Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Access service in device connected via IPSEC trought public IP

    General pfSense Questions
    pfsense ipsec port forward
    2
    4
    437
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      felipefonsecabh
      last edited by

      Hi!
      I have this scenario:

      acesso-energisa-medidores.drawio.png

      I need access service in 7700 port in 192.168.17.10 that connect to pfsense from IPSEC Tunnel.

      Then i created a port forward in Firewall -> NAT:

      Source: Any
      Destination: WAN Address
      Destination Port Range: 25001
      Redirect Target IP: 192.168.17.10
      Redirect Target Port: 7700

      but i can't access the service. I missing anything? Thanks a lot!

      1 Reply Last reply Reply Quote 0
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        What subnets is your IPSec tunnel carrying? Is it using VTI (route based)?

        It will have to carry traffic from any external IP so forwarded traffic matches it.

        Steve

        F 1 Reply Last reply Reply Quote 0
        • F
          felipefonsecabh @stephenw10
          last edited by

          @stephenw10

          Hi!
          My Configurations on IPSEC:

          Local Network: LAN NET
          Remote Network: 192.168.17.0/24

          I think i'm not using VTI.

          I have change local network to Any to carry traffic from any external IP?

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            @felipefonsecabh said in Access service in device connected via IPSEC trought public IP:

            I have change local network to Any to carry traffic from any external IP?

            Yes, if you are using policy based IPSec and need to keep using that. The policy has to match that traffic and the source IP could be any IP.

            But if you do that it will match traffic at the other end for 'any' destination. All traffic from site1 will go over the IPSec tunnel. Which you probably don't want.

            A route based VPN tunnel of some sort would give you more options.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post