[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Is dual NAT possible ?
I have a question regarding rather well known problem where machines on
the network behind the firewall try to access a web server located on
the same LAN using its translated address. The firewall provides NAT
using rdr rule, so machines on the Internet can access this web server.
Users on the same LAN may want to connect to it using translated
address (may be because administrator did not want to set up split
DNS). The problem is that rdr rule does not change the source address
in the packet, so the web sever replies directly to the client on the
same LAN. The client sees TCP ACK coming from the server's real IP and
does not recognize it, since it sent TCP SYN to a translated IP. The
connection can not be established.
It seems the problem can be solved by adding yet another NAT rule to
the firewall, this time a "nat" rule to translate source IP. Something
rdr proto tcp from any to $ext_address port 80 -> $web_server port 80
nat on ep1 proto tcp from $int_lan/24 to $web_server -> $ep1_addr
"ep1" is an interface connected to internal LAN.
The idea is that PF would perform translation twice on the same packet.
First time it would translate destination; this would happen for
packets coming from the Internet _and_ for packets coming from internal
LAN. Once destination address of the packet has changed, it would match
the second rule (if it comes from internal LAN) which should translate
its source address.
I expected this to work; looking at the nice PF flow chart at
http://mniam.net/pf/pf.png I thought it should. My understanding is
that PF runs packets through the rule set twice - once when it enters
the firewall and another time when it exits it.
Unfortunately the combination of these two NAT does not work for me.
Tcpdump shows that the "nat" rule never works.
What I am doing wrong ?
P.S. I know that setting up split DNS solves the problem. Let's say I
have a case where it can't be done.