Has anyone experienced VIP/NAT issues w/ the
current rel?

1.2-RC3 > built on Wed Oct 10 05:44:26 EDT 2007

=== HERE'S THE SETUP ===

OPT1-----[host=10.0.0.100]
|
LAN------[net=192.168.1.0/24]----[pfSense=192.168.1.1/VIP=192.168.1.200]
|
WAN------[net=x.x.x.x]

=== HERE'S THE VIP SETUP ===

<virtualip>
  <vip>
    <mode>other</mode>
    <interface>lan</interface>
    <descr>NAT VIP Address</descr>
    <type>single</type>
    <subnet_bits>32</subnet_bits>
    <subnet>192.168.1.200</subnet>
  </vip>
</virtualip>

=== HERE'S THE NAT SETUP {EDITED} ===

<nat>
  <ipsecpassthru/>
  <advancedoutbound>
    <rule>
      <source>
        <network>10.0.0.100/32</network>
      </source>
      <sourceport/>
      <descr>TESTNET2LAN NAT</descr>
      <target>192.168.1.200</target>
      <interface>lan</interface>
      <destination>
        <address>192.168.1.0/24</address>
      </destination>
      <natport/>
      <dstport/>
    </rule>
{LINES OMITTED}
<nat>
{LINES OMITTED}
  <rule>
    <external-address>192.168.1.200</external-address>
    <protocol>tcp</protocol>
    <external-port>5900</external-port>
    <target>10.0.0.100</target>
    <local-port>5900</local-port>
    <interface>lan</interface>
    <descr>Admin VNC2</descr>
    <nosync/>
  </rule>


So, here is the issue: this setup has been
working fine with the RC2 release, thereby allowing
me to masq the 10.0.0.100 address as 192.168.1.200
for any work I had to do from the OPT1 network
into the LAN network, and also allowing me to VNC
into the 10.0.0.100 box with an address of
192.168.1.200.

Points for clarification:

-> AON (auto NATting) is disabled, all NATting is
manual.
-> Policies/rules have not changed.
-> Only change was upgrade to RC3 (see build date
above)
-> I know I can perform the same level of access
through routing/policies, but that is NOT an
option in this case (see below).

I know that is a little skewed, and the reason is
beyond the scope of this email to describe, but
suffice it to say that it is an audit issue and HAS
to remain this way so that access from the
10.0.0.100 host looks like 192.168.1.200 and
vice-versa.

Any thoughts?

Need more info? Just ask.

Thanks in advance.
--
David L. Strout
Engineering Systems Plus, LLC
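Before blaming a release, the check worth running on a post-upgrade config.xml is whether every NAT rule that masquerades as, or listens on, an address still has a matching virtual IP defined on the same interface (a VIP that was silently dropped or re-homed during the upgrade would produce exactly the symptoms above). The script below is an added example, not code from the post or from the pfSense project: it parses a config.xml fragment constructed from the snippets quoted above (the omitted sections are replaced with a minimal structure, so it is not a real exported file) and reports any outbound `<target>` or port-forward `<external-address>` that is not a `<virtualip><vip>` on that rule's interface. Run it against a real config.xml by passing the path on the command line.

```python
"""Cross-check a pfSense 1.x config.xml: every NAT rule that translates to, or
accepts traffic on, an address must have a <virtualip><vip> for that address
on the same interface.  Added example; assumes the 1.x element names quoted in
the post (virtualip/vip, nat/advancedoutbound/rule, nat/rule)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the configuration quoted in the post.  The
# "{LINES OMITTED}" parts of the post are replaced with a minimal structure.
SAMPLE_CONFIG = """<pfsense>
<virtualip>
  <vip>
    <mode>other</mode>
    <interface>lan</interface>
    <descr>NAT VIP Address</descr>
    <type>single</type>
    <subnet_bits>32</subnet_bits>
    <subnet>192.168.1.200</subnet>
  </vip>
</virtualip>
<nat>
  <ipsecpassthru/>
  <advancedoutbound>
    <rule>
      <source><network>10.0.0.100/32</network></source>
      <sourceport/>
      <descr>TESTNET2LAN NAT</descr>
      <target>192.168.1.200</target>
      <interface>lan</interface>
      <destination><address>192.168.1.0/24</address></destination>
      <natport/>
      <dstport/>
    </rule>
  </advancedoutbound>
  <rule>
    <external-address>192.168.1.200</external-address>
    <protocol>tcp</protocol>
    <external-port>5900</external-port>
    <target>10.0.0.100</target>
    <local-port>5900</local-port>
    <interface>lan</interface>
    <descr>Admin VNC2</descr>
    <nosync/>
  </rule>
</nat>
</pfsense>
"""


def child_text(el, tag):
    """Stripped text of child <tag>, or None when the child is absent or empty."""
    child = el.find(tag)
    return child.text.strip() if child is not None and child.text else None


def load_vips(config_xml):
    """Map (interface, address) -> VIP mode for every VIP in <virtualip>."""
    root = ET.fromstring(config_xml)
    return {
        (child_text(vip, "interface"), child_text(vip, "subnet")): child_text(vip, "mode")
        for vip in root.findall("./virtualip/vip")
    }


def check_nat_vips(config_xml):
    """Return [(rule descr, problem)] for NAT rules whose address is not a VIP
    on the rule's interface.  An empty list means the config is self-consistent."""
    root = ET.fromstring(config_xml)
    vips = load_vips(config_xml)
    findings = []
    # Manual outbound NAT: <target> is the address the source is masqueraded as.
    for rule in root.findall("./nat/advancedoutbound/rule"):
        target, iface = child_text(rule, "target"), child_text(rule, "interface")
        if target and (iface, target) not in vips:
            findings.append((child_text(rule, "descr"),
                             f"outbound target {target} is not a VIP on {iface}"))
    # Inbound port forwards: an explicit <external-address> must be a VIP.
    # Absent or "any" means the interface address itself, which needs no VIP.
    for rule in root.findall("./nat/rule"):
        ext, iface = child_text(rule, "external-address"), child_text(rule, "interface")
        if ext and ext != "any" and (iface, ext) not in vips:
            findings.append((child_text(rule, "descr"),
                             f"external address {ext} is not a VIP on {iface}"))
    return findings


if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    problems = check_nat_vips(xml_text)
    for descr, problem in problems:
        print(f"[{descr}] {problem}")
    print("OK: every NAT address is backed by a VIP" if not problems else f"{len(problems)} problem(s)")
```

On the configuration as quoted the check passes, which is the useful negative result: the rules and the VIP agree, so the regression is in how RC3 applies them rather than in the config itself. Renaming or re-homing the VIP in the sample (for example changing its `<subnet>`) makes both the outbound rule and the VNC forward show up as findings.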