Perhaps I’m missing something here, but it seems to me that this will only work 
if the entire path between firewall #1 and firewall #2 fails to employ uRPF 
validation (http://en.wikipedia.org/wiki/Reverse_path_forwarding), since you’re effectively 
sending a packet back out the WAN coming from a “foreign” IP address (foreign 
from the perspective of your ISP, that is).

I would expect your upstream provider to blackhole (null-route, drop, whatever 
you want to call it) what it perceives to be bogons.

My question isn’t why doesn’t this work consistently, but rather why does it 
ever work at all???

N.B. if you rewrite the source address as well as the destination address, or 
if you employ a proxy which will naturally do that, then my comment is 
irrelevant.

-Adam Thompson

[email protected]

From: [email protected] [mailto:[email protected]] On 
Behalf Of Adam Stasiak
Sent: Tuesday, June 05, 2012 6:48 PM
To: pfSense support and discussion
Subject: [pfSense] Redirecting connections to a second site with NAT

I am trying to redirect traffic coming to an address on my WAN subnet at one 
site to an address on the WAN subnet of another pfSense box at a different site.

I have a limited number of IPs available at the primary site, but need several 
more to host HTTPS sites. The goal is to be able to redirect HTTPS requests to 
a block of IP addresses (on the WAN subnet of one pfSense box) to a single IP 
address at the main site (but on different ports) to avoid needing a different 
public IP address for each SSL encrypted site.
I already know about wildcard certs and certs with multiple host names on them 
and also SNI, all of these are problematic for one reason or another.

Someone indicated on this list that that was possible with pfSense. And I have 
gotten it to work sporadically.

I've created a rule to forward TCP connections on port 8001 of the WAN address 
to port 80 at IP 0.0.0.25 (the target IP).
I have tried turning NAT reflection on and off for that rule; nothing seems to 
go through.
I have created firewall rules on the WAN interface (0.0.1.70) allowing all TCP 
traffic with 0.0.0.25 as the source or destination.
I also created a rule allowing traffic with 8001 as the destination.
I have control over the firewalls at both sites (both are pfSense 2.0.1) and 
both do have advanced outbound NAT on for whatever that is worth.

Any clues why this is not working for me?
Below is the packet capture at site 1 (0.0.1.70).
The packets seem to be received fine from the source (0.0.2.21) and then sent 
to site 2 (0.0.0.25).
But I never see anything in the packet capture at site 2 (or in the firewall 
block logs either).
[…chop…]
I do very sporadically get some packets captured on the other end. It's 
happened once among dozens of tries. I could understand if it just plain didn't 
work, but the fact that it works sometimes is very confusing.
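An added illustration, not from either poster, of the two pf rules the setup above comes down to, written in pf.conf syntax with the addresses from the thread; the interface name em0 is an assumption. The port forward alone sends the packet back out the WAN with the client's source address intact, which is exactly what an upstream uRPF check would reject; the second rule rewrites the source as the reply suggests.

```pf
# Assumed WAN interface name; substitute the real one.
ext_if = "em0"
wan_ip = "0.0.1.70"   # firewall #1 WAN address (from the thread)
site2  = "0.0.0.25"   # target on firewall #2's WAN subnet (from the thread)

# Port forward only: inbound dst 0.0.1.70:8001 becomes dst 0.0.0.25:80.
# The packet is then routed back out $ext_if still carrying its ORIGINAL
# source address (e.g. 0.0.2.21). An upstream router doing uRPF sees a
# source it would never route via this link and may drop it, and any reply
# from 0.0.0.25 goes straight to the client, which never spoke to 0.0.0.25.
rdr on $ext_if proto tcp from any to $wan_ip port 8001 -> $site2 port 80

# Fix: also source-NAT the forwarded packet to our own WAN address on the
# way out, so it leaves as 0.0.1.70 -> 0.0.0.25:80. That passes uRPF and
# brings the reply back through this firewall to be un-translated.
nat on $ext_if proto tcp from any to $site2 port 80 -> $wan_ip

# Allow the translated flow in both directions on the WAN interface.
pass in  on $ext_if proto tcp from any to $site2 port 80
pass out on $ext_if proto tcp from any to $site2 port 80
```

In the pfSense GUI the second rule corresponds to a manual outbound NAT entry on WAN whose destination is 0.0.0.25 and whose translation address is the WAN address.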

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list