SNAT from Trusted

It would be nice to have the ability to create an SNAT action for trusted networks (or, to go one step further, an SNAT action that applies to all interfaces).

I've been playing around with some plans for VLAN segregation and a graylog server lately, and one thing I thought would be clever would be to configure all devices that send logs to use the gateway address as the log server IP, and let the firewall static NAT it to the graylog server wherever it happens to be. That way, the firewall can act as gateway, DNS forwarder (for VLANs with no dedicated DHCP/DNS server), NTP server, and also as a faux target syslog server.

Additionally, since binding to port 514 is a little quirky with graylog due to the way inputs are configured as non-root, an SNAT would allow me to redirect port 514 to the graylog input port for syslog.

So a policy example would be From:"Any-Trusted,Any-Optional" To:"SNAT->Any:514->mylogserver.mydomain.com:1514"

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Chris_Kelly

    You can do this. See the article here.

    (NAT Loopback and Static NAT (SNAT))
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/nat/nat_loopback_static_c.html

    -James Carson
    WatchGuard Customer Support

  • Hi James,

    Thanks for that - I use NAT loopback on some SNAT policies already for some internal services that are also internet accessible, but it would be a lot nicer to be able to specify the gateway address rather than a public IP for internal-only services.

    Is there a technical reason that SNAT is not allowed to come from trusted interfaces?

    Cheers,
    -Chris

  • james.carson Moderator, WatchGuard Representative

    Hi Chris,

    You can use SNAT loopback for just trusted.

    The rule would read

    From: Any-Trusted
    To: (SNAT) (external/optional IP or alias -> internal IP)

    If you were using a trusted IP, you can already access the policy by using that IP; there's no need to use NAT loopback.

    -James Carson
    WatchGuard Customer Support

  • edited July 2021

    I think one of us is missing something here.

    If I could create an SNAT action that listens on a trusted interface address, i could do something like this:

    Firewall Addresses (mock-ups):

    External-1: 80.90.100.101
    External-2: 80.90.100.102
    VLAN (VLAN10)-Trusted: 10.0.10.1
    VLAN (VLAN11)-Trusted: 10.0.11.1
    VLAN (VLAN12)-Trusted: 10.0.12.1
    VLAN (VLAN13)-Optional: 10.0.13.1

    If I'm configuring a network switch that's in VLAN10, and the syslog server is in VLAN11, I'd like to configure the switch with the following settings:

    ip: 10.0.10.2
    gateway: 10.0.10.1
    dns: 10.0.10.1
    ntp: 10.0.10.1
    syslog: 10.0.10.1 <-- same address as all other services that the firewall either provides directly, or forwards to where it actually lives.

    this scheme would be consistent in all VLANs, where any device would simply use that VLAN's gateway address for syslog, as well as DNS/NTP. E.g. a security camera system in VLAN12 would be configured thusly:

    ip: 10.0.12.2
    gateway: 10.0.12.1
    dns: 10.0.12.1
    ntp: 10.0.12.1
    syslog: 10.0.12.1

    Correct me if I'm wrong, but I currently need to do this for any device in any VLAN:

    ip: 10.0.xx.2
    gateway: 10.0.xx.1
    dns: 10.0.xx.1
    ntp: 10.0.xx.1
    syslog: 80.90.100.101 <--- this is less desirable
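
    The scheme in the mock-up above, written out as an added example that is not WatchGuard configuration and is not part of the thread: the same destination rewrite expressed as a Linux nftables ruleset, using the thread's mock-up gateway addresses. What Fireware calls "SNAT" (static NAT) is a destination rewrite, which nftables spells `dnat`. Assumptions made here and nowhere in the thread: the firewall is a Linux host with VLAN sub-interfaces named vlan10 through vlan13, and the Graylog server sits at 10.0.11.50 (an invented address; the thread only gives the hostname mylogserver.mydomain.com).

```nftables
# Added example, not from the WatchGuard thread. Mock-up addresses from the post above;
# interface names and the Graylog address (10.0.11.50) are assumptions for illustration.
define GW_ADDRS = { 10.0.10.1, 10.0.11.1, 10.0.12.1, 10.0.13.1 }
define LAN_IFS  = { "vlan10", "vlan11", "vlan12", "vlan13" }

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Every device sends syslog to its own VLAN gateway on port 514 (UDP or TCP).
        # Rewrite only the destination to the Graylog input on 1514. The source
        # address is untouched, so Graylog still records the real sending host.
        iifname $LAN_IFS ip daddr $GW_ADDRS meta l4proto { tcp, udp } th dport 514 \
            dnat to 10.0.11.50:1514
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Hairpin case (the NAT loopback mentioned earlier in the thread): a host in
        # VLAN11 sends to 10.0.11.1:514 and is translated to a server in the same VLAN.
        # Without this rule the server would answer the client directly, and a TCP
        # client would see replies from an address it never connected to. Masquerade
        # only that case so the other VLANs keep the original source address.
        iifname "vlan11" oifname "vlan11" ip daddr 10.0.11.50 th dport 1514 masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept

        # Permit only the translated syslog flow toward Graylog from the LAN VLANs;
        # "ct status dnat" ensures a host cannot reach 1514 by addressing the server
        # directly unless a separate rule allows it.
        iifname $LAN_IFS ip daddr 10.0.11.50 meta l4proto { tcp, udp } th dport 1514 \
            ct status dnat accept
    }
}
```

    Load it with `nft -f` and confirm the translation with `nft list ruleset` and `conntrack -L` while a device in VLAN10 sends a test message to 10.0.10.1:514; the conntrack entry should show the original destination 10.0.10.1:514 and the reply address 10.0.11.50:1514. Because the source address is preserved for every VLAN except the hairpin one, Graylog's source-based extractors and the per-host views keep working; if a device sits in the same VLAN as the server, its logs arrive from 10.0.11.1 instead, which is the trade-off of the loopback rule.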

  • Currently syslog needs to be the real IP addr of the syslog server or, if using SNAT, the public IP addr that can access the syslog server.

  • Just to circle back, syslog (for me) is just the flint that sparked the question. I see utility in being able to use the gateway address for lots of things.

    The enhancement request is more generally for SNAT actions that can listen on trusted interface addresses (plus an option to listen on all firebox address).

    Cheers!
