Netgate Discussion Forum

    NAT via two PFSense Firewalls connected via IPSec

    zulasch:

      Hey guys,

      is it possible to make a connection from the "User" to the "Webserver" like in the picture above?

      I already set up the IPsec tunnel, and I can reach the Webserver via the shell from the FW2 firewall, so the VPN is fine.

      Now I have created a NAT rule for the internet users with the following configuration:
      Destination: This Firewall, WAN IP or Floating IP (tried all three possibilities)
      Destination port range: 443
      Redirect target IP: WebserverIPAdress
      Redirect target port: 443

      but it's not working, so I cannot reach the webserver with the WAN IP or Floating IP...

      Is this scenario technically possible?

      Thanks
      zulasch


      viragomann (replying to zulasch):

        @zulasch said in NAT via two PFSense Firewalls connected via IPSec:

        is it possible to make a connection from the "User" to the "Webserver" like in the picture above?

        No.

        zulasch (replying to viragomann):

          @viragomann
          Why?

          viragomann (replying to zulasch):

            @zulasch
            This would require that you have defined an SPD for the "users" IP and the webserver in IPsec. But the client's IP is dynamic. So it would only work if you route the whole upstream traffic from the webserver over the VPN, which might not be what you want.

            It would work with any other kind of VPN though, which gives you the possibility of assigning an interface to it. Could be OpenVPN, WireGuard or IPsec VTI.

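A small model of the point made in the reply above, added here as an illustration and not code from the thread or from pfSense: a policy-based IPsec tunnel only carries a packet whose source and destination both fall inside a Phase 2 selector, so a port forward from a dynamic internet client cannot match unless the selector covers any source. All addresses below are constructed assumptions (the post's diagram is not reproduced).

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumptions): the webserver sits behind FW1,
# the internet user hits FW2's WAN address, and the NAT rule lives on FW2.
FW2_LAN = ip_network("10.2.0.0/24")
FW1_LAN = ip_network("10.1.0.0/24")
WEBSERVER = ip_address("10.1.0.80")
CLIENT = ip_address("203.0.113.10")      # dynamic internet user
ANY = ip_network("0.0.0.0/0")


def spd_match(phase2_entries, src, dst):
    """Policy-based IPsec: a packet enters the tunnel only if some Phase 2
    selector (local_net, remote_net) covers both its source and destination."""
    return any(src in local and dst in remote for local, remote in phase2_entries)


def port_forward_over_ipsec(phase2_entries, client, target):
    """Simulate FW2's port forward: client -> FW2 WAN:443 is DNAT'd to target.
    DNAT rewrites only the destination, so FW2's SPD lookup sees (client, target).
    The reply from the webserver is checked on FW1 against the mirrored selector.
    Returns (forward_matches_spd, reply_matches_spd)."""
    forward_ok = spd_match(phase2_entries, client, target)
    mirrored = [(remote, local) for local, remote in phase2_entries]  # FW1's view
    reply_ok = spd_match(mirrored, target, client)
    return forward_ok, reply_ok


def port_forward_over_vti(routes, client, target):
    """Route-based VPN (IPsec VTI, OpenVPN, WireGuard): the tunnel is an
    interface chosen purely by the destination route; the source address does
    not matter. (The return path on FW1 must still route back via the tunnel,
    typically by outbound-NATing the forward on the tunnel interface.)"""
    return any(target in net for net in routes)


# Case 1: the usual LAN-to-LAN Phase 2 on FW2 (local FW2_LAN, remote FW1_LAN).
LAN_TO_LAN = [(FW2_LAN, FW1_LAN)]
# Case 2: Phase 2 with local 0.0.0.0/0, i.e. FW1 sends the webserver's whole
# upstream traffic over the VPN, which is what the reply warns about.
ANY_TO_LAN = [(ANY, FW1_LAN)]

if __name__ == "__main__":
    print("LAN-to-LAN P2, internet client:", port_forward_over_ipsec(LAN_TO_LAN, CLIENT, WEBSERVER))
    print("0.0.0.0/0 P2, internet client:  ", port_forward_over_ipsec(ANY_TO_LAN, CLIENT, WEBSERVER))
    print("VTI with route to FW1_LAN:      ", port_forward_over_vti([FW1_LAN], CLIENT, WEBSERVER))
```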
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.