How to deal with NAT on pfSense/OPNSense. Real world examples. 1:1 NAT, Inbound NAT, Outbound NAT.

Captions
Hello and welcome to our channel. Today I wanted to talk about network address translation and how to deal with it on OPNsense and pfSense firewalls. Today's video is not going to be a step-by-step tutorial, but I'll cover all of the NAT scenarios: I'll show you my existing rules on the firewalls, and I'll show you how to deal with port forwards, one-to-one NAT and outbound NAT. Now, traditionally, let's move on to the presentation I prepared for you to cover the theoretical part before I show you the real-world examples.

So what is NAT? NAT is network address translation, and it was invented to translate your internal IP addresses into external IP addresses by your router or firewall. Here in this green block I have most of the private IP addresses covered. There are a few exceptions to that, but I'm not going to cover them in this video because this is going to be too much of a theoretical rant. Some of the private IP address examples are 10.4.1.2, 192.168.0.4 or 172.16.0.5. Anything that you see here on the screen is private, and the general rule of thumb is that anything that's not private is considered public.

Now, why was NAT implemented in the first place? Well, two reasons for that. Security reasons, because if everything was connected directly to the internet it's going to be a security nightmare, and the second reason is there are simply not enough IPv4 addresses to cover all of the network devices in the world right now. I mean, maybe it was the case in 1990, but today, when everyone has from one to five devices of their own, it's just not a viable solution.

Okay, let's move on to the NAT types. There are two types of NAT that you're gonna have to be concerned with: the outbound NAT and the inbound NAT. Now let's move on to the next slide. Here we have some random client on the internet that wants to connect to mail.yourdomain.com on port 25. Through the internet and DNS servers and all that, it resolves the IP address to being 51.2.55.1, and the request is still coming in on port 25. So that request comes in to our firewall. The firewall goes through the inbound NAT rules, then it finds the rule that says: when you receive the request on this IP and this port, forward this to the internal IP and internal port. You can see here that we have a different port on the inside than on the outside, and that's basically what you can do with any inbound NAT rule: you have the flexibility to specify a different port that goes on the internal address rather than its publicly available port. Hopefully that makes sense so far.

Before I move on to the practical example, I wanted to cover one more slide. Imagine the situation where we have a client on the inside that wants to access our hosted resource. It's going to be a waste if it will go to the internet and then back to the firewall and then to our email server VM. So we're going to configure a feature here that will tell the firewall: if you receive anything from this client, don't go out to the internet, route the traffic straight back to the VM. And the feature is called NAT reflection.

Now, when we have the inbound NAT covered, let's move on to some practical examples. I'll start with OPNsense here. If you want to get to the inbound NAT rules section, go to Firewall, NAT and Port Forward, then hit add a new rule and follow my example over here. It's a new rule, so we don't want it disabled. The interface section is very interesting, particularly on the OPNsense. So remember that NAT reflection feature I told you about just a minute ago? Well, on the OPNsense you're gonna have to mark every interface that will have access to the NAT reflection in this very rule. If you don't do it, NAT reflection will not work. I don't know if it's a bug or a feature, but I learned it the hard way, configuring many port forwards and then troubleshooting the NAT reflection issues, things like that. pfSense has a different issue with this, but for OPNsense, remember: if you want your NAT reflection to work, mark all of the internal interfaces that you want this to work on, and of course additionally you need to mark the external interface that will receive the request from the external client.

Then, for the IP version, I have IPv4 here, protocol is TCP, and the destination itself is going to be one of your externally available IP addresses. It can be set to something like WAN address, but in my particular case I need this IP to be translated into the internal one. Destination port range in my case is HTTP, but you can easily set it to other and input the random port on your firewall. The redirect target IP is your internal resource, and the redirect target port is the port that's open on your internal resource. Pool options is a unique feature to OPNsense, and with it you can do some basic load balancing. For example, if you have multiple VMs on the back end, you can have one public IP address and OPNsense will forward everything to the set of backend IP addresses, although for it to work you need to create an alias, add all of your desired internal IP addresses to the alias, and then choose one of the pool options, something like round robin or round robin with sticky address. If you need to log your packets for troubleshooting or whatnot, tick this checkbox. Give your rule a description. Local tag and match local tag, this is something you use in very advanced scenarios where you have double NAT and things like that; I'm not gonna cover that in this video, most of you will not need this, like, ever. And filter rule association: I already have a rule here, but you're gonna have to check the tick box to allow the automatic rule creation. If you are not into that and you want to create a rule manually, just leave the box unticked and create the rule manually. Hit save, apply changes, and you're good to go. That's pretty much all you need to do on the OPNsense to get this working.

If you want to do the same on pfSense, go to Firewall, NAT and then Port Forward, create a new rule and follow my example. We don't want to disable this rule. Choose the interface you want to receive the traffic on, then choose the protocol, then the destination. If you have multiple IP addresses, choose the destination here, but as you can see over here I only have one IP address bound to this interface, and here you have a perfect example of how to choose the native IP address of the interface instead of a separate one. The destination port range is 2209 in my case. Redirect target IP is 1016014, that's the IP address of the internal VM. Redirect target port is 22, or SSH; if you click other, you can specify the custom port. Leave some description. NAT reflection: I have the pure NAT turned on by default in my system. If you're very curious, you can go to the Netgate website and look for NAT reflection and check for yourself what's the difference between NAT + proxy and pure NAT, but to save you some trouble, in most cases, like 99% of the time, you're gonna have to choose the pure NAT option. Hit save, apply, and you're mostly good to go.

There is one caveat, as there was with OPNsense. On pfSense, if you have blocked the traffic going from local machine to local machine and you are exposing that local machine to the internet, you're not going to be able to reach that particular resource even over the port forward on the public IP. What you have to do is you need to create a firewall rule on the internal interface that will allow this to happen. I'll show you an example. So I have some resource sitting in V1 default NAT, and I want to reach a proxy that's exposed to the outside world. I cannot do that unless I add a specific rule that allows that to happen, and in my case it's V1 default NAT to V6 web proxy. If you're interested in how pfSense internal rules work, I have another video about that on my channel; you can search for "pfSense LAN rules explained". But that's basically how you tackle the inbound NAT scenario.

Now, with the inbound NAT covered, let's move on to the outbound NAT. And you probably have a question: why do we even need outbound NAT? Well, there are a few scenarios where we need to configure this. One would be when you have an email server and you need to specify the PTR record to the specific IP address, and then you're going to need to specify the SPF record for the specific IP address, also the SMTP banner, things like that. Most of the time the outbound NAT needs to be configured on your firewall when you have multiple external IP addresses assigned to it, and I'll cover two scenarios where you have a similar configuration that requires the outbound NAT. First we have a public IP address assigned by DHCP, so we need one physical interface per IP, and the other one has PPPoE, or it can be PPTP or statically assigned by your ISP-supplied router: a block of IP addresses that are assigned to one single interface.

For the outbound rules I'll also start with OPNsense. If you want to configure that, go to Firewall, NAT, Outbound. First and foremost, switch from automatic outbound rule generation to hybrid. This is going to give you a way of adding some manual rules at the top, but you will keep the benefit of the firewall creating some internal rules automatically without you having to manage them. When you've selected that, click save, apply, you're good to go. Then create a new rule and follow my example. Interface is the external interface you want your traffic to go from. IPv4 in my case. Protocol any. Source address is the internal resource's source address or alias. You can also configure a source port if you need to, but this is an advanced example that I'm not going to cover. Destination address any, destination port any. Then translation target: this is going to be an external IP address, and I have them listed here because the internet connection type on this OPNsense box is PPPoE and I have the ability of adding virtual IP addresses to one interface. In your case you might only be able to choose one of your interface's IP addresses. Activate the log option if you want to have the persistent logs for this rule. Translation port also belongs to the advanced use case that I'm not going to cover here. Pool options is the same thing that you had for the inbound rules; this way you can load balance your traffic that's going out to the internet. Skip the local tag part, give it a description, hit save, apply, and you are good to go.

One quick tip before I move on to pfSense. If you want to check if this worked, go to one of your Windows machines and google "my IP address" and check if it's really the IP address you configured it to use. But if the internal resource is a Linux machine, use curl ifconfig.me, press enter, and it's going to show you the public IP that you configured. And if it shows you a different address from the one that you configured, you need to go back and revise your settings.

Moving on to pfSense, go to Firewall, NAT, Outbound. As in the previous example, click hybrid outbound NAT, hit save, apply, and you're good to go; this feature is identical on both platforms. Now go ahead and add a new rule. Choose the interface. Again, a side note before I continue the configuration: this is the DHCP configuration, as you might remember from the inbound NAT section, and there is only one external IP address per interface. So with that covered, let's move on. Address family is IPv4 in my case. Protocol any. Source: choose network and then specify the IP address of the internal resource and put the 32-bit at the end. Destination any. For the translation choose the external IP address of your interface; in my case it's interface address. Give it a description, hit save, apply, and that's pretty much it. Don't forget to go to your VM and actually check if the setting was applied.

One last thing I wanted to cover in this video today is one-to-one NAT. One-to-one NAT is designed to bind a specific internal IP address to the external IP address, so you don't need to do any port forwarding in that case; you just need to open firewall ports. So there's still a firewall between the internal resource and the internet, but the network translation is done automatically from the outside in and from the inside out. This approach doesn't have many useful use cases, but you might sell your client direct access to one of your internal boxes, and they want to manage everything regarding that host; one-to-one NAT is your friend in this scenario. Another use case would be a PBX server. All of our PBX servers are hidden behind the VPN, but there are some people that cannot afford or don't have the technical know-how to hide the server behind the VPN, so they need to expose the servers with one-to-one NAT. This is really not recommended, but the only way your PBX server will work with the external IP address is actually one-to-one NAT.

So let's start with the OPNsense firewall first again. Before you even start adding one-to-one NAT rules, go to Firewall, Settings, Advanced and hit this checkbox; otherwise you're gonna have a hard time figuring out how to enable the NAT reflection for one-to-one rules. Save and apply your settings, then go to NAT, One-to-One, and this is much simpler than what we had before. We just need to choose the interface; the type, which is usually BINAT in, like, 99 percent of the cases; external network is your public IP address, and the source is your internal resource. Destination any, give it a description, NAT reflection enable, hit save, apply, and that's pretty much it.

Moving on to the pfSense, you want to go to System, Advanced, Firewall, scroll approximately to the middle of the page and find "enable NAT reflection for one-to-one NAT". Enable it, save and apply settings. After that go to Firewall, NAT, One-to-One and add a new rule. Here you can specify the interface, then the external IP address, the internal IP address, leave the destination as any, give it a description and enable NAT reflection. Hit save, apply, and the rule is ready. When you are configuring one-to-one NAT, there is a possibility for you to specify a different block of IP addresses, for example I want to forward internal /28 to the external /28. Although you can do that, I really don't recommend you do, because if something happens to break, you're gonna have a hard time figuring out what broke and where exactly. So unless you must do it this way, I really recommend against it.

So that's it for this video. If you liked it, please consider leaving a like and subscribing. If you found this content useful, please consider donating to our PayPal; it really helps to keep the lights on in the studio. But for now, thank you very much for watching, and I'll see you in the next one.
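Both pfSense and OPNsense turn the GUI rules from the video into pf rules under the hood. As an added example (not from the video or either project), here is roughly what the three rule types look like written by hand in pf.conf syntax: the public address 51.2.55.1 and the 2209 -> 22 port forward follow the video; the interface names em0 (WAN) and em1 (LAN), the internal hosts, the subnet and the extra public addresses are assumptions. Translation rules are evaluated first-match and must come before filter rules, and filter rules see the already-translated internal addresses.

```pf
# Added example, not the firewall's generated ruleset. Interface names, the LAN
# subnet and all 10.16.0.x hosts are assumed; only 51.2.55.1:2209 -> :22 is from the video.
ext_if  = "em0"
lan_if  = "em1"
lan_net = "10.16.0.0/24"      # assumed internal subnet
ssh_vm  = "10.16.0.14"        # assumed internal VM (port-forward target)
mail_vm = "10.16.0.25"        # assumed mail server that needs a fixed source IP
pbx_vm  = "10.16.0.30"        # assumed host exposed with 1:1 NAT

# Inbound NAT (port forward): public 51.2.55.1:2209 -> internal VM port 22.
# External and internal ports may differ, exactly as in the video.
rdr on $ext_if inet proto tcp from any to 51.2.55.1 port 2209 -> $ssh_vm port 22

# NAT reflection, "pure NAT" style: repeat the redirect on the LAN interface so an
# internal client hitting the public IP is turned around locally ...
rdr on $lan_if inet proto tcp from $lan_net to 51.2.55.1 port 2209 -> $ssh_vm port 22
# ... and rewrite the source so the VM replies back through the firewall instead of
# straight to the client (which would break the connection, as the state lives here).
nat on $lan_if inet proto tcp from $lan_net to $ssh_vm port 22 -> ($lan_if)

# Outbound NAT in "hybrid" mode: the manual rule comes first and wins for the mail
# server, so its traffic always leaves as 51.2.55.2 (PTR/SPF can point at it);
# everything else falls through to the automatic interface-address rule.
nat on $ext_if inet from $mail_vm to any -> 51.2.55.2
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# 1:1 NAT (binat): bidirectional mapping of one host to one public IP, no port
# forwards needed, but still subject to the filter rules below.
binat on $ext_if inet from $pbx_vm to any -> 51.2.55.3

# Filter rules match on the translated (internal) address, so each forward still needs
# a pass rule; this is what the GUI's "filter rule association" creates for you.
pass in quick on $ext_if inet proto tcp from any to $ssh_vm port 22
# The pfSense caveat from the video: the reflected LAN-to-LAN path needs its own
# pass rule on the internal interface, or the port forward works only from outside.
pass in quick on $lan_if inet proto tcp from $lan_net to $ssh_vm port 22
```

On a live box the GUI owns the ruleset, so this is for reading the generated rules (pfSense writes them to /tmp/rules.debug) rather than for pasting into the firewall.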
Info
Channel: Gateway IT Tutorials
Views: 47,818
Keywords: pfSense, OPNSense, NAT, Networking, Firewalls, OpenSource, FOSS, Tutorial, DMZ, Port Forward
Id: IsUFzuhwsME
Length: 18min 25sec (1105 seconds)
Published: Sat Aug 15 2020