@perdong: sorry i can't get your picture. what is it that you want to come up with? I guess, technically, I should refer to the many to 1 NATing used in the Outbound NAT feature as what it really is – PAT (Port Address Translation).  Since I've configured several LANs to do PAT to a single address (for the sake of simplifying this discussion) - I'm curious about the possibility of a port number collision on those translations.

try this; System > routing > route. enjoy!

yes possible. main router as your gateway. eth0 - public ip #1 ethx - public ip #2 optx - public ip #n good luck, the fun side is in the route settings ;-)

Thank you, that worked perfectly!

Hello, ok, I found out the problem! My raspberry pi had a firewall that I didn't know about! :-$ it was blocking my traffic from the vpn! Information to any one with similar problems! Cheers

Many thanks for your advice. Your instincts were helpful and correct. It was a config problem with Asterisk the eternip variable being incorrectly set to an IP address. Setting it to my dyndns hostname resolved issue.

+1 for mRemoteNG. Makes managing devices so simple.

@jimp: Probably your PBX does not have the VPN remote network set as a "local" network so it's putting its own public IP in the VIA headers. So… not the firewall, a PBX config issue. YES! Thank you! That solved my problem.

NAT is usually for outgoing, port forward for incoming.  You need to create a few port forward rules that map a specific public IP address and port to an internal IP address and port (Firewall - NAT - Port Forward)

If I remember correctly, I had to go through this same thing. I'm pretty certain firewall rule(s) will need to be put in place allowing the subnets to access the internet. It should just be rules connecting the interfaces to the wan interface. Then again, someone else may have a different solution.

Hmmm…  Maybe I'm on to something here. If I run tcpdump on the bridge interface while attempting the connection, I see this: 16:33:25.603399 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has x.x.x.222 tell 0.0.0.0, length 50 16:33:26.714153 IP (tos 0x0, ttl 64, id 12716, offset 0, flags [DF], proto TCP (6), length 60)     x.x.x.211.59721 > x.x.x.222.22: Flags [s], cksum 0x210a (correct), seq 2823335170, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 753592721 ecr 0], length 0 16:33:29.914115 IP (tos 0x0, ttl 64, id 12731, offset 0, flags [DF], proto TCP (6), length 60)     x.x.x.211.59721 > x.x.x.222.22: Flags [s], cksum 0x148a (correct), seq 2823335170, win 65535, options [mss 1460,nop,wscale 3,sackOK,TS val 753595921 ecr 0], length 0 So it looks like my reflections are reflecting, but rather than the packets hitting the virtual IP, they are heading out the bridge.[/s][/s]

Yes locking the forward rule down to their source IP would be one way to do it.  Changing ports is not reallly security – famous quote "security through obscurity is not security" If looking to reduce logs, then sure changing ports can reduce those.  But you would be better off making sure your ssh is secure - say for example only allow public key auth.  Don't even allow passwords.  On the host put in something like fail2ban so that at most your logs will only have say 4 entries before the host blocks that IP, etc.

Just so everyone knows how this was resolved, I just didn't have the proper order to my Manual Outgoing Nat rules. I had my outgoing nat rule at the bottom instead of the top. Because of this, the nat rule above it over wrote things. I created alias's for all the ip's I needed to use with nat and then created an outgoing nat rule for the application server that said "anything heading from appsrv0 to any, translate from appsrv0 to wanip2". I then moved it to the top of the outgoing nat rules and voila. Hopefully this will help the next guy.

Thanks for the explanation.  I would hazard a guess that you should be able to redirect all internet traffic from the Germany LAN through the IPSEC. Unfortunately this is well outside my expert zone (if I even have one). Hopefully someone else can chime in with some pointers in the right direction.

i know what instead of NAT 1:1 i will add is as a "port forward" and add my additional WAN ip in the "destination" so it uses that ip address is that right or wrong?

Hi, OK, just to close the loop .. updated to the latest version, and after reboot it started working. Thanks so much for all the help!!!

Hi johnpoz Thank you! just got it working  :D To answer your question: I need that NAT to be able to use the unblockus service with my chromecast device which is hardcoded by google to use 8.8.8.8 and 8.8.4.4 so it's kind of a work around. I just could't figure out how to build the NAT rule in the gui, so ones again thanks for your help  :) Kind regards Jan