<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: PBR/PBF to DMZ then Internet in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/pbr-pbf-to-dmz-then-internet/m-p/506457#M105659</link>
    <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/214381"&gt;@Flang3r&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;The main problem is that your Linux host in the DMZ is just forwarding the received packet. There are actually a couple of reasons this will not work:&lt;/P&gt;
&lt;P&gt;- As you correctly assume, uRPF or anti-spoofing protection will drop the traffic when it sees that the packet is ingressing on the DMZ interface while the source address is from the Inside zone.&lt;/P&gt;
&lt;P&gt;- Return traffic will not be forwarded to the DMZ, but instead directly to Inside, which will cause the return traffic to have a different egress interface and probably not match the session in the firewall session table.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You need to use source NAT on the Linux host, which will translate the original source IP of the host in the Inside zone either to the Linux host's DMZ IP or to any other available IP address in the DMZ network.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;After that you will need proper NAT to translate that address to a public one, and also a security rule allowing the private IP in the DMZ network (source zone DMZ) to the internet.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Mon, 27 Jun 2022 13:41:51 GMT</pubDate>
    <dc:creator>aleksandar.astardzhiev</dc:creator>
    <dc:date>2022-06-27T13:41:51Z</dc:date>
    <item>
      <title>PBR/PBF to DMZ then Internet</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/pbr-pbf-to-dmz-then-internet/m-p/506411#M105655</link>
      <description>&lt;P&gt;Greetings!&lt;/P&gt;&lt;P&gt;As the title suggests, I'm trying to implement PBF to a specific destination network on the Internet through a server residing in the DMZ. There are three zones configured:&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Inside 10.0.5.0/24 - from where traffic is initiated&amp;nbsp;&lt;/LI&gt;&lt;LI&gt;DMZ 10.0.22.0/24 - where the intercepting server is connected. Plain Linux with&amp;nbsp;&lt;STRONG&gt;net.ipv4.ip_forward = 1&lt;/STRONG&gt;&lt;/LI&gt;&lt;LI&gt;Outside 2.2.2.2/30 - facing the Internet with a single connection (upstream BGP router in this case)&lt;/LI&gt;&lt;LI&gt;Interesting destination network &lt;SPAN&gt;203.0.113.0&lt;/SPAN&gt;/24&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;The PBF rule matches source and destination IP networks (10.0.5.0/24 =&amp;gt; 203.0.113.0/24) and works as intended. In the traffic log I can see my requests being rerouted from Inside to DMZ, and tcpdump on the server surely shows connections from the 10.0.5.0/24 network.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The problem occurs when the server itself tries to reach the actual destination network. Either NAT is not happening during forwarding or something else is discarding traffic in the firewall. I can see retransmissions happening before the session is dropped.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Tried srcnat with an unused IP from my BGP pool (routed from upstream to the firewall, which works in the normal routing flow between zones) in both the INSIDE to DMZ and DMZ to OUTSIDE flows. In the Inside to DMZ flow it happens and I can see my internal network already NATted to the public IP in the server's tcpdump, but the connection still fails.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;From what I understand, in this scenario the firewall sees traffic from 10.0.5.0/24 but sourced from the DMZ zone. Could there be something like a uRPF mechanism kicking in? There are no errors in the traffic log either.&lt;/P&gt;</description>
      <pubDate>Mon, 27 Jun 2022 11:20:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/pbr-pbf-to-dmz-then-internet/m-p/506411#M105655</guid>
      <dc:creator>Flang3r</dc:creator>
      <dc:date>2022-06-27T11:20:51Z</dc:date>
    </item>
    <item>
      <title>Re: PBR/PBF to DMZ then Internet</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/pbr-pbf-to-dmz-then-internet/m-p/506457#M105659</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/214381"&gt;@Flang3r&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;The main problem is that your Linux host in the DMZ is just forwarding the received packet. There are actually a couple of reasons this will not work:&lt;/P&gt;
&lt;P&gt;- As you correctly assume, uRPF or anti-spoofing protection will drop the traffic when it sees that the packet is ingressing on the DMZ interface while the source address is from the Inside zone.&lt;/P&gt;
&lt;P&gt;- Return traffic will not be forwarded to the DMZ, but instead directly to Inside, which will cause the return traffic to have a different egress interface and probably not match the session in the firewall session table.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;You need to use source NAT on the Linux host, which will translate the original source IP of the host in the Inside zone either to the Linux host's DMZ IP or to any other available IP address in the DMZ network.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;After that you will need proper NAT to translate that address to a public one, and also a security rule allowing the private IP in the DMZ network (source zone DMZ) to the internet.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 27 Jun 2022 13:41:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/pbr-pbf-to-dmz-then-internet/m-p/506457#M105659</guid>
      <dc:creator>aleksandar.astardzhiev</dc:creator>
      <dc:date>2022-06-27T13:41:51Z</dc:date>
    </item>
    <item>
      <title>Re: PBR/PBF to DMZ then Internet</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/pbr-pbf-to-dmz-then-internet/m-p/506460#M105660</link>
      <description>&lt;P&gt;Thank you for the reply. That's exactly what I've ended up doing: MASQUERADE on the Linux server with its own IP for the specific source networks (ingress via PBF), and then srcnat of that DMZ IP to Outside on the PA. I can observe two sessions per flow, one to the server and another corresponding flow from the server.&lt;/P&gt;</description>
      <pubDate>Mon, 27 Jun 2022 13:50:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/pbr-pbf-to-dmz-then-internet/m-p/506460#M105660</guid>
      <dc:creator>Flang3r</dc:creator>
      <dc:date>2022-06-27T13:50:58Z</dc:date>
    </item>
  </channel>
</rss>