Routing Specific Traffic over VTI
-
Hello,
I'm pretty new to using pfSense - only started using it about 10 days ago to overcome some issues in my new office. Basically we are behind NAT and the managed networks team will not allow me to route certain ports into the network, mainly for things like FTP back-ups and VPN access.
As a result I have built two pfSense virtual machines, one hosted in the cloud on IONOS and one locally in our office that we are using as our gateway out onto the managed office network. The network looks like:
Remote Server - 10.11.1.0/24 VTI Address: 10.11.99.1
Local Office - 10.11.5.0/24 VTI Address: 10.11.99.2
The VTI tunnel is up and running, the gateway is showing as being online and I am able to ping both the gateways along with local LAN IPs on both sides of the tunnel, so I am 100% confident that the tunnel is up and working.
What I would like to be able to do is have my QNAP always use the Remote Server as both its outgoing and incoming Gateway so to this end I have created the following rules:
Local Office LAN Firewall Rules:
Remote Server WAN Rules:
I'm pretty sure I have done something wrong and it's going to be something silly like NAT or not picking the correct gateway or something.
On both machines Firewall > NAT > Outbound is set to Automatic. Does this need to be changed on the Remote Server to Hybrid and a rule put in place?
Thanks
Stan
-
I have managed to get the outbound traffic working by changing the NAT from Automatic to Hybrid.
Have tested it using my laptop and I am browsing using the IP address of the Remote Server which is perfect.
It is now just the incoming ports that are not routing correctly over the VTI interface and I am stuck.
/Stan
-
@stan-fergusonsmith said in Routing Specific Traffic over VTI:
Remote Server WAN Rules:
What's your intention? Routing this to a machine on the remote site?
Did you add a Port forwarding rule?
-
Hello @viragomann,
Yes the plan is to use the remote site as the gateway into the machines on the local site to allow us to route FTP traffic and Plex which I was using as my canary to check to see if it was working.
I think I was using Firewall rules when I should have been using Port Forwarding to be honest?
This is not my usual ball-park so feeling a little bit out of my depth to be honest.
/Stan
-
@stan-fergusonsmith
A port forwarding rule is needed for this in any case.
In the port forwarding rule you can select an option to let pfSense create an associated firewall rule automatically or just select "pass" to allow the traffic without an explicit rule.
Anyway, both are needed.
But there is something else. Assuming it's not an issue for you to not see the real client IP at the destination device, you can go with masquerading as well.
So on the remote site you have to add an additional outbound NAT rule to the IPsec interface with source = any, destination = 10.11.5.0/24, translation = interface address.
And an additional outbound NAT rule is needed on the local VPN endpoint. So you also have to switch the outbound NAT into hybrid mode and add a rule:
interface: LAN
source: any
dest.: 10.11.5.0/24
These NAT rules are needed so that the destination devices send reply packets back to the local pfSense, and the local to the remote. Without this they would send replies to their default gateway.
-
Thank you @viragomann
I will have a look at this today and hopefully it will be up and running soon.
-
Hello @viragomann
So I have the following on the Remote Server where I am pointing the traffic that I want to come into the system from:
Firewall Rule:
Port Forward Rule:
Outbound NAT:
And on the local system I have only changed the Firewall > NAT > Outbound to Hybrid and added the following rule:
Excuse the different themes I added them so I had a visual clue to which box I was working on to stop me getting confused.
The port still doesn't seem to be accessible do I need to add another rule in or have I not setup the NAT correctly?
/Stan
-
@stan-fergusonsmith
Does your application really use a static source port?? That's very unusual.
Most applications use a random source port. So you probably have to set the source port to 'any' in the port forwarding and firewall rule.
-
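The rules @viragomann describes above (port forward plus associated pass rule on the remote box, and a masquerading outbound NAT rule on each side so replies follow the tunnel), together with the source-port point, written out in pf.conf syntax, the ruleset pfSense compiles its GUI settings into. This is an added illustration, not from the thread or from pfSense itself: the interface names, the QNAP address 10.11.5.10 and the service port 32400 are assumptions made for the example.

```pf
# Added illustration in pf.conf syntax (pfSense writes its compiled ruleset to
# /tmp/rules.debug). Nothing here is copied from the thread; assumptions:
#   em0    = WAN of the remote (cloud) pfSense
#   ipsec1 = the assigned VTI interface (10.11.99.1 remote, 10.11.99.2 local)
#   em1    = LAN of the local office pfSense (10.11.5.0/24)
#   QNAP   = 10.11.5.10 (assumed), service port 32400 (assumed; Plex default)
# pf requires translation (rdr/nat) rules before filter (pass) rules.

# ---------- remote (cloud) pfSense ----------

# Port forward (Firewall > NAT > Port Forward). The client's source port is
# left as "any": clients pick a random ephemeral port, so pinning it to a
# fixed value would match almost no real connection (the mistake in the thread).
rdr on em0 inet proto tcp from any to (em0) port 32400 -> 10.11.5.10 port 32400

# Hybrid outbound NAT rule on the IPsec/VTI interface: traffic forwarded into
# the tunnel is masqueraded as the VTI address, so the local pfSense sees
# 10.11.99.1 as the source and returns replies over the tunnel, not its WAN.
nat on ipsec1 inet from any to 10.11.5.0/24 -> (ipsec1)

# Associated firewall rule for the forward (pfSense can create this for you).
# Filter rules match the already-translated destination, 10.11.5.10.
pass in quick on em0 inet proto tcp from any to 10.11.5.10 port 32400 \
    flags S/SA keep state

# ---------- local (office) pfSense ----------

# Hybrid outbound NAT rule on LAN: the QNAP sees the local LAN address as the
# client, so its replies return to the local pfSense rather than to whatever
# default gateway it has configured. The real client IP is hidden by this.
nat on em1 inet from any to 10.11.5.0/24 -> (em1)

# ---------- the variant that does not work ----------
# Same forward with a static source port: only a client whose ephemeral port
# happens to be 32400 would ever be redirected, so the service looks closed.
#   rdr on em0 inet proto tcp from any port 32400 to (em0) port 32400 \
#       -> 10.11.5.10 port 32400
```

To compare this with what the GUI actually generated on a pfSense box, `pfctl -sn` lists the loaded translation (nat/rdr) rules and `pfctl -sr` the filter rules; while a test connection is open, `pfctl -ss` should show a state for the forwarded port on the remote box and, if the outbound NAT rules are in place, a second state on the local box with the VTI address as the source.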
@viragomann thank you!
You were right I was being an idiot! All working now as it should be.
Thank you very much for your time and patience
/Stan