• Asterisk - VOIP - SIP Registration time out - NAT problem?

    3
    0 Votes
    3 Posts
    12k Views
    P

    Many thanks for your advice. Your instincts were helpful and correct.

    It was a config problem with Asterisk: the externip variable was incorrectly set to an IP address. Setting it to my dyndns hostname resolved the issue.

  • NAT not passing traffic from WAN-2

    1
    0 Votes
    1 Posts
    900 Views
    No one has replied
  • Redirect 1 WAN IP to Multiple Internal Hosts for Port 3389

    9
    0 Votes
    9 Posts
    2k Views
    BBcan177B

    +1 for mRemoteNG. Makes managing devices so simple.

  • VoIP over IPsec; UDP packets not sent over VPN [solved]

    3
    0 Votes
    3 Posts
    3k Views
    D

    @jimp:

    Probably your PBX does not have the VPN remote network set as a "local" network so it's putting its own public IP in the VIA headers.

    So… not the firewall, a PBX config issue.

    YES! Thank you! That solved my problem.

  • Can I have multiple hosts for one WAN?

    2
    0 Votes
    2 Posts
    653 Views
    KOMK

    NAT is usually for outgoing, port forward for incoming.  You need to create a few port forward rules that map a specific public IP address and port to an internal IP address and port (Firewall - NAT - Port Forward)

  • Disable NAT, does Captive Portal still work then ?

    1
    0 Votes
    1 Posts
    499 Views
    No one has replied
  • How to get multiple subnets to connect to the internet using nat?

    2
    0 Votes
    2 Posts
    1k Views
    T

    If I remember correctly, I had to go through this same thing. I'm pretty certain firewall rule(s) will need to be put in place allowing the subnets to access the internet. It should just be rules connecting the interfaces to the wan interface. Then again, someone else may have a different solution.

  • NAT Reflection status?

    2
    0 Votes
    2 Posts
    1k Views
    S

    Hmmm…  Maybe I'm on to something here.

    If I run tcpdump on the bridge interface while attempting the connection, I see this:

    16:33:25.603399 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has x.x.x.222 tell 0.0.0.0, length 50
    16:33:26.714153 IP (tos 0x0, ttl 64, id 12716, offset 0, flags [DF], proto TCP (6), length 60)
        x.x.x.211.59721 > x.x.x.222.22: Flags [S], cksum 0x210a (correct), seq 2823335170, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 753592721 ecr 0], length 0
    16:33:29.914115 IP (tos 0x0, ttl 64, id 12731, offset 0, flags [DF], proto TCP (6), length 60)
        x.x.x.211.59721 > x.x.x.222.22: Flags [S], cksum 0x148a (correct), seq 2823335170, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 753595921 ecr 0], length 0

    So it looks like my reflections are reflecting, but rather than the packets hitting the virtual IP, they are heading out the bridge.

  • Using Source While Forwarding SSH

    3
    0 Votes
    3 Posts
    761 Views
    johnpozJ

    Yes locking the forward rule down to their source IP would be one way to do it.  Changing ports is not really security – famous quote "security through obscurity is not security"

    If looking to reduce logs, then sure changing ports can reduce those.  But you would be better off making sure your ssh is secure - say for example only allow public key auth.  Don't even allow passwords.  On the host put in something like fail2ban so that at most your logs will only have say 4 entries before the host blocks that IP, etc.

  • Outgoing NAT situation.

    2
    0 Votes
    2 Posts
    872 Views
    I

    Just so everyone knows how this was resolved, I just didn't have the proper order to my Manual Outgoing Nat rules.

    I had my outgoing nat rule at the bottom instead of the top. Because of this, the nat rule above it overwrote things. I created aliases for all the IPs I needed to use with nat and then created an outgoing nat rule for the application server that said "anything heading from appsrv0 to any, translate from appsrv0 to wanip2". I then moved it to the top of the outgoing nat rules and voila.

    Hopefully this will help the next guy.

  • 0 Votes
    4 Posts
    847 Views
    D

    Thanks for the explanation.  I would hazard a guess that you should be able to redirect all internet traffic from the Germany LAN through the IPSEC.

    Unfortunately this is well outside my expert zone (if I even have one).

    Hopefully someone else can chime in with some pointers in the right direction.

  • NAT - 1:1 for exchange server

    2
    0 Votes
    2 Posts
    831 Views
    R

    I know what: instead of NAT 1:1 I will add it as a "port forward" and add my additional WAN IP in the "destination" so it uses that IP address.

    Is that right or wrong?

  • Port Forward by Hostname

    13
    0 Votes
    13 Posts
    7k Views
    arrmoA

    Hi,

    OK, just to close the loop .. updated to the latest version, and after reboot it started working.

    Thanks so much for all the help!!!

  • Help adding two static nat rules

    5
    0 Votes
    5 Posts
    1k Views
    J

    Hi johnpoz

    Thank you! just got it working  :D

    To answer your question: I need that NAT to be able to use the unblockus service with my Chromecast device, which is hardcoded by Google to use 8.8.8.8 and 8.8.4.4, so it's kind of a workaround.

    I just couldn't figure out how to build the NAT rule in the GUI, so once again thanks for your help  :)

    Kind regards
    Jan

  • Can i bypass NAT with some ports, or point to 2 internal ips?

    1
    0 Votes
    1 Posts
    869 Views
    No one has replied
  • Firewall and NAT Routing

    2
    0 Votes
    2 Posts
    870 Views
    G

    I have attached how it is currently "working" with only the local subnet redirecting any traffic to the second WAN for mail server only.

    All I want at this point to redirect any request for the mail server IP to the mail server from any internal clients.

    ![Firewall Rules.JPG](/public/imported_attachments/1/Firewall Rules.JPG)
    Gateways.JPG
    NAT.JPG
    Routes.JPG

  • $100 or same in Bitcoins for some help

    5
    0 Votes
    5 Posts
    1k Views
    T

    @Harvy66:

    KPA mentioned OpenVPN. Use a tap VPN interface to bridge. It will effectively create a single broadcast domain tunneled over the Internet.

    Sounds good, but I have no idea how to implement it. Fancy doing it for $100? Drop me a PM.

  • NAT & Port Forward Issue

    2
  • PfSense to Cisco ASA VPN NAT Not Working

    2
    0 Votes
    2 Posts
    1k Views
    B

    For some reason the IP address I used initially wouldn't connect to the remote side. I changed the IP and we now have a working tunnel, except that the remote side cannot ping nor communicate with mine via NAT. I can ping and talk to their side, but not them to mine.

    I have IPsec firewall rules that allow everything just to eliminate that part.

    IPv4 TCP/UDP * * * * * none    
    IPv4 ICMP * * * * * none

    I have an IPsec NAT:

    IPsec X.X.X.X 192.168.125.193 192.168.22.193

    For Phase 2 I have:

    Local Network: LAN Subnet
    NAT/BINAT: Address 192.168.125.193
    Remote Network: 192.168.3.14

    The remote side has a subnet on their LAN the same as our 192.168.22.0/24 so we need to NAT 192.168.125.0.

    Is there something really obvious I'm missing? I feel dumb and frustrated.

  • Accessing web server behind pfsense

    3
    0 Votes
    3 Posts
    2k Views
    O

    Cheers, got it working now after enabling NAT Reflection.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.