (correct), seq 785917789, win 64240, options [mss 1460,sackOK,TS val 2037164316 ecr 0,nop,wscale 7], length 0
    192.168.10.103.30523 > 192.168.10.102.502: Flags [S], cksum 0xc0ff (correct), seq 785917789, win 64240, options [mss 1460,sackOK,TS val 2037165342 ecr 0,nop,wscale 7], length 0
    192.168.10.103.44844 > 192.168.10.102.502: Flags [S], cksum 0xa9a3 (correct), seq 3558103502, win 64240, options [mss 1460,sackOK,TS val 2037167323 ecr 0,nop,wscale 7], length 0
    192.168.10.103.44844 > 192.168.10.102.502: Flags [S], cksum 0xa5a0 (correct), seq 3558103502, win 64240, options [mss 1460,sackOK,TS val 2037168350 ecr 0,nop,wscale 7], length 0
    192.168.10.103.22878 > 192.168.10.102.502: Flags [S], cksum 0x91cb (correct), seq 503280075, win 64240, options [mss 1460,sackOK,TS val 2037170330 ecr 0,nop,wscale 7], length 0
    192.168.10.103.22878 > 192.168.10.102.502: Flags [S], cksum 0x8dc7 (correct), seq 503280075, win 64240, options [mss 1460,sackOK,TS val 2037171358 ecr 0,nop,wscale 7], length 0
    192.168.10.103.6957 > 192.168.10.102.502: Flags [S], cksum 0x0d7a (correct), seq 1079445047, win 64240, options [mss 1460,sackOK,TS val 2037173337 ecr 0,nop,wscale 7], length 0"
English: Never try, never know!
Deutsch: Unversucht ist Unerfahren!

Are you NATing to the DMZ interface IP? The packet capture suggests that you are not. What is 192.168.10.103?

November 12, 2021, 07:14:23 PM #3 Last Edit: November 13, 2021, 02:59:44 AM by cs@ithandsfree.com
Okay, DMZ is really easy. I just resolved this for a client.

client setup:  192.168.0.x(Corp net) -----  10.10.10.x (DMZ network)
The client needed certain ports and servers on the Corp side accessible, here is what we did.

I went to the DMZ Rules and I created the Allow rules for the ports and destination (Corp) we wanted to allow and moved them to the top of the list. Then I created an all Block rule for the DMZ==}Corp network so as to secure the Corp network from the DMZ.

Next the CORP Rules: in this case we left the all network access rule that is created by default as the client did not care about whether any system could access the DMZ network/server from the Corp network.

I have provided pictures of the rule sets that allowed specific access from the DMZ to the Corp network/servers and blocking the rest while allowing the Corp Network to have unrestricted access to DMZ. 

If we wanted to lock down Corp==}DMZ we could make rules in the Corp Network Rules section like we did in the DMZ so that only some ports and systems could access the DMZ from the Corp Network.

Hope this helps.

*edit*
If you are trying to mask the server IP or translate the server IP to a DMZ IP, this is fraught with challenges and generally you cannot do this without some advanced networking.
There is a chance you would need to create a 1:1 NAT for the server LAN IP to be associated with the DMZ IP and then create an Outbound NAT rule.

Quote from: cs@ithandsfree.com on November 12, 2021, 07:14:23 PM
*edit*
If you are trying to mask the server IP or translate the server IP to a DMZ IP, this is fraught with challenges and generally you cannot do this without some advanced networking.
There is a chance you would need to create a 1:1 NAT for the server LAN IP to be associated with the DMZ IP and then create an Outbound NAT rule.

Not true, masquerading should work. This is not really fraught with challenges or advanced networking.
But, as TheHolm mentioned, the return path must be valid, meaning the firewall should have 192.168.10.103 as an IP Alias or something. Or alternatively, use outbound NAT on DMZ and masquerade to the existing interface IP, which seems to be 192.168.10.1.
In any case, natting between internal networks (or between any networks, for that matter) should be avoided if possible.

Also, do try to debug why the default drop does not seem to work in your case. In my opinion there are some problems with the ruleset you are showing here.
I'm also not a big fan of this way of writing firewall rules with drop something specific, allow the rest. Why not directly allow only what should be allowed? Makes everything much simpler.
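The symptom in the posted capture (SYNs from 192.168.10.103 to 192.168.10.102:502, never a SYN-ACK) and the explanation in the last reply (the firewall must own the translated address, as an IP alias or by masquerading to the interface IP, or the DMZ host's reply has nowhere to go) can be checked mechanically. The script below is an added example written for this thread, not code from the original posts or from OPNsense. It parses tcpdump-style lines, lists connection attempts that only ever saw SYNs with nothing coming back, and then tests whether the translated source address is one the firewall actually owns on the DMZ segment. The sample capture lines are constructed and modelled on the ones in the thread; the assumption that the firewall (192.168.10.1) is the DMZ hosts' default gateway comes from the OP's diagram.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the tcpdump output posted in the thread:
# repeated SYNs from the translated source, no SYN-ACK ever comes back.
SAMPLE_CAPTURE = """\
192.168.10.103.60811 > 192.168.10.102.502: Flags [S], cksum 0x8bc8 (correct), seq 186586557, win 64240, options [mss 1460,sackOK,TS val 2037162334 ecr 0,nop,wscale 7], length 0
192.168.10.103.30523 > 192.168.10.102.502: Flags [S], cksum 0xc501 (correct), seq 785917789, win 64240, options [mss 1460,sackOK,TS val 2037164316 ecr 0,nop,wscale 7], length 0
192.168.10.103.30523 > 192.168.10.102.502: Flags [S], cksum 0xc0ff (correct), seq 785917789, win 64240, options [mss 1460,sackOK,TS val 2037165342 ecr 0,nop,wscale 7], length 0
"""

# Constructed healthy handshake for contrast: source masqueraded to the
# DMZ interface IP, so the SYN-ACK reaches the firewall and the flow completes.
HEALTHY_CAPTURE = """\
192.168.10.1.41000 > 192.168.10.102.502: Flags [S], seq 1, win 64240, options [mss 1460], length 0
192.168.10.102.502 > 192.168.10.1.41000: Flags [S.], seq 100, ack 2, win 65160, options [mss 1460], length 0
192.168.10.1.41000 > 192.168.10.102.502: Flags [.], ack 101, win 502, length 0
"""

# Matches the start of a tcpdump -nn TCP line: "src.sport > dst.dport: Flags [..]"
LINE_RE = re.compile(
    r"^\s*(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Return (src, sport, dst, dport, flags) tuples; lines that are not TCP packets are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return packets


def unanswered_syns(packets):
    """Map each client-side 4-tuple that only ever sent SYNs to its SYN count.

    A flow counts as answered as soon as any packet travels from the server
    back to the client (SYN-ACK, RST, whatever). Client-side retransmits and
    ACKs do not count, which is exactly the pattern in the OP's capture.
    """
    syn_counts = defaultdict(int)
    for src, sport, dst, dport, flags in packets:
        if flags == "S":  # plain SYN, no ACK bit
            syn_counts[(src, sport, dst, dport)] += 1
    answered = set()
    for src, sport, dst, dport, _flags in packets:
        reverse_key = (dst, dport, src, sport)  # this packet seen from the client's view
        if reverse_key in syn_counts:
            answered.add(reverse_key)
    return {key: n for key, n in syn_counts.items() if key not in answered}


def return_path_ok(translated_src, dmz_subnet, firewall_owned):
    """Decide whether the DMZ host's reply to translated_src can reach the firewall.

    If the translated address lies inside the DMZ subnet, the DMZ host ARPs for
    it directly, so some device on that segment (the firewall, via its interface
    IP or an IP alias) must own it. If it lies outside, the host sends the reply
    to its default gateway, which is the firewall in the thread's diagram.
    """
    addr = ip_address(translated_src)
    if addr not in ip_network(dmz_subnet):
        return True, "reply is routed via the DMZ host's default gateway (the firewall in the diagram)"
    if addr in {ip_address(a) for a in firewall_owned}:
        return True, "firewall owns the translated address; the SYN-ACK will be delivered"
    return False, "no device on the DMZ segment answers ARP for the translated address; the SYN-ACK is lost"


if __name__ == "__main__":
    for name, cap in (("posted", SAMPLE_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        stuck = unanswered_syns(parse_capture(cap))
        print(f"{name}: {len(stuck)} connection attempt(s) with SYNs but no reply")
        for (src, sport, dst, dport), n in stuck.items():
            print(f"  {src}:{sport} -> {dst}:{dport}  SYNs seen: {n}")
    # Firewall owns only its interface IP: the alias used for NAT is nobody's.
    print(return_path_ok("192.168.10.103", "192.168.10.0/24", ["192.168.10.1"]))
    # Same translation after adding 192.168.10.103 as an IP alias on the DMZ interface.
    print(return_path_ok("192.168.10.103", "192.168.10.0/24", ["192.168.10.1", "192.168.10.103"]))
```

Run against a real `tcpdump -nn -i <dmz_if> tcp port 502` capture taken on the firewall, the first report tells you whether the server is answering at all; the second tells you whether the NAT address you picked is one the firewall can receive replies on, which is the distinction between the alias route and the masquerade-to-interface-IP route described in the last reply.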