Netgate Discussion Forum

    Using a GRE Tunnel to route VMs network and IP to external network.

    General pfSense Questions
    36 Posts 2 Posters 4.9k Views
    • Xuap

      Hey everyone, so, I created a GRE tunnel from my local pfSense to a hosting provider's remote pfSense so I can (as told by them) use their IP addresses on my virtual machines.

      So, for instance,

      I want the IP 192.168.1.139 to have the IP 185.113.141.139. I've been reading some posts here and figured out that I am supposed to be making a 1:1 NAT mapping for each individual IP I have.

      I currently don't have an IP block, so I have to do every IP one by one.

      The GRE tunnel is already created and both pfSenses communicate with each other. The IP I have on a VM is currently 192.168.1.139, and when I ping 8.8.8.8 I get the following states on the local pfSense:


      I've also created a gateway for the VMs with the gateway 185.113.141.1, which is the hosting provider's gateway address.

      I created a static route on the remote pfSense with the IP I want to use in the VM, 192.168.1.139:


      which did not do anything.

      Some Info:

      • Local pfSense address: 192.168.1.10
      • Remote pfSense address: 185.113.141.132
      • Local GRE tunnel address: 10.0.2.1
      • Remote GRE tunnel address: 10.0.2.2
      • My available remote IP address to use on VMs: 185.113.141.139
      • Current virtualization system: Proxmox

      After following the steps in this post https://forum.pfsense.com/topic/173892/gre-tunnel-to-protect-ip this was all I could achieve; some things did not work as expected. If someone could give me a hand I would be very grateful.

      Best regards,
      Xuap

      • stephenw10 (Netgate Administrator)

        I assume you are using those IP addresses just as an example? Because those are just copied from the other post, those IPs will not work for you.

        That static route makes no sense. You need a static route to 192.168.1.0/24 via 10.0.2.1 on the remote pfSense.

        You also need a policy rule on the local pfSense to pass outbound traffic from the local hosts there over the GRE tunnel.

        Then add the 1:1 NAT rules on the remote pfSense.

        Steve

        • Xuap @stephenw10

          @stephenw10

          The IP addresses seem to be copied from the other post because they are from the same provider. So, in a nutshell, I only need the tunnel created on both ends and to add a static route to 192.168.1.0/24 so that the local IPs on my side can reroute the traffic to the tunnel and the tunnel can handle that traffic?

          The 1:1 NAT rule on the remote (Where the IPs are being routed to) should be something like

          • Internal IP: 185.113.141.139
          • External IP: 192.168.1.139
            And the NAT address should be the interface address (The tunnel one)?

          If so, as soon as I get home I'll try to adjust it to these configs and instantly feedback the results.

          Thanks in advance.

          João Ferreira

          • stephenw10 (Netgate Administrator)

            The static route needs to be on the remote pfSense so that it knows how to reach the 192.168.1.0/24 subnet on the other end of the tunnel. Doing that also adds an outbound NAT rule for that subnet so that traffic arriving over the tunnel can reach the internet, as long as outbound NAT is still in automatic mode there.
            You also need a policy routing rule at the local pfSense box if you also want the hosts in 192.168.1.0/24 to use those public IPs for outbound connections.

            Steve

            • Xuap @stephenw10

              @stephenw10

              Everything's done as you said. Now, to use the IPs on the virtual machines on Proxmox, I need to create a Linux bridge that is associated with the local pfSense (a VLAN was created for that with the remote gateway),
              and to get the VM to use the IP, do I need to put, for instance, IP: 185.113.141.139, Netmask: 255.255.255.0, Gateway: 185.113.141.1, or do I need to use my normal router gateway (192.168.1.254) and a local IP address like 192.168.1.139?

              Thanks in advance.

              João Ferreira

              • Xuap @Xuap

                @xuap So, I used the gateway 185.113.141.1 on the VM and the IP 192.168.1.139. On the local pfSense I get this:

                and on the remote I get this:


                Also, I have these NAT rules,

                but I don't have internet access on the VM.

                • stephenw10 (Netgate Administrator)

                  If you are 1:1 NATing, as you initially said, then you should not have any public IPs at the local site.

                  The only place the public IPs would be defined would be as VIPs at the remote site.

                  In the other thread they were given a routed subnet and so could use the public IPs directly on hosts at the local end. In that situation you don't need to NAT anything and instead can route the subnet across the tunnel at the remote site, then use the subnet directly on an interface at the local end. The pfSense VLAN interface would still not be the .1 address though; that would imply they gave you the full /24 subnet, which is very unlikely. It would be the first usable IP in the subnet they routed to you.

                  Steve

                  • Xuap @stephenw10

                    @stephenw10 Unfortunately, they didn't allow us to have a routed subnet, so I have to stick with the 1:1.

                    Virtual IPs on the remote site:

                    Virtual IPs on the local site:

                    I only have virtual IPs on the remote, which is the one additional IP the hosting provider gave me.

                    So, in my case, do I need to change the gateway 185.113.141.1 to anything else, or do I need to make some firewall rules to give the VM internet access or something? Because if I change to my router's gateway and the bridge to the main bridge of pfSense (WAN), the network starts working, but I don't get any data in the pfSense stats and the public IP is not correct.

                    • Xuap @Xuap

                      If I ping something like 1.1.1.1, on the console I get no output at all, but I do get the states on both ends.
                      LOCAL:

                      REMOTE:

                      Also, note that it's showing the IP 185.113.141.132 when the IP I want to use is 185.113.141.139.

                      • stephenw10 (Netgate Administrator)

                        OK, so what's the 1:1 NAT rule at the remote side? It looks like it's not catching the traffic there on the way out and it's using the auto outbound rule instead.
                        Also, the 1:1 NAT rule would not change the source port (ICMP ID here) as is shown there.

                        However, it does look to be working as expected apart from that. There is two-way traffic shown on all 4 interfaces involved. But the ping fails?

                        Steve

                        • Xuap @stephenw10

                          @stephenw10 The NAT rules on the remote site are like this:

                          1:1 and Outbound:

                          Yeah, basically it just doesn't have internet access, not even access to the pfSense or a ping to the tunnel. I can't ping the tunnel from the VM even though the ping arrives there.

                          • stephenw10 (Netgate Administrator)

                            OK, the 1:1 NAT rule should be on WAN, with the external IP being the public IP VIP and the internal IP being the private IP of the server.

                            • Xuap @stephenw10

                              @stephenw10 So, like this?

                              And on the VM, like this?

                              • stephenw10 (Netgate Administrator)

                                No, the external IP should be the public IP. The internal IP should be the server IP in 192.168.1.0/24.

                                The VM gateway needs to be in the subnet, so it should be the local pfSense VLAN interface IP. Probably 192.168.1.1.
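The setup Steve describes in this reply and in his earlier one (static route to 192.168.1.0/24 via 10.0.2.1 on the remote pfSense, 1:1 NAT on the remote WAN, policy routing over the tunnel on the local pfSense), written out as the pf rules pfSense generates behind those GUI settings. This is an added example, not from the thread or from pfSense itself; the interface names (em0 for WAN, gre0 for the tunnel, em1.10 for the VM VLAN) are assumptions, and it assumes the VM VLAN subnet does not overlap the local WAN subnet, which is the mismatch Steve flags later in the thread.

```pf
# ---------- Remote pfSense (holds the public VIP 185.113.141.139) ----------
# Static route (System > Routing, not a pf rule): the local VM subnet lives
# behind the far end of the tunnel. Assumed equivalent route command:
#   route add -net 192.168.1.0/24 10.0.2.1

# 1:1 NAT on WAN: public VIP <-> private server IP, in both directions.
# External IP = the VIP, internal IP = the server address in 192.168.1.0/24.
binat on em0 from 192.168.1.139 to any -> 185.113.141.139

# Automatic outbound NAT still covers the rest of the routed subnet, which is
# why other hosts appear as the WAN address 185.113.141.132 instead of the VIP.
nat on em0 from 192.168.1.0/24 to any -> (em0)

# Traffic arriving over the tunnel must be passed on the GRE interface.
pass in quick on gre0 from 192.168.1.0/24 to any keep state
# Inbound services to the VM still need their own pass rules on em0, with the
# destination written as the internal IP 192.168.1.139 (binat rewrites first).

# ---------- Local pfSense (VMs use the VLAN interface IP as gateway) ----------
# Policy route: anything from the VM VLAN that is not local goes into the
# tunnel, so the reply path matches and the remote side, not the local WAN,
# performs the NAT. Without this rule the traffic takes the local default
# route and replies show up on WAN, as seen in the pcaps later in the thread.
pass in quick on em1.10 route-to (gre0 10.0.2.2) from 192.168.1.0/24 to ! 192.168.1.0/24 keep state
```

A quick sanity check on either box is `pfctl -sn` for the NAT/binat rules and `netstat -rn` to confirm 192.168.1.0/24 points at 10.0.2.1 on the remote side.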

                                • Xuap @stephenw10

                                  @stephenw10 So, my networks on local pfsense are like this:


                                  My WAN is 192.168.1.10, which is on the main gateway of the router, 192.168.1.254.

                                  I use the VLAN as a bridge for the VMs, but should I use something else, either on pfSense or on the VMs?

                                  • stephenw10 (Netgate Administrator)

                                    Hmm, where is the VM at 192.168.1.86 then?

                                    I expect all the VMs to be in the VLAN subnet and all the routing and NAT setup to be to and from the VLAN subnet.

                                    Steve

                                    • Xuap @Xuap

                                      I also did a pcap on both the GRE and VLAN interfaces of the local pfSense.

                                      GRE:

                                      VLAN:

                                      So, as I understand it, it is sending the ping to 1.1.1.1 but it is not receiving any traffic.

                                      • stephenw10 (Netgate Administrator) @Xuap

                                        Right, well, it won't if traffic from 192.168.1.86 is coming in on the wrong interface!

                                        If you run a pcap on WAN you will see all the replies going back that way, because that's where the 192.168.1.0/24 subnet is.

                                        How exactly is the VM connected?

                                        • Xuap @stephenw10

                                          @stephenw10 The VM is in Proxmox with the IP 192.168.1.86 and gateway 192.168.2.1, as I showed above.

                                          The VM is on the bridge of the VLAN (192.168.2.1), which is Linux Bridge 1 on Proxmox (vmbr1) that will (supposedly) be attached to all VMs so it can tunnel the traffic to the remote pfSense.

                                          • Xuap @stephenw10

                                            @stephenw10

                                            This is the only 1.1.1.1 ping I have on the WAN of the local pfSense.
