NAT without virtual IP

Wolf
2011-05-20
2013-03-05
  • Wolf

    Wolf - 2011-05-20

    Hallo,

    I have a two-node cluster of OpenBSD 4.9 using pfsync. I have evaluated fwbuilder to make some rules. Now I wanted to test NATing, but fwbuilder does not create any rule.

    Every WAN iface of a node has its own IP; the WAN interface of the cluster has both node ifaces defined as members, but no IP.

    If I define a NAT rule to change the source (translated src set to the WAN iface of the cluster), it does not create any rule for this.

    Does anyone have any idea why?

    Thank you for all hints.

    Regards,

    Wolf.

     
  • Vadim Kurland

    Vadim Kurland - 2011-05-20

    Here is how it is designed to work:

    the cluster object should have interfaces named "carp0", "carp1" etc. One of them gets mapped to the WAN interfaces of the cluster members using a failover group object (this object is located under the cluster interface object in the tree). The cluster interface must have its own IP address; this is going to be the shared address used for the failover, and this address is used for NAT when you place either the cluster interface object or its address object in the NAT rule.

    Now, you say your cluster interface has no IP. If it has no IP, what address should the NAT rule use to translate packets? What PF configuration do you expect the program to produce?

     
  • Wolf

    Wolf - 2011-05-23

    Hallo,

    for my OSPF study and testing I have created a simple network using two OpenBSD nodes as routers between "LAN" and "WAN" - I use 10.X.X.X networks in my environment, therefore "LAN" and "WAN". I have tested only routing without firewalling. Then I wanted to test carp and pfsync, because we want to migrate our production firewall from Balabit Zorp to OpenBSD using carp and pfsync.

    For Linux I have read it is not possible to have both firewall nodes active (active-active configuration), because conntrackd does not support this till now. In OpenBSD, pfsync can delay forwarding packets and replicate the connection state to the other node, therefore it is possible to have an active-active firewall configuration.

    Firewall configuration without NAT works fine with FWbuilder. But in the production installation I need to do NAT - of course with the Zorp FW we have one shared IP and one own IP for every node, and we will use it in the OpenBSD installation.

    I wanted only to know if it is possible to do it using FWbuilder.

    You have two nodes, every node has its own IP but they have no shared IP - they do not need one. Firewall states are synchronized using pfsync. Packets coming from the LAN from the private range are SNATed to the IP of the node which got the packet. Responses are sent back to the SNATed IP.

    I thought FWbuilder generates two different configuration files to be able to specify the correct node IPs. In the Zorp FW we can define a cluster variable, and for both nodes we define different IPs. During installation Zorp generates two different configuration files using the values defined in the variable. I thought FWbuilder uses the IPs of node A when generating config files for node A and then uses the IPs of node B when generating config files for node B.

    But, that is correct, FWbuilder does it! In my testing environment, I allow SSH access to the firewall IPs. I define only one rule with the Cluster Firewall as destination. And FWbuilder generates the following rules:

    =================================================
    wolf-r120a / Policy / rule 1
    # Tables: (1)
    table <tbl.r1.d> { 10.1.0.13 , 10.1.1.11 }

    pass in   quick inet proto tcp  from any  to <tbl.r1.d> port 22 modulate state  label "RULE 1 - ACCEPT "

    wolf-r120b / Policy / rule 1
    # Tables: (1)
    table <tbl.r1.d> { 10.1.0.14 , 10.1.1.12 }

    pass in   quick inet proto tcp  from any  to <tbl.r1.d> port 22 modulate state  label "RULE 1 - ACCEPT "

    For node A with WAN IP 10.1.0.13 and LAN IP 10.1.1.11 it generates a table with these two IPs, and for node B it generates another table with its own IPs. I expected the same functionality for NAT.

    IMHO if I create a NAT rule:

    orig src=LAN
    orig dst=any
    orig svc=any
    trans src=WAN iface
    trans dst=orig
    trans svc=orig

    it should generate for node A the rule:

    match out on vic1 proto {tcp udp icmp} from 10.1.2.0/24 to any nat-to 10.1.0.13

    and for node B the rule:

    match out on vic1 proto {tcp udp icmp} from 10.1.2.0/24 to any nat-to 10.1.0.14

    simply using node A's and node B's WAN IPs the same way as in the firewall rules.

    Does it sound logical?

    Thank you for your opinion.

    Regards,

    Robert Wolf.

     
  • Mike Horn

    Mike Horn - 2011-05-23

    Right now we expect that you will use a VIP on the cluster interface if you configure a failover protocol. You can work around this by using the solution described here:

    http://www.fwbuilder.org/4.0/docs/users_guide/cluster_server_fw_synch_local_rules.html

    In your case you would create an empty NAT policy in the cluster and then add a NAT policy with the same name to each cluster member. In the local NAT rules you would use the _real_ interface from the member firewall. Of course this means that you will have to maintain separate NAT policies for each member firewall, which is not ideal.

    We'll review internally to see if there are some ways that we could enhance the current cluster support for active-active configurations as you describe. In your case, can you confirm that you have the failover protocol set to None for the cluster interfaces?

     
  • Wolf

    Wolf - 2011-05-24

    Hallo,

    I see, cool. I thought that in the cluster configuration the node rules are not evaluated. But it's a good idea with local_rules. Thank you.

    I was only surprised that for filter rules the VIP and physical IPs are set for each node, but not for NAT rules.

    Regards,

    Robert Wolf.

     
  • Mike Horn

    Mike Horn - 2011-05-24

    If you can send your data file to support@netcitadel.com we can take a look at it and see if there are some suggestions we might have. I'm curious to see how you have your VIP set up, since it sounds like you don't have a failover protocol enabled on the cluster interfaces.

     
  • Wolf

    Wolf - 2011-05-24

    Hallo,

    I do not want to waste your time :-) It was only a "what if" question. I built a test network for my OSPF study. I wanted to test setting up OSPF to use different paths for outgoing and incoming connections.

    It means from the LAN client to cluster-router 12A/12B with VIP (LAN default GW) to cluster-router 120A to the server, and back from the server to cluster-router 120B to cluster-router 12A/12B to the LAN client. It is only routing, no firewall, and it works.

    Then I wanted to add firewalling. In our environment we use equal-cost OSPF paths, and therefore it is possible that a packet can come to either of both routers. So I wanted to test an active-active firewall configuration, which is (should be) supported by pf using pfsync. So I have configured the OpenBSD hosts with pfsync and a firewall without NAT (because I use only my testing network). I have a DMZ too in my testing network, and there a VIP with carp is used because we need only one IP as a gateway for the DMZ. But for WAN and LAN we are using OSPF, so we can use own IPs and OSPF sets the paths correctly.

    But then I wanted to test simply adding NAT without VIP. It should simply SNAT outgoing traffic from routers 120A and 120B to their own "public" IP. In fact, in my testing environment, all outgoing packets are leaving through router 120A, so they should be SNATed to 120A's "public" IP, and therefore the "answers" should go back to 120A's "public" IP. But if the costs of the links to routers 120A and 120B are the same, the packet can leave through either router and could be SNATed to 120A's or 120B's own "public" IP. In this configuration I don't need a VIP.

    I have tried to configure the NAT the same way as described in cluster_server_fw_synch_local_rules.html, but somehow I am unable to do it. Can you find out what I do incorrectly?

    Step 1 - Create a New Policy in the web-servers Cluster
    * I create a new NAT policy called NAT-local in the cluster definition and leave it empty

    Step 2 - Create a New Policy in the web-03 server Object
    * I create a new NAT policy called NAT-local (not top ruleset) in both nodes

    Step 3 - Define the Local Rule in the New Policy on the web-03 Firewall
    * I define the NAT rule on both nodes in the NAT-local policy
    orig src LAN
    orig dst any
    orig svc any
    trans src WAN (node interface)
    trans dst orig
    trans svc orig

    Step 4 - Set Up a Branching Rule in the Cluster Policy to Jump to the Local Policy
    * in the cluster NAT ruleset I define the first rule to branch to NAT-local (the cluster ruleset)

    Step 5 - Compile and Install Policy
    * If I compile the cluster config, the compiler writes:

    wolf-r120a:NAT-local:: warning: ignoring cluster rule set "NAT-local" because member firewall "wolf-r120a" has rule set with the same name.

    but the file wolf-r120a-NAT-local.conf is empty. I have tried to delete the top NAT rules of both nodes and to set NAT-local as "top ruleset" in both nodes, but nothing helped.

    I will send you the testing configuration, but this case is not as important as the other case with fwbuilder crashing.

    Thank you for your interest.

    Regards,

    Robert Wolf.

     
  • Mike Horn

    Mike Horn - 2011-05-24

    What happens when you compile the rule in NAT-local on one of the member firewalls by selecting the rule, right-clicking and then selecting Compile Rule? You should see the generated PF command in the bottom editor panel. I ran a quick test here and the files for NAT-local on the member firewalls have the right commands in them.

     
  • Wolf

    Wolf - 2011-05-25

    Hallo,

    ehm, of course, the NAT solution with a node-local NAT table and branching from the cluster NAT works.

    The solution: disable IPv6 in the NAT table.

    Vadim sent me info about my bug report (fwbuilder crashing on NAT rule compilation), and the problem is in the situation where the NAT rule is IPv4+IPv6 but there is no IPv6 address set. And the same configuration I have made in this testing config.

    Now I have disabled IPv6 and set "This is IPv4 rule set" for all NAT tables, and it works! :-)

    Thank you for the solution with node-local rule sets.

    Regards,

    Robert Wolf.
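The per-member expansion discussed in this thread (the filter table holding each node's own addresses, a nat-to address that is the node's own WAN IP when the cluster interface carries no VIP, and a clean failure when a rule set is IPv4+IPv6 but the interface has no IPv6 address) as a small added Python model. This is illustration code written for this page, not fwbuilder's own compiler; the hostnames, the interface name "vic1" and the 10.1.x.x addresses follow the sample output quoted above, while the data layout and function names are assumptions made for the example.

```python
"""Per-member pf rule expansion for an active-active cluster.

Added example, not fwbuilder code. It models the behaviour described in
the thread: each member firewall keeps its own real addresses, filter
rules expand into a per-node table, and the NAT rule's nat-to address is
the node's own WAN address unless the cluster interface has a shared VIP.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, IPv6Address
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Member:
    name: str
    wan_iface: str
    wan_ip: Optional[IPv4Address]
    lan_ip: Optional[IPv4Address]
    wan_ip6: Optional[IPv6Address] = None   # none of the thread's nodes had one


@dataclass(frozen=True)
class Cluster:
    members: Tuple[Member, ...]
    wan_vip: Optional[IPv4Address] = None   # shared CARP address; None in the thread


def translation_address(cluster: Cluster, member: Member) -> IPv4Address:
    """nat-to address: the shared VIP if the cluster interface has one
    (failover design), otherwise the member's own WAN address
    (active-active design). With neither there is nothing to translate
    to, which is the question Vadim raises."""
    addr = cluster.wan_vip if cluster.wan_vip is not None else member.wan_ip
    if addr is None:
        raise ValueError(f"{member.name}: no address available for nat-to")
    return addr


def filter_rule(member: Member, rule_no: int = 1) -> str:
    """Rule 1 from the thread: SSH to the firewall itself, with the
    destination table holding this node's own addresses only."""
    tbl = f"tbl.r{rule_no}.d"
    addrs = " , ".join(str(a) for a in (member.wan_ip, member.lan_ip) if a is not None)
    return (f"table <{tbl}> {{ {addrs} }}\n"
            f"pass in quick inet proto tcp from any to <{tbl}> port 22 "
            f'modulate state label "RULE {rule_no} - ACCEPT "')


def nat_rule(cluster: Cluster, member: Member, lan: IPv4Network,
             ipv6: bool = False) -> str:
    """Outbound source NAT for LAN clients. An IPv4+IPv6 rule set on a
    node without an IPv6 address is rejected with a clear message rather
    than producing an untranslatable rule (the compile problem in the thread)."""
    if ipv6 and member.wan_ip6 is None:
        raise ValueError(
            f"{member.name}: rule set is IPv4+IPv6 but interface "
            f"{member.wan_iface} has no IPv6 address; mark the rule set IPv4-only")
    return (f"match out on {member.wan_iface} proto {{tcp udp icmp}} "
            f"from {lan} to any nat-to {translation_address(cluster, member)}")


def compile_cluster(cluster: Cluster, lan: IPv4Network,
                    ipv6: bool = False) -> Dict[str, Dict[str, str]]:
    """One configuration per member, each built from that member's own IPs."""
    return {m.name: {"filter": filter_rule(m),
                     "nat": nat_rule(cluster, m, lan, ipv6)}
            for m in cluster.members}


# Constructed sample matching the thread: two nodes, no shared WAN VIP.
LAN = IPv4Network("10.1.2.0/24")
CLUSTER = Cluster(members=(
    Member("wolf-r120a", "vic1", IPv4Address("10.1.0.13"), IPv4Address("10.1.1.11")),
    Member("wolf-r120b", "vic1", IPv4Address("10.1.0.14"), IPv4Address("10.1.1.12")),
))

if __name__ == "__main__":
    for node, cfg in compile_cluster(CLUSTER, LAN).items():
        print(f"# {node}\n{cfg['filter']}\n{cfg['nat']}\n")
```

Running the module prints one block per node; giving the Cluster a wan_vip switches both nodes to the shared address, which is the failover design Vadim describes, and passing ipv6=True reproduces the IPv4+IPv6 misconfiguration as an error instead of a crash.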
