Netgate Discussion Forum
    Using VTI IPsec to bypass managed office NAT

      stan.fergusonsmith

      Hello,

      In April this year we moved into a managed office to make life easier on us. As part of the new office we are unable to run our own WiFi, and the wall sockets dropped me onto a network where I could see other devices in other offices. This did not fill me with confidence, so I looked into my options and pfSense was recommended to allow me to place a block between my office devices and the office LAN at large. This has been in place now for several months with no issues.

      Now to the tricky part - as part of my backup routine for the 3 webservers that I look after I need to access the QNAP device that is in the office behind the pfSense network. As a result I spun up a VPS from IONOS and installed pfSense on it to act as an accessible end-point for FTP.

      The network is running 2.8.0 on both sites, and they have the following config:

      Site 1 - Remote Site (IONOS)
      Internal IP Range: 10.80.1.0/24
      IPsec VTI: 10.80.99.1
      OpenVPN: 10.80.98.0/24

      Site 2 - Local Site (Managed Office)
      Internal IP Range: 10.80.2.0/24
      IPsec VTI: 10.80.99.2

      [image attachment]

      I have three objectives that I would like to achieve:

      1. Have any incoming FTP activities come via site 1 and be forwarded onto the QNAP NAS on site 2 and have the QNAP reply via site 1

      2. Be able to access both site 1 & site 2's internal networks from OpenVPN

      3. If site 3 does come online I would like to be able to access all three subnets using site 1 as the hub, and sites 2 & 3 as spokes.

      Note I did have this working, but something happened to the site 2 machine and I didn't have a recent backup, and when I performed a clean install again I was unable to get it to play ball again. Now that I have some free time I would like to get it back up and running.

      Currently the IPsec VPN is up, P2 is installed on both sides of the connection, and from Gateways I can see the gateways are both online with no packet loss. If I SSH onto site 1 I am able to ping the QNAP device with no issues, and from my Mac on site 2 I am able to ping the remote pfSense local IP, along with being able to ping both gateways from either end.

      Site 1 - Ping Results & Gateway Monitoring

      Gateway to site 2 is up and running with a roundtrip of around 60ms:
      [screenshot]

      Pinging site 2 pfSense box showing a similar average:
      [screenshot]

      Ping site 1 Gateway IP:
      [screenshot]

      Ping site 2 Gateway IP:
      [screenshot]

      Site 2 - Ping Results & Gateway Monitoring

      Gateway to site 1 is up and running with a roundtrip of 60ms:
      [screenshot]

      Site 2 - Ping from Site 2 to Site Gateway:
      [screenshot]

      Site 2 - Ping Site 2 Gateway:
      [screenshot]

      Site 1 - Firewall / NAT / Rules

      This is going to be the entry point to the network; this is where I have created the port forwards for the FTP access onto the QNAP on site 2.

      Port Forward Rules:
      [screenshot]

      Outbound NAT is set to Hybrid and I have added the following two rules that I was advised in my previous post:
      [screenshot]

      IPsec Firewall rules:
      [screenshot]

      Site 2 - Firewall / NAT / Rules

      I have configured the QNAP device to use site 1 as its remote gateway so that all traffic sent by the device will get sent over the link and exit from site 1.

      Outbound NAT is set to Hybrid and I have added the rule that I was advised in my previous post.
      [screenshot]

      LAN Firewall rules to route all QNAP traffic via the VTI Link:
      [screenshot]

      IPsec Firewall rules:
      [screenshot]

      When trying to access the FTP from the Plesk servers I am getting the error:

      [screenshot of the error]

      I hope that this all makes sense and someone can help me figure it out before I pull my hair out in frustration.

      Many thanks

      Stan

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.