It certainly doesn't appear that pfSense will rewrite the source address
itself.
And if it did, I'd imagine that to the webserver, everything would appear
to be coming from that one address.
Would it be feasible for me to set up a site-to-site VPN, and NAT the
traffic onto that, rather than over the open internet?
I don't think I would really need the encryption, just the encapsulation.
Is there a lighter weight way of encapsulating the packets than using IPsec
or OpenVPN? Would that idea even be likely to work?

On Tue, Jun 5, 2012 at 7:58 PM, Adam Thompson <[email protected]> wrote:

> Perhaps I’m missing something here, but it seems to me that this will only
> work if the entire path between firewall #1 and firewall #2 fails to employ
> uRPF validation (http://en.wikipedia.org/wiki/Reverse_path_forwarding),
> since you’re effectively sending a packet back out the WAN coming from a
> “foreign” IP address (foreign from the perspective of your ISP, that is).
>
> I would expect your upstream provider to blackhole (null-route, drop,
> whatever you want to call it) what it perceives to be bogons.
>
> My question isn’t why doesn’t this work consistently, but rather why does
> it ever work at all???
>
> N.B. if you rewrite the source address as well as the destination address,
> or if you employ a proxy which will naturally do that, then my comment is
> irrelevant.
>
> -Adam Thompson
>
> [email protected]
>
> From: [email protected] [mailto:
> [email protected]] On Behalf Of Adam Stasiak
> Sent: Tuesday, June 05, 2012 6:48 PM
> To: pfSense support and discussion
> Subject: [pfSense] Redirecting connections to a second site with NAT
>
> I am trying to redirect traffic coming to an address on my WAN subnet as
> one site to an address on the WAN subnet of another pfSense box at a
> different site.
>
> I have a limited number of IPs available at the primary site, but need
> several more to host HTTPS sites. The goal is to be able to redirect HTTPS
> requests to a block of IP addresses (on the WAN subnet of one pfSense box)
> to a single IP address at the main site (but on different ports) to avoid
> needing a different public IP address for each SSL-encrypted site.
> I already know about wildcard certs and certs with multiple host names on
> them, and also SNI; all of these are problematic for one reason or another.
>
> Someone indicated on this list that that was possible with pfSense. And I
> have gotten it to work sporadically.
>
> I've created a rule to forward TCP connections on port 8001 of the WAN
> address to port 80 at IP 0.0.0.25 (the target IP).
> I have tried turning NAT reflection on and off for that rule; nothing
> seems to go through.
> I have created firewall rules on the WAN interface (0.0.1.70) allowing all
> TCP traffic with 0.0.0.25 as the source or destination.
> I also created a rule allowing traffic with 8001 as the destination.
> I have control over the firewalls at both sites (both are pfSense 2.0.1)
> and both do have advanced outbound NAT on for whatever that is worth.
>
> Any clues why this is not working for me?
> Below is the packet capture at site 1 (0.0.1.70).
> The packets seem to be received fine from the source (0.0.2.21) and then
> sent to site 2 (0.0.0.25).
> But I never see anything in the packet capture at site 2 (or in the
> firewall block logs either).
> […chop…]
>
> I do very sporadically get some packets captured on the other end. It's
> happened once among dozens of tries. I could understand if it just plain
> didn't work, but the fact that it works sometimes is very confusing.
>
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
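The uRPF point Adam Thompson raises, and his N.B. about also rewriting the source address, can be modelled in a few lines. The following is an added illustration written for this thread; it is not pfSense or pf code and not something either poster wrote. It uses the placeholder addresses from the thread (0.0.1.70 for the site 1 WAN, 0.0.2.21 for the client, 0.0.0.25 for the target at site 2); the prefix lengths, the ISP's route table and the `port_forward`/`urpf_accepts`/`egress_result` function names are all assumptions made for the example. It shows that a port forward which only rewrites the destination sends the client's own address back out the WAN, which a strict uRPF check on the access link rejects, whereas rewriting the source to the WAN address passes; loose-mode uRPF (source merely has to be routable anywhere) would let the unrewritten packet through.

```python
import ipaddress

# Constructed model of an ISP edge applying uRPF to packets leaving site 1's WAN.
# Addresses are the thread's placeholders; prefixes and tables are assumptions.
SITE1_WAN = "0.0.1.70"      # site 1 pfSense WAN address (from the thread)
TARGET_SITE2 = "0.0.0.25"   # forward target on site 2's WAN subnet (from the thread)

# Prefixes the ISP expects as source addresses on site 1's access link (assumed).
ACCESS_LINK_PREFIXES = [ipaddress.ip_network("0.0.1.64/26")]
# Everything the ISP has any route for, used by loose-mode uRPF (assumed).
GLOBAL_ROUTES = ACCESS_LINK_PREFIXES + [
    ipaddress.ip_network("0.0.2.0/24"),   # where the client lives
    ipaddress.ip_network("0.0.0.0/24"),   # where site 2 lives
]


def urpf_accepts(src_ip, mode="strict"):
    """True if an edge router doing uRPF would accept a packet with this source
    address arriving from site 1's link. Strict: source must be reachable via
    that same link. Loose: source must merely exist somewhere in the table."""
    src = ipaddress.ip_address(src_ip)
    table = ACCESS_LINK_PREFIXES if mode == "strict" else GLOBAL_ROUTES
    return any(src in net for net in table)


def port_forward(packet, rewrite_source):
    """Model the thread's port forward: WAN:8001 -> 0.0.0.25:80.
    With rewrite_source=True the source is translated to the WAN address too
    (Thompson's N.B.); otherwise the client's address is kept as-is."""
    out = dict(packet)
    out["dst"], out["dport"] = TARGET_SITE2, 80
    if rewrite_source:
        out["src"] = SITE1_WAN
    return out


def egress_result(rewrite_source, mode="strict"):
    """A client packet hits the site 1 WAN, is forwarded back out the same WAN;
    return whether the ISP's uRPF check lets it leave."""
    client_pkt = {"src": "0.0.2.21", "dst": SITE1_WAN, "dport": 8001}  # constructed
    fwd = port_forward(client_pkt, rewrite_source)
    return urpf_accepts(fwd["src"], mode)


if __name__ == "__main__":
    for rewrite in (False, True):
        for mode in ("strict", "loose"):
            outcome = "forwarded" if egress_result(rewrite, mode) else "dropped as bogon"
            print(f"rewrite_source={rewrite!s:5} uRPF {mode:6}: {outcome}")
```

Running it prints four lines: only the destination-only forward under strict uRPF is dropped. The model says nothing about why the real setup works occasionally; it only makes visible which packets a strict check would refuse and why rewriting the source (or terminating the connection in a proxy) removes that particular failure.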