Author Topic: [SOLVED] SNAT versus Port Forwarding  (Read 17333 times)

Lonniebiz

  • Zen Samurai
  • ****
  • Posts: 320
  • Karma: +24/-2
[SOLVED] SNAT versus Port Forwarding
« on: June 25, 2013, 03:41:37 pm »
Can someone please point me to the documentation that will provide me a more complete conceptual understanding of SNAT as it is used under the Firewall menu of Zentyal?

When you add a SNAT, these fields are requested:
1) SNAT address
2) Outgoing interface    
3) Source
4) Destination
5) Service    
6) Log

Let's say I have public IP 55.55.55.55 and I want a private IP 192.168.0.5 to serve all traffic for that public IP. When someone tries to go to 55.55.55.55, I want that traffic sent to 192.168.0.5, and when 192.168.0.5 uses the internet I want the internet to see it as 55.55.55.55. So, what would I put for the SNAT address, Source, and Destination in this example?

Also, please compare SNAT to Port forwarding. Are these just two different ways of allowing private IPs to serve public IPs? If so, under what circumstances do you suggest using one over the other?
« Last Edit: July 04, 2013, 01:03:21 pm by Lonniebiz »

jbahillo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1444
  • Karma: +77/-2
Re: SNAT versus Port Forwarding
« Reply #1 on: June 26, 2013, 01:53:36 pm »
Hi Lonniebiz:

I think the best way of understanding SNAT is having an equivalence:

DNAT (standard/destination NAT or port forwarding): incoming NAT.
SNAT (source NAT): outgoing NAT.


Case where you don't need SNAT: your Zentyal has an eth0 with a single public IP (or is behind a router which still has a single public IP), and you have a, say, webserver behind that Zentyal. Then you will only need DNAT for allowing incoming packets to get redirected to that webserver. You don't have to care about the outgoing ones, as they will go out (as every packet does) through that public IP.

This would be different if eth0 has two or more public IPs. Say x.x.x.x and y.y.y.y. Let's say that standard traffic goes out through x.x.x.x, but requests to the webserver come across y.y.y.y. Here you need SNAT to do 1:1 NAT, in a mirror way, as if you only set DNAT, packets will arrive from y.y.y.y to the server but will go out through x.x.x.x (which the original requester knows nothing about).

Then you have to use DNAT here for the incoming packets on y.y.y.y so they are sent to, say, 172.16.10.10, and SNAT so outgoing packets from that 172.16.10.10 go through y.y.y.y.


Hope to have given you some approach (there will for sure be others) that allows you to understand this.

Lonniebiz

  • Zen Samurai
  • ****
  • Posts: 320
  • Karma: +24/-2
Re: SNAT versus Port Forwarding
« Reply #2 on: June 26, 2013, 11:22:37 pm »
Thanks for taking the time to articulate this.

I do indeed have multiple IPs and I have set up a SNAT for a server that doesn't use the non-virtual interface IP. It is working fine, but I do have one more question.

When you set up a SNAT, one of the form field entries is "destination". I set that to "Any". Can you think of a circumstance that you would set that to anything other than "Any"?

jbahillo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1444
  • Karma: +77/-2
Re: SNAT versus Port Forwarding
« Reply #3 on: June 27, 2013, 07:29:29 pm »
Hello Lonniebiz:

I can think of a case where some internal tool connects to some customer server, which is secured by allowing just connections from one IP. Let's say that your net goes through x.x.x.x but that you need an app running on machine 172.16.2.50 to connect to the customer machine 1.1.1.1, which only allows connections from y.y.y.y.

Then, logically, you won't make all your net pass through that second IP; you'll reserve it for this customer app's connections, and the rest of the connections from your LAN will go through x.x.x.x.

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
Re: SNAT versus Port Forwarding
« Reply #4 on: June 28, 2013, 12:41:05 am »
I have a use case on my system. I have a Tomcat server running internally that I provide vehicle location information to the general public with. I port forward from my external interface to allow access. I have a link on my website that points to that redirected port. To achieve the same functionality on the local network I need to use SNAT. Think of it this way:

I click on the link from my website (Zentyal server).
It port forwards to my internal Tomcat server.
The Tomcat server responds to me directly.
My browser is not waiting for a connection from the internal server since it sent the request to the gateway machine. It therefore ignores it. With SNAT the response is routed back through the gateway to the requesting machine.


christian

  • Guest
Re: SNAT versus Port Forwarding
« Reply #5 on: June 28, 2013, 06:51:16 am »
half_life: that's exactly what I understand SNAT's purpose to be. The capability to change the source address so that packets return via another route or destination.

This being said, am I correct in thinking that if pages were served by your web server accessing the Tomcat application or, similar approach, if you were using a reverse proxy, such SNAT would not be required?  ???

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
Re: SNAT versus Port Forwarding
« Reply #6 on: June 28, 2013, 07:17:45 am »
That would be correct. A reverse proxy is, in simplest terms, rewriting the header information to change source and destination as it flows into and out of the proxy. If I were running two internal web services open to the public it would behoove me to set up a reverse proxy for management reasons. Being as it is only one service, it was just as expedient to do it this way. Long term I expect to return to a proxy setup for work (Cherokee), but for right now what I have works. Have a look if you are curious: www.gltconline.com. The bus locator is the service that is running on Tomcat. Don't beat up on me too much, I am a photographer not a graphic artist ;-)

christian

  • Guest
Re: SNAT versus Port Forwarding
« Reply #7 on: June 28, 2013, 07:31:47 am »
Nice web site  ;)
I like the "Liberty loop CW". I never thought about a loop as a straight line  ;D (joking)

My point with either reverse proxy or web site was not to challenge your design but to make other users think about the difference between an application running at the border of your intranet/internet infrastructure versus forwarding, which opens your border (kind of a hole in the wall) for external connections.

But this is not the point of this thread and your example is, again, 100% what I have in mind when thinking about SNAT.

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
Re: SNAT versus Port Forwarding
« Reply #8 on: June 28, 2013, 10:51:35 pm »
What can I say,  the previous AGM didn't take the time to generate shape files for the routes so there are errors like this in several places.  I have it on my plate to fix these things probably next month.  It isn't really a loop as much as it is a circulator anyways.

Lonniebiz

  • Zen Samurai
  • ****
  • Posts: 320
  • Karma: +24/-2
Re: SNAT versus Port Forwarding
« Reply #9 on: July 02, 2013, 10:13:30 am »
half_life,

I think I'm going to try that SNAT technique you mentioned. Here's why:

I have several websites on multiple IPs that are being served by a non-Zentyal web server that is sitting behind the Zentyal gateway.

Although these websites are currently accessible to the world wide web (due to port-forwarding and SNAT), they're not accessible on the local LAN.

Since Zentyal is not the authoritative DNS for these sites, one way to solve this problem is to add a DNS entry for each site that points to the local IP for each site. Because all local machines are using the Zentyal gateway, requests to these sites would then go directly to the web server after Zentyal returns the local IP.

However, this approach is a bit of a burden; although there are only 3 public IPs involved, there are over 40 domains to do this for!

Therefore, I'm going to try to use your SNAT suggestion instead, and because of this, I may be able to reduce this work to about 3 entries. What do you think?

Any additional comments as to the exact way you set that up for tomcat would be appreciated.

christian

  • Guest
Re: SNAT versus Port Forwarding
« Reply #10 on: July 02, 2013, 10:30:24 am »
Either I don't understand your design or you don't understand SNAT.
If you want to access a local web server from local machines but lack a DNS entry, I really don't see what SNAT will bring, except an extra complicated path between clients and servers  :-\

Adding 3 DNS records is a matter of seconds, while implementing SNAT has many more side effects, even if it sometimes helps a lot in solving routing issues.

Well, it depends on how you are accessing Tomcat. As discussed with half_life, if you have a front-end web server that is not really a front-end but redirects requests to Tomcat, for sure you may face issues that can be solved using some NAT/SNAT approach (but in such a case, DNS will not help).
Another approach is to access Tomcat from a front-end Apache (e.g.) web server that builds pages from the application server and sends them back to the end user (hint: mod_jk).

half_life

  • Bug Hunter
  • Zen Hero
  • *****
  • Posts: 867
  • Karma: +59/-0
Re: SNAT versus Port Forwarding
« Reply #11 on: July 02, 2013, 02:17:27 pm »
You have 40 domains and only one port 80. My friend, that is what I meant when I was talking about "management reasons". You are a strong candidate for a reverse proxy. Nginx, Apache or Cherokee will do what you need.

christian

  • Guest
Re: SNAT versus Port Forwarding
« Reply #12 on: July 02, 2013, 03:25:24 pm »
Quote
Although these websites are currently accessible to the world wide web (due to port-forwarding and SNAT), they're not accessible on the local LAN.

Can you please provide more technical detail describing why SNAT helps in accessing these internal web sites from the internet.
I strongly believe that such detailed explanation will help you to decide whether this technology is the right one for you or not.

Lonniebiz

  • Zen Samurai
  • ****
  • Posts: 320
  • Karma: +24/-2
Re: SNAT versus Port Forwarding
« Reply #13 on: July 02, 2013, 10:19:47 pm »
I'm using port forwarding to ensure that a request made to a particular public IP gets routed to the correct internal IP on port 80.

The windows-web-server is behind the Zentyal gateway and answers for 3 private IP addresses (192.168.0.5, 192.168.0.6, 192.168.0.7)

The Zentyal server has one public IP address for itself (on its external interface), 55.55.55.54 and three more public IPs on it via external virtual interfaces: 55.55.55.55, 55.55.55.56, 55.55.55.57.

There are 40+ domains being hosted on the Windows web server. The most important domain has an IP all to itself, 55.55.55.55 (as a search engine optimization attempt), while most of the other sites share the same public IP, 55.55.55.56. Lastly, there is another sub-domain that only does SSL, and it is on the third IP, 55.55.55.57.

The reason I'm using SNAT is because if a request is made for a particular IP, I want the web server to reply as though its only IP is the one to which that request was made. I don't want a user to request a webpage on one IP, and receive a reply from another IP.

For example, if a request is made to 55.55.55.55, port forwarding will send that to 192.168.0.5. When the Windows web server replies, SNAT converts its source IP from 192.168.0.5 back to 55.55.55.55. When the user receives the page, the source is 55.55.55.55, as the user would expect.

If a request is made to 55.55.55.56, port forwarding will send that to 192.168.0.6. When the Windows web server replies, SNAT converts its source IP from 192.168.0.6 back to 55.55.55.56. When the user receives the page, the source is 55.55.55.56, as the user would expect.

If a request is made to 55.55.55.57, port forwarding will send that to 192.168.0.7. When the Windows web server replies, SNAT converts its source IP from 192.168.0.7 to 55.55.55.57. When the user receives the page, the source is 55.55.55.57, as the user would expect.

All this is set up and working for all 40 websites. From the web, you can access them all, just as described above.

My remaining task is to discover the least step-intensive way to also make all 40 websites resolve from any machine that requests them "INSIDE the LAN".

I don't want to have to add 40 DNS entries to do this.

I do not want to create custom host files for each machine in the LAN.

Ideally, I want to create 3 "rules" (which might not be the technical term... maybe it's "routes", not sure) that tell Zentyal: if an internal IP requests one of the public IPs on Zentyal's virtual interfaces, forward that request to a particular internal IP.

For example, if 192.168.0.3 tries to go to 55.55.55.55, I want Zentyal to send that to 192.168.0.5, because 55.55.55.55 maps to 192.168.0.5 already for requests coming from the internet, so I need to map it the same way for internal IPs requesting 55.55.55.55 too.

For example, if 192.168.0.5 tries to go to 55.55.55.55 (which is ultimately itself), I want Zentyal to send that to 192.168.0.5 (back to itself), because 55.55.55.55 maps to 192.168.0.5 already for requests coming from the internet, so I need to map it the same way for internal IPs requesting 55.55.55.55 too.

I hope I'm making myself clear enough (even if it sounds crazy) for you all to offer suggestions.
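To make the hairpin case concrete (a LAN client reaching the web server through one of the gateway's own public IPs, as in Reply #4 and Reply #13) alongside the per-host outgoing SNAT of Reply #1 and Reply #3, here is an added Python model of what a stateful NAT gateway does to each packet. It is example code written for this thread, not Zentyal's implementation and not anything posted by the participants. It uses the 55.55.55.5x / 192.168.0.x addresses from the thread and assumes, as constructed values, a gateway LAN address of 192.168.0.1 and an outside client at 203.0.113.10; the `hairpin_snat` switch stands in for an extra SNAT rule whose source is the LAN and whose outgoing interface is the internal one.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

# Addresses from the thread; 192.168.0.1 and 203.0.113.10 are constructed assumptions.
DNAT_RULES = {                 # port forwarding: public IP -> internal web server
    "55.55.55.55": "192.168.0.5",
    "55.55.55.56": "192.168.0.6",
    "55.55.55.57": "192.168.0.7",
}
SNAT_RULES = {srv: pub for pub, srv in DNAT_RULES.items()}  # server -> its public IP
DEFAULT_PUBLIC = "55.55.55.54"   # gateway's own external address, used by every other LAN host
GATEWAY_LAN = "192.168.0.1"      # assumed LAN-side address of the gateway
LAN_PREFIX = "192.168.0."
FORWARDED_PORTS = (80, 443)      # only these services are port-forwarded


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int = 80


def is_lan(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class Gateway:
    """Stateful NAT box: translates forwarded packets and undoes it on the replies."""

    def __init__(self, hairpin_snat: bool = False):
        self.hairpin_snat = hairpin_snat
        # Conntrack-style table keyed by the reply's (src, dst) as the server will
        # send it, mapping back to the original client (src, dst).
        self.flows: dict[tuple[str, str], tuple[str, str]] = {}

    def forward(self, pkt: Packet) -> Packet:
        """Translate a packet arriving at the gateway; return what leaves it."""
        src, dst = pkt.src, pkt.dst
        if dst in DNAT_RULES and pkt.dport in FORWARDED_PORTS:   # DNAT / port forward
            dst = DNAT_RULES[dst]
        if is_lan(src) and not is_lan(dst):                       # SNAT for outgoing traffic
            src = SNAT_RULES.get(src, DEFAULT_PUBLIC)
        elif is_lan(src) and is_lan(dst) and self.hairpin_snat:
            src = GATEWAY_LAN      # hairpin: force the server to answer the gateway
        self.flows[(dst, src)] = (pkt.src, pkt.dst)
        return replace(pkt, src=src, dst=dst)

    def reply(self, pkt: Packet) -> Packet | None:
        """Reverse the translation for a reply; None if the gateway never saw the flow."""
        orig = self.flows.get((pkt.src, pkt.dst))
        if orig is None:
            return None
        client, public = orig
        return replace(pkt, src=public, dst=client)


def deliver_reply(gw: Gateway, reply: Packet) -> Packet | None:
    """Model the LAN: a reply addressed to a LAN host is delivered directly on the
    same subnet (the gateway never sees it) unless it is addressed to the gateway."""
    if is_lan(reply.dst) and reply.dst != GATEWAY_LAN:
        return reply
    return gw.reply(reply)


def request_roundtrip(client_ip: str, public_ip: str, hairpin_snat: bool) -> str | None:
    """Send an HTTP request from client_ip to public_ip and return the source
    address the client sees on the reply (None if nothing comes back)."""
    gw = Gateway(hairpin_snat)
    sent = Packet(client_ip, public_ip)
    at_server = gw.forward(sent)
    server_reply = Packet(at_server.dst, at_server.src)   # server answers whoever it saw
    seen = deliver_reply(gw, server_reply)
    return None if seen is None else seen.src


def reply_accepted(client_ip: str, public_ip: str, hairpin_snat: bool) -> bool:
    """A TCP client only matches a reply coming from the address it connected to."""
    return request_roundtrip(client_ip, public_ip, hairpin_snat) == public_ip


def outbound_source(lan_ip: str) -> str:
    """Public address the internet sees when lan_ip initiates a connection."""
    return Gateway().forward(Packet(lan_ip, "203.0.113.10")).src


if __name__ == "__main__":
    print("internet client -> 55.55.55.56, reply from:", request_roundtrip("203.0.113.10", "55.55.55.56", False))
    print("LAN client, no hairpin SNAT, reply from:   ", request_roundtrip("192.168.0.3", "55.55.55.55", False))
    print("LAN client, hairpin SNAT, reply from:      ", request_roundtrip("192.168.0.3", "55.55.55.55", True))
    print("server 192.168.0.6 leaves as:", outbound_source("192.168.0.6"))
    print("LAN host 192.168.0.3 leaves as:", outbound_source("192.168.0.3"))
```

The two LAN cases differ only in whether the hairpin SNAT rule exists: without it the web server answers 192.168.0.3 directly with source 192.168.0.5, which the client's TCP stack does not match against its connection to 55.55.55.55, so the reply is ignored exactly as described in Reply #4; with it the reply goes back via the gateway and is un-translated to 55.55.55.55. The outbound cases show why a second public IP needs its own SNAT rule: only 192.168.0.6 leaves as 55.55.55.56, every other LAN host leaves as the gateway's default 55.55.55.54. In terms of the form fields from the first post, each SNAT rule in the model is SNAT address = the public IP, Source = the single internal host, Destination = Any, Outgoing interface = the external interface.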

christian

  • Guest
Re: SNAT versus Port Forwarding
« Reply #14 on: July 02, 2013, 10:58:40 pm »
Thank you for this long and detailed explanation.
However, I give up because I still don't understand.
I'm confused with what you call "domain" and also confused with the
Quote
The reason, I'm using SNAT, is because if a request is made for a particular IP, I want the web-server to reply as though its only IP is the one to which that request was requested. I don't want a user to request a webpage on one IP, and receive a reply from another IP.

As you have 3 public IPs plus forwarding to 3 internal web servers, how could a request to one IP receive an answer from another one?
Furthermore, unless you are using IP addresses in URLs, how could an internal IP be known to an external user and generate any confusion?

Based on your explanation, I believe (well, I hope) the web sites are not bound to all 3 virtual IPs, are they?

Regarding the "domain" concept, I know you're not at fault. It is more a Microsoft and commonly accepted naming convention to use "domain" for a web site. But this is a wrong shortcut and a bad habit.
You may have 40+ web sites and I don't know how many domains built using this model (extract from Wikipedia):
Code:
The domain name is a component of a Uniform Resource Locator (URL) used to access web sites, for example:

    URL: http://www.example.net/index.html
    Top-level domain name: net
    Second-level domain name: example.net
    Host name: www.example.net

This is not nitpicking  ;) and it may make your life quite easy once understood, because your 40+ web sites may result in only, or almost only, CNAME records, which are pretty easy to manage (no need, as you write, to maintain local host files, unless you have specific needs).

So, as a matter of conclusion, I can't really help as I'm not on the same track and am very confused with your approach. My feeling is that you perhaps face a problem because your single web server is serving the same content on all IPs (primary and virtual IPs), hence the risk of receiving the wrong content and the attempt to control it using SNAT, as if the web server were sending back its IP instead of a URL made of host+domain.

But I might be totally wrong  :-[