pfSense outbound NAT


T_Minus

Build. Break. Fix. Repeat
Feb 15, 2015
7,641
2,058
113
I'm working on giving some servers elsewhere access to some VMs with static public IPs, and would like the outbound IP to match their public incoming IP so the other servers can control access via IP and not all through my one shared IP. I'm unaware of "best practices" for this, so bear with me if this setup is wrong or sloppy and educate me :)

From what I've read I can do this by changing pfSense outbound NAT from Auto to Manual and then adding the rules myself.

Before I start to play around I thought I'd ask the Networking Gurus on STH if there's more to consider / something I may have missed or don't understand completely.

- Currently set up for 'auto', so all outbound traffic uses my pfSense/router static public IP.

Goals are as follows:
  1. All internal 192.168.1.x (LAN port) on the pfSense appliance will continue using the pfSense static IP outbound (home network). Re-use the existing auto-generated outbound NAT rule to accomplish this.

  2. All internal 192.168.2.x (LAN 2 port) on the pfSense appliance will use another static IP outbound (server/host outbound, i.e. Proxmox updates/downloads, and other VMs without their own static IP mapping). Create an outbound NAT rule to use another static IP for this internal network.

  3. Create a specific outbound NAT rule for each static IP assigned to a VM so that their incoming static matches outgoing. (Create a Virtual IP / alias for the static IP to be used when configuring outbound NAT as well.)

Does that sound appropriate?


Also wondering at this time if I should not use NAT 1:1 for inbound and use ports / aliases or some other configuration to control at the router/firewall (pfsense) vs. 1:1 and relying on keeping the firewall on the VM safe too. Thoughts?

Rahvin9999

Active Member
Jan 14, 2016
135
86
28
Rotterdam, The Netherlands
Have a setup that does something similar.

Have a /29 subnet for my internet connection and I use outgoing NAT to map subnets to different IPs on the WAN side. Really easy to set up.
Using the rules you can do many things. Use a specific IP to visit a URL. Use IP x for website x and IP y for website y.

Can you elaborate on what you mean by number 3?

T_Minus
> Rahvin9999 said:
> > #3 Create a specific outbound NAT rule for each static IP assigned to a VM so that their incoming static matches outgoing. (Create a Virtual IP / alias for the static IP to be used when configuring outbound NAT as well.)
> Have a setup that does something similar.
>
> Have a /29 subnet for my internet connection and I use outgoing NAT to map subnets to different IPs on the WAN side. Really easy to set up.
> Using the rules you can do many things. Use a specific IP to visit a URL. Use IP x for website x and IP y for website y.
>
> Can you elaborate on what you mean by number 3?
Great, good to know :)

1:1 outbound I think is a basic way to describe it, maybe improper?

Basically a single "server" (bare metal, or VM) will have the outbound IP that matches the same IP used for inbound traffic.

Example: a database VM I want a server in another state to access is configured for 1:1 NAT inbound on a static IP. I also configure an outbound NAT mapping to use the same IP for outbound traffic as well, so that the external host allows permission on 1 IP instead of both the default pfSense WAN IP and the static IP specific to the VM. So instead of multiple systems/VMs sharing 1 outbound IP it's 1:1 per VM.

In pfSense I would configure the source network as a /32 (single IP of the VM) and a translation address for the static IP, which in pfSense I pre-configure as a VIP and select from the drop-down. (This is my understanding of how to do it at this point at least.) I'm still not sure if I'm going to do 1:1 NAT for inbound or only certain ports, and rely on the pfSense firewall rather than the VM firewall (last question in original post).
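An added illustration, not code from the thread: a small Python model of how pfSense's manual outbound NAT picks a translation address (rules are evaluated top to bottom, first match wins), using constructed RFC 5737 addresses in place of the poster's real WAN block and VIPs. It shows the ordering caveat behind goal 3: the per-VM /32 rule has to sit above the /24 rule for its subnet, otherwise the broader rule shadows it and the VM leaves with the subnet's IP.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (RFC 5737 documentation range); the VIPs are
# hypothetical stand-ins, not values from the original thread.
WAN_IP = "203.0.113.1"     # pfSense WAN address, what the auto rule uses
VIP_LAN2 = "203.0.113.2"   # Virtual IP for all of 192.168.2.0/24 (goal 2)
VIP_DB = "203.0.113.3"     # Virtual IP dedicated to the database VM (goal 3)


@dataclass
class OutboundNatRule:
    """One manual outbound NAT rule: source network -> translation address."""
    source: ipaddress.IPv4Network
    translation: str
    description: str


def rule(src: str, nat_to: str, desc: str) -> OutboundNatRule:
    return OutboundNatRule(ipaddress.ip_network(src), nat_to, desc)


def select_outbound_ip(rules, src_host: str) -> str:
    """Walk the rule list top to bottom and return the translation address of
    the first rule whose source network contains src_host. With no match the
    packet leaves untranslated, so the original source address is returned."""
    host = ipaddress.ip_address(src_host)
    for r in rules:
        if host in r.source:
            return r.translation
    return src_host


# Correct ordering: the most specific (/32) rule sits above the /24 rules.
RULES_OK = [
    rule("192.168.2.10/32", VIP_DB, "goal 3: database VM keeps its own IP"),
    rule("192.168.2.0/24", VIP_LAN2, "goal 2: rest of LAN2 via second VIP"),
    rule("192.168.1.0/24", WAN_IP, "goal 1: home LAN via WAN address"),
]

# Same rules with the /32 placed last: it can never match, because the /24
# rule above it already claims every host in 192.168.2.0/24.
RULES_SHADOWED = [RULES_OK[1], RULES_OK[2], RULES_OK[0]]


def shadowed_rules(rules):
    """Descriptions of rules that an earlier, broader rule fully covers."""
    out = []
    for i, r in enumerate(rules):
        if any(r.source.subnet_of(e.source) for e in rules[:i]):
            out.append(r.description)
    return out
```

Running shadowed_rules over your own rule list before saving is a cheap way to catch the misordering that makes the per-VM rule silently ineffective.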
 

T_Minus
> So much complexity.
I think it's a pretty normal/standard setup.

When you get a VM from DO, Linode, etc. you get a static IP that's incoming and outgoing; that's all I'm doing :) In addition to assigning a different outgoing IP for different subnets (home/work/etc.).
 

Rahvin9999
> T_Minus said:
> Great, good to know :)
>
> 1:1 outbound I think is a basic way to describe it, maybe improper?
>
> Basically a single "server" (bare metal, or VM) will have the outbound IP that matches the same IP used for inbound traffic.
>
> Example: a database VM I want a server in another state to access is configured for 1:1 NAT inbound on a static IP. I also configure an outbound NAT mapping to use the same IP for outbound traffic as well, so that the external host allows permission on 1 IP instead of both the default pfSense WAN IP and the static IP specific to the VM. So instead of multiple systems/VMs sharing 1 outbound IP it's 1:1 per VM.
>
> In pfSense I would configure the source network as a /32 (single IP of the VM) and a translation address for the static IP, which in pfSense I pre-configure as a VIP and select from the drop-down. (This is my understanding of how to do it at this point at least.) I'm still not sure if I'm going to do 1:1 NAT for inbound or only certain ports, and rely on the pfSense firewall rather than the VM firewall (last question in original post).
1:1 rules are great for that, just need to be careful with your firewall rules.
Have used it to temporarily deal with overlapping subnets during a merger. pfSense in the middle and 1:1 NAT to get things talking to each other. Then migrated everything over.
 

aero

Active Member
Apr 27, 2016
346
86
28
54
> T_Minus said:
> Also wondering at this time if I should not use NAT 1:1 for inbound and use ports / aliases or some other configuration to control at the router/firewall (pfsense) vs. 1:1 and relying on keeping the firewall on the VM safe too. Thoughts?
In my opinion, when exposing a machine to the Internet you should leave as small an attack surface as possible.
To that end, I would recommend port forwards rather than 1:1 static NAT, and only expose the particular ports you need. This does increase the complexity of configuration and management thereof, however.

Yes, I realize that a firewall can achieve similar results, and even in a port forwarding scenario I recommend locking it down with proper ACLs. Perhaps I'm overly paranoid. I would even add a layer of obfuscation by altering the externally exposed port, if feasible for your remote connecting applications.
e.g. internal server listening on TCP port 80; port forward from external TCP port 65080.

I feel like the setup I described helps mitigate risks from misconfiguration of ACLs.

edit: I would configure ACLs on pfSense, and also on the VM (iptables FTW!)
edit2: if you have complete control of the client endpoints/networks connecting to the services you're exposing, then I would highly recommend VPN'ing to your network instead.

Rahvin9999
> aero said:
> In my opinion, when exposing a machine to the Internet you should leave as small an attack surface as possible.
> To that end, I would recommend port forwards rather than 1:1 static NAT, and only expose the particular ports you need. This does increase the complexity of configuration and management thereof, however.
>
> Yes, I realize that a firewall can achieve similar results, and even in a port forwarding scenario I recommend locking it down with proper ACLs. Perhaps I'm overly paranoid. I would even add a layer of obfuscation by altering the externally exposed port, if feasible for your remote connecting applications.
> e.g. internal server listening on TCP port 80; port forward from external TCP port 65080.
>
> I feel like the setup I described helps mitigate risks from misconfiguration of ACLs.
>
> edit: I would configure ACLs on pfSense, and also on the VM (iptables FTW!)
> edit2: if you have complete control of the client endpoints/networks connecting to the services you're exposing, then I would highly recommend VPN'ing to your network instead.
With pfSense the 1:1 NAT does nothing without a matching firewall rule that allows the traffic to pass.
The same goes for port mappings. You can make all the port mappings you want on pfSense, but without a matching rule traffic will not flow.

T_Minus
> Rahvin9999 said:
> With pfSense the 1:1 NAT does nothing without a matching firewall rule that allows the traffic to pass.
> The same goes for port mappings. You can make all the port mappings you want on pfSense, but without a matching rule traffic will not flow.
Makes sense, thanks for posting that; it saves me from a potential hour of banging my head against the wall :)
 

Rahvin9999
> T_Minus said:
> Makes sense, thanks for posting that; it saves me from a potential hour of banging my head against the wall :)
It's a setting. With port forwards you can have it auto-create the corresponding firewall rules.
With 1:1 NAT you have to do it all yourself.
Outbound NAT rules are set to be auto-created by default, and you can switch to hybrid or the "do it your damn self" :) option (or completely disable it).