RDR with NAT

Murus
BrandonNC
Posts: 9
Joined: Tue May 12, 2015 4:08 am

RDR with NAT

Post by BrandonNC » Tue May 12, 2015 4:36 am

Hi all, new Murus Pro user here.

Could someone describe the process of setting up Murus to NAT a single incoming port to another host? I figured out how to add a custom RDR rule but (I think) since the internal host I'm ultimately trying to get to doesn't know how to get back to my source host, it's not working properly. How would I use my rdr rule but also NAT the connection to the Murus PC's interface IP (since the Murus machine knows how to get to both hosts)?

Thanks!

hany
Posts: 480
Joined: Wed Dec 10, 2014 5:20 pm

Re: RDR with NAT

Post by hany » Tue May 12, 2015 2:38 pm

assuming you are using Murus to run a dual homed router and you want to "export" a service running on an internal host (LAN side) to the WAN side then it is not necessary to use custom rules. You have to create a custom service for that port (if there is no corresponding default service) then put this service into Inbound Managed Services, then check the "forward to nat client" option and put the local IP address.

BrandonNC
Posts: 9
Joined: Tue May 12, 2015 4:08 am

Re: RDR with NAT

Post by BrandonNC » Tue May 12, 2015 9:33 pm

The machine isn't dual homed, will that matter?

The setup is:

External Host (5.5.5.5) -> VPN Firewall -> Murus Box (10.1.1.1) -> Firewall -> Internal Host (192.168.1.1)

The "VPN Firewall" and the "Firewall" above are both the same cisco device. The external host establishes a VPN tunnel over the internet which gives them access to the 10.1.1/24 subnet, which includes the Murus box. The Murus box itself has a default gateway pointing to the cisco firewall, and that firewall allows the Murus box to get to internal hosts on the 192.168.1/24 subnet. By itself, the external host can't get to the internal host, so I'm trying to set up a port on the Murus box (let's say port 2200), which will forward traffic from 5.5.5.5/32 to 192.168.1.1/32 on port 22.

I can accomplish this with the following pure pf rules:

nat on en0 from 5.5.5.5/32 to any port 2200 -> en0
rdr pass inet proto tcp from any to any port 9002 -> 192.168.1.1 port 22

This works fine without the Murus ruleset loaded, but as soon as I add those rules to Murus using custom firewall rules, something else (I imagine) in the Murus config prevents it from working.

I just tried to create the custom service as you suggested (I used port 2200/TCP as the service port, checked the "Forward service to NAT client" box, and set those options to forward to 192.168.1.1 and port 22), however I get connection refused from the 5.5.5.5 box as soon as I try to telnet to the Murus box on port 2200, and a tcpdump on the Murus box shows the mac/Murus sending a TCP RST packet to the 5.5.5.5 machine after the initial SYN packet.

BrandonNC
Posts: 9
Joined: Tue May 12, 2015 4:08 am

Re: RDR with NAT

Post by BrandonNC » Tue May 12, 2015 9:42 pm

Another note, using my own two custom pf rules with Murus gives me the following in a tcpdump:

17:37:20.431728 IP 5.5.5.5.52304 > 10.1.1.1:2200: Flags [S], seq 2241385707, win 29200, options [mss 1334,sackOK,TS val 1401198315 ecr 0,nop,wscale 7], length 0
17:37:20.431782 IP 5.5.5.5.52304 > 192.168.1.1.22: Flags [S], seq 2241385707, win 29200, options [mss 1334,sackOK,TS val 1401198315 ecr 0,nop,wscale 7], length 0

These SYN packets just keep repeating since no SYN-ACK is received.

However, when I turn off Murus (flush all rules) and use my own rules by themselves, everything works fine and shows:

17:39:00.883090 IP 5.5.5.5.52309 > 10.1.1.1.2200: Flags [S], seq 3306273728, win 29200, options [mss 1334,sackOK,TS val 1401223428 ecr 0,nop,wscale 7], length 0
17:39:00.883205 IP 10.1.1.1.40773 > 192.168.1.1.22: Flags [S], seq 3306273728, win 29200, options [mss 1334,sackOK,TS val 1401223428 ecr 0,nop,wscale 7], length 0
17:39:00.884009 IP 192.168.1.1.22 > 10.1.1.1.40773: Flags [S.], seq 732306906, ack 3306273729, win 28960, options [mss 1334,sackOK,TS val 1772673446 ecr 1401223428,nop,wscale 7], length 0

As you can see, the problem when I use my own nat and rdr-pass rules in Murus is that the NAT rule seems to be ignored, and since the host at 192.168.1.1 doesn't know how to get back to 5.5.5.5 the return traffic gets lost.
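The two captures above make the failure mode visible: in the broken case the SYN forwarded to 192.168.1.1 still carries the external source 5.5.5.5 (rdr applied, nat not), while in the working case it carries the router's own address 10.1.1.1 and a SYN-ACK comes back. The following small checker is an added example, not code from the thread or from Murus; it parses tcpdump lines of this shape and reports whether rdr, nat and the return path are all present. The router/internal addresses and ports are the ones given in the post; the capture lines are embedded as constructed sample input (copied from the post).

```python
import re

# Constructed sample input: the two tcpdump excerpts quoted in the post.
CAPTURE_MURUS = [
    "17:37:20.431728 IP 5.5.5.5.52304 > 10.1.1.1:2200: Flags [S], seq 2241385707, win 29200, options [mss 1334,sackOK,TS val 1401198315 ecr 0,nop,wscale 7], length 0",
    "17:37:20.431782 IP 5.5.5.5.52304 > 192.168.1.1.22: Flags [S], seq 2241385707, win 29200, options [mss 1334,sackOK,TS val 1401198315 ecr 0,nop,wscale 7], length 0",
]
CAPTURE_CLEAN = [
    "17:39:00.883090 IP 5.5.5.5.52309 > 10.1.1.1.2200: Flags [S], seq 3306273728, win 29200, options [mss 1334,sackOK,TS val 1401223428 ecr 0,nop,wscale 7], length 0",
    "17:39:00.883205 IP 10.1.1.1.40773 > 192.168.1.1.22: Flags [S], seq 3306273728, win 29200, options [mss 1334,sackOK,TS val 1401223428 ecr 0,nop,wscale 7], length 0",
    "17:39:00.884009 IP 192.168.1.1.22 > 10.1.1.1.40773: Flags [S.], seq 732306906, ack 3306273729, win 28960, options [mss 1334,sackOK,TS val 1772673446 ecr 1401223428,nop,wscale 7], length 0",
]

# tcpdump IPv4/TCP header line: "<ts> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
# The port separator is accepted as "." or ":" because the post shows both.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)[.:](?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)[.:](?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(lines):
    """Return one dict per parseable line (non-matching lines are skipped)."""
    pkts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["sport"] = int(p["sport"])
            p["dport"] = int(p["dport"])
            pkts.append(p)
    return pkts


def check_forwarding(lines, router_ip, listen_port, internal_ip, internal_port):
    """Classify a capture taken on the router for a port-forward of
    router_ip:listen_port -> internal_ip:internal_port.

    rdr_applied : a SYN left the router towards internal_ip:internal_port
    nat_applied : every such forwarded SYN carried router_ip as its source
    synack_seen : internal_ip answered with SYN-ACK (return path works)
    """
    pkts = parse_capture(lines)
    forwarded = [p for p in pkts
                 if p["dst"] == internal_ip and p["dport"] == internal_port
                 and p["flags"] == "S"]
    replies = [p for p in pkts
               if p["src"] == internal_ip and p["sport"] == internal_port
               and p["flags"] == "S."]
    nat_applied = bool(forwarded) and all(p["src"] == router_ip for p in forwarded)
    result = {
        "rdr_applied": bool(forwarded),
        "nat_applied": nat_applied,
        "synack_seen": bool(replies),
        "forwarded_sources": sorted({p["src"] for p in forwarded}),
    }
    if not forwarded:
        result["verdict"] = "no rdr: SYN was not redirected to the internal host"
    elif not nat_applied:
        result["verdict"] = ("rdr without nat: internal host sees the external source "
                             "and needs its own route back to it")
    elif not replies:
        result["verdict"] = "nat and rdr applied but no SYN-ACK: check the internal host/filter"
    else:
        result["verdict"] = "ok: rdr, nat and return path all present"
    return result


if __name__ == "__main__":
    for name, cap in (("murus", CAPTURE_MURUS), ("clean", CAPTURE_CLEAN)):
        print(name, check_forwarding(cap, "10.1.1.1", 2200, "192.168.1.1", 22)["verdict"])
```

Run against the two excerpts, the first capture is reported as "rdr without nat" and the second as "ok", which is exactly the diagnosis made in the post; the same function can be fed a longer capture from `tcpdump -ni en0` to confirm that a ruleset change actually took effect.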

hany
Posts: 480
Joined: Wed Dec 10, 2014 5:20 pm

Re: RDR with NAT

Post by hany » Wed May 13, 2015 10:59 am

wow, that's far from being easy :D
Let me do some tests; I will answer you asap.

hany
Posts: 480
Joined: Wed Dec 10, 2014 5:20 pm

Re: RDR with NAT

Post by hany » Wed May 13, 2015 11:25 am

Ok, this is probably the most interesting question in Murus history, so I hope to be able to understand your needs and help you.
I must admit that your situation is not 100% clear to me, probably because of my lack of experience with NAT. So I'm going to ask you to clarify something for me.
> Another note, using my own two custom pf rules with Murus gives me the following in a tcpdump:[...]
> These SYN packets just keep repeating since no SYN-ACK is received.
How do you issue these rules in Murus? Do you select the "Disable Murus Pro core" option in Preferences - Advanced, or not?

This option is used to ignore all "graphic" options in Murus and let you enable a manual ruleset. Please try it and let me know.

BrandonNC
Posts: 9
Joined: Tue May 12, 2015 4:08 am

Re: RDR with NAT

Post by BrandonNC » Fri May 15, 2015 3:12 am

Sorry for the delay. It seems like I've gotten this to work by checking the "Share my Internet Connection" in the NAT config window. This added a "table <NatLanInterfaces> { en0 }" rule to the configuration which somehow seems to have fixed my problem. My rules now look like:


...
(all of the Murus core rules, including a few rules I added from the GUI)
...
table <NatLanInterfaces> { en0 }
nat on en0 from 5.5.5.5/32 to 192.168.1.1 -> en0
rdr pass inet proto tcp from 5.5.5.5/32 to 10.1.1.1/32 port 2200 -> 192.168.1.1 port 22

I am not quite sure why the "table <NatLanInterfaces> { en0 }" made this work, since I can flush all murus rules and only use the "nat on" and "rdr pass" rules in a clean pf ruleset.

My question is, what does "Share my Internet Connection" actually do? Does this open me up to anything? I want to be sure that having this option enabled doesn't allow any traffic through that I am not aware of.

hany
Posts: 480
Joined: Wed Dec 10, 2014 5:20 pm

Re: RDR with NAT

Post by hany » Sat May 16, 2015 12:40 pm

> My question is, what does "Share my Internet Connection" actually do? Does this open me up to anything? I want to be sure that having this option enabled doesn't allow any traffic through that I am not aware of.
Murus by default adds a nat-anchor named murus.nat and an rdr-anchor named murus.rdr.
When a Murus ruleset is enabled, NAT PF rules must go into the nat-anchor, RDR PF rules must go into the rdr-anchor.
There are 2 ways to add NAT and RDR rules in Murus.

1) Using custom rules you MUST check the "Disable Murus Pro core" in Murus Preferences - Advanced. You MUST use custom manual rules (that is: you have to manually type the PF rule clicking the gear icon in the Custom Rules popover). NAT rules will be automatically put into the nat-anchor, RDR rules into the rdr-anchor.

2) Using Murus interface, NAT window, activating NAT. To activate NAT you have to check the "Share Internet Connection" checkbox in NAT window. This will automatically create the needed NAT PF rules and automatically put them in the right place. It will also put PF filtering rules according to your NAT Groups settings, if any.
By default Murus tries to separate traffic coming from NAT clients and targeting the router LAN side from traffic coming from NAT clients and targeting the Internet. This is achieved using a specific PF table named <NatLanInterfaces>, putting inside this table all interfaces defined as "LAN" in Murus NAT window.

Your first attempt to start NAT was not working because you added custom nat rules without checking the "Disable Murus Pro Core".
Your second attempt worked because checking the "Share Internet Connection" checkbox automagically makes everything work :P

Please let me know if you need a more deep explanation or if you need more help :)
P.S.
using the provided runtime PF rules browser will help you a lot understanding what's happening, please keep it always open when troubleshooting

BrandonNC
Posts: 9
Joined: Tue May 12, 2015 4:08 am

Re: RDR with NAT

Post by BrandonNC » Tue May 19, 2015 12:22 am

I think I mostly understand, however it should be noted that I still could not get to my internal server from home until I added my own rdr rule, so not quite automagic hehe.
