double nat routing

[giagni]

hi all

I'have got a networking issue that make me crazy...

Code:

+--------+
|--web --|
+--------+
    |
    |
88.99.100.0/26  (em1)
+--------+
|-gate1--|
+--------+
10.0.1.1  (em0)
    |
    |                    +---------+
    +---------10.0.1.5---|webserver|
    |                    +---------+
    |
10.0.1.20  (bce0)
+--------+
|-gate2--|
+--------+
192.168.4.1  (bce1)
    |
    |
192.168.4.2
+--------+
|client1-|
+--------+

In a network like that, where

gate1 nat on interface em1
gate2 nat on interface bce0
both are freebsd gateway machine with ipfw+natd


So... client1 can access on internet,
but cant access on my internal webserver

Is not a problem of ipfw rules. I'm sure.
I suppose the route to internal webserver can establish but cant'return to client1

any suggestions?
Thanks

[jggimi]

If NAT were not used on gate2 -- and it is probably not necessary -- you would have a standard dual firewall with a DMZ subnet (10.0.1). If so, you merely need to add routing table entries for the internal protected network (192.168) to gate1 and to your servers in the DMZ. e.g.:

# route add 192.168.4/24 10.0.1.20

Because you are using NAT in gate2, all packets originating on 192.168.4/24 are translated to 10.0.1.20. This eliminates the need to route to the 192.168 subnet from systems on the 10.0.1 DMZ. In theory. But without further diagnostics of the environment (ping, tcpdump, fw ruleset, etc.) there's no way to know the source of your configuration problem.

[giagni]

Thanks

I have already tried your hint... an it's work well.
Traffic from 192.168.4/24 is routed by gate1 (10.0.1.1). It's work fine but I would try to find different solution, where traffic from two subnet are completely separate. It's just for a security doubt (I guess, double nat = double security ...or perhaps is it only my figment?).
I think is not a config problem, but a networking concept that I lack.


I would try to find a solution where traffic from 192.168.4/24 is traslated,
and clients from that subnet should access to web and to my internal webserver too.


Assuming that clients have not route for 192.168.4/24 net, I try to access webserver trough public ip.
(webserver have a public ip NATted (88.99.100.5) for make it accessible from web)
I can ping but not browsing... dont know wheres my mistake... but I going to think that I cant do it.





I post some tcpdump output
so from 192.168.4.29 to 88.99.100.5:80

tcpdump from gate2 (192.168.4.1) bce1:
15:55:56.724706 IP 192.168.4.29.1196 > 88.99.100.5.80: S 4234213476:4234213476(0) win 16384 <mss 1460,nop,nop,sackOK>
15:55:56.725162 IP 88.99.100.5.80 > 192.168.4.29.1196: R 0:0(0) ack 4234213477 win 0

traslated to gate2 (10.0.1.20) bce0:
16:05:08.531149 IP 10.0.1.20.1731 > 88.99.100.5.80: S 3351163259:3351163259(0) win 16384 <mss 1460,nop,nop,sackOK>
16:05:08.531381 IP 88.99.100.5.80 > 10.0.1.20.1731: R 0:0(0) ack 3351163260 win 0

go to gate1 (10.0.1.1) em0:
16:10:07.703668 10.0.1.20.1964 > 88.99.100.5.80: S 338450095:338450095(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
16:10:07.703676 88.99.100.5.80 > 10.0.1.20.1964: R 0:0(0) ack 1 win 0 (DF)

and here stop it's route... I suppose...

sorry for messy explanation...

[phoenix]

You need to do the NAT for the web server on the incoming interfaces of both firewalls (in relation to the web server).

IOW, you need a NAT rule on gate1 (em1) that translates between the 88.99.100.x address and the 10.0.1.5 address for the web server. This handles all the traffic to/from the Internet.

Then you need a NAT rule on gate2 (bce1) that translates between the 88.99.100.x address and the 10.0.1.5 address for the web server. This handles all the traffic to/from the local network.

Better still is to implement proper split DNS, such that DNS requests from the Internet resolve to the 88.99.100.x address, and DNS requests from the local network resolve to a 192.168.4.x address (which is an alias on gate2 with 1-1 NAT for the web server).

[giagni]

Oh my gosh..... It's right!!!

Thankssssssssssss!

I was blind!

[phoenix]

Alternatively, if these are located in the same building, you can consolidate the two gateX boxes into a single firewall with three NICs: 1 connected to the Internet, 1 connected to the DMZ, 1 connected to the local LAN. Then you just write all your rules on a single box. Just be sure to write very specific rules, including the interface and direction (in recv em0 not via em0, for example).