More NAT help/seeking knowledge
-
Ok, so my issue from the other day is resolved - turns out I was missing some routes. Doh!
On to the next thing...
As explained to me/how I understood it: we have an external IP 100.50.100.25 (IP used for this description - not our real IP).
- device out in world initiates VPN connection to it. There may be multiple devices initiating connections.
- firewall takes that incoming connection (or connections) and NATs it to an IP in the range 10.100.0.0/16
And there is where I am seeking knowledge/don't understand. How do I set that up so the NAT on the "internal" side will have an address in that 10.100.0.0/16 range? Is that even possible?
-
@sbrews Is 10.100.0.0/16 your LAN subnet?
I'm not quite sure what is being NATted. A VPN would connect the external device to the pfSense, and if 10.100.0.0/16 is a network on the pfSense, then firewall rules govern the connection.
Or are you asking to make some device on LAN the VPN server? Then you would have pfSense forward the ports, e.g. IPsec ports/protocols, to the server on LAN.
-
@sbrews said in More NAT help/seeking knowledge:
firewall takes that incoming connection (or connections) and NATs it to an IP in the range 10.100.0.0/16
From a VPN client? It doesn't NAT that; it assigns the VPN client an address in the range you set up for your tunnel network.
So a VPN client, for example, might be 10.100.0.100; your VPN server says "hey, if you want to get to something on 192.168.1.0/24, send that traffic to me, I have this 192.168.1 network locally."
When the client on your 192.168.1.x network answers that traffic and sends it back to pfSense, pfSense says "oh, that is one of my VPN clients" and sends the traffic to that client via the VPN connection. There would be no NATting of this traffic unless you specifically set that up. But there is little reason to do that.
-
I should/need to add:
VPN services are NOT being used on the pfSense firewall... it is literally just a firewall. There is another server on the inside of the network that serves VPN. That client on the inside is expecting to see incoming IPs in the 10.100.0.0/16 range... it then does its thing and hands out an appropriate VPN IP to the device that initiated the process.
-
@sbrews said in More NAT help/seeking knowledge:
There is another server on the inside of the network that serves VPN.
This is not an optimal sort of setup for VPN - VPN is always easier when managed at the edge. When you do it downstream you can run into asymmetric routing issues, unless your VPN server is on a transit network, or yeah, you NAT, etc.
You would have a much simpler, easier to manage setup if you just did the VPN on the edge (pfSense).
-
@sbrews I've not done it but from reading posts over the years I think you can NAT in that direction with an outbound NAT rule to the 10.100.0.1 or whatever IP is on pfSense.
-
@steveits sure, he could do an outbound NAT on the interface on pfSense where this VPN server sits.
A drawing of this setup would be most helpful - when you run a VPN internally you can see all kinds of problems - you are most likely doing a hairpin as well for the traffic.
I personally would never choose to run a vpn server anywhere but on the edge of the network.
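To make concrete what the two replies above describe (a port forward from the WAN to the internal VPN server, plus an outbound NAT rule on the LAN-side interface so the server sees a 10.100.0.0/16 source), here is an illustration in pf syntax, the filter language pfSense generates its rules in. This is an added example, not configuration from the thread or from pfSense itself; in the GUI the same thing is done under Firewall > NAT (Port Forward, and Outbound NAT switched to Hybrid or Manual mode). The interface names, the server address 10.100.0.50, and the choice of IPsec UDP ports are assumptions for the example; the external address 100.50.100.25 is the placeholder the original post used.

```pf
# Hypothetical interface and address macros (not from the thread)
ext_if     = "em0"            # WAN interface holding 100.50.100.25
lan_if     = "em1"            # interface on the 10.100.0.0/16 segment
vpn_server = "10.100.0.50"    # internal VPN server (assumed address)
vpn_ports  = "{ 500, 4500 }"  # IKE / NAT-T, assuming an IPsec server

# 1) Port forward: inbound VPN traffic arriving on the WAN address is
#    redirected to the internal VPN server. Without the rule below the
#    server would see the device's real public IP as the source.
rdr on $ext_if inet proto udp from any to 100.50.100.25 port $vpn_ports -> $vpn_server

# 2) Outbound NAT on the LAN-side interface: rewrite the source of the
#    forwarded packets to pfSense's own address on that interface, so the
#    VPN server sees a 10.100.0.0/16 source and replies back through pfSense.
#    ($lan_if) in parentheses means "whatever address is on that interface".
nat on $lan_if inet proto udp from any to $vpn_server port $vpn_ports -> ($lan_if)

# 3) The forwarded traffic still has to be passed by the filter.
pass in quick on $ext_if inet proto udp from any to $vpn_server port $vpn_ports keep state
```

The outbound NAT rule is also what sidesteps the asymmetric routing problem mentioned earlier: because the server only ever sees pfSense's LAN-side address, its replies return to pfSense rather than to a gateway that never saw the original connection. The cost is that the VPN server's own logs lose the real client IP, so the connection-level source has to be recovered from the pfSense state table or firewall log instead.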
-
Well look at that. I learned some new stuff.
Thank you.
Looked into outbound NAT and how to configure it - and after a DOH moment (gave it the wrong interface), the traffic hitting the internal VPN is now in the desired IP range.
Thank you again all for your help.
Now on to the next hurdle in building this emulator in virtualbox.
-
@johnpoz While I would normally agree on where to run the VPN, there are reasons - and nothing I can do about those reasons - it has to be done this way.
-
@sbrews said in More NAT help/seeking knowledge:
it has to be done this way.
Company Politics/Policies and optimal networking rarely see eye to eye ;) heheh