1 Public Static IP for 1 dynamic IP location
-
Hello,
This probably got answered numerous time in this forum, but I could not find a solution for my situation. Thanks in advance any help any body can provide!Location #1 : Public Static IPv4 X.X.X.X/29
Location #2 : 10.0.0.0/24I have 2 location, 1 of them has Public Static IPv4 from ISP and other location has dynamic IP. Locattion #2 has some servers that need to be reached from outside through the Public IP in location #1. I have OpenVPN site-to-site established between these 2 locations which is up and running. If i want to reach a server in location #2 with 10.0.0.2:110 from outside using something like X.X.X.X:110 how would I do the routing?
-
Be sure the Location 2 OpenVPN has an assigned interface and that the rules passing traffic in there DO NOT match on the OpenVPN tab but DO MATCH on the assigned interface tab. This will get you reply-to there.
Make a simple port forward on the Location #1 WAN to the 10.0.0.0/24 address across the tunnel.
-
Thanks for the reply Derelict!
I do have Port forward on location #1 WAN to 10.0.0.0/24. But I am unsure of the 'rules DO NOT MATCH on interface and OpenVPN tab part.
The default OpenVPN tab has a rule ipv4 * to *. I created a new interface based on on openvpn and that also has rule ipv4 * to *. What would the rule look like on the interface and Openvpn tab?
-
I think it is fixed now. I removed the rules from default OpenVPN on Location #2 client side, it started working right away. Thanks for pointing out the additional interface tip. Its somewhat to have a default OpenVPN tab and the need to create yet another openvpn interface. Anybody knows why is that?
-
The OpenVPN tab is an interface group for all OpenVPN instances, client and server, on the node.
Just like everywhere else in pfSense, interface group rules are processed after floating rules and before interface rules.
Just like everywhere else in pfSense, a state created by interface group rules cannot benefit from things like reply-to because pf cannot know what interface the traffic should reply to.
Creating an assigned interface for OpenVPN and making sure the interface group does not match (because the state would be created there without reply-to in that case) allows pf to perform reply-to magic.
-
Looks like I am having little more trouble on this topic. Port forwarding to servers in Location #2 working just fine. But having difficulties with the webserver. We have a web server in location #2 that need to be reached with Public IPv4 in location #1. How can i forward an entire IP to the 2nd location so people can reach the site? As of now I did port forward 80,443 for X.X.X.X to reach the web server on 10.0.0.17/24 in location #2.
Hope the issue is clear.
-
If you don't have multiple addresses at site 1, 1:1 NAT will make everything for that single address go to the NAT address.
If you have multiple addresses to use, use one for them for 1:1 NAT.
What specifically isn't working. Please be specific. List addresses and ports and locations and be specific. please be specific. Did I say to be specific? Specifically be specific. And complete. Please provide complete and specific information about what is not working.
Completely and specifically.
-
May be this attached diagram will help?
I have Site #1 with Public Static IP and #2 with Dynamic WAN IP. I want all incoming traffic to come to Site #1 as thats where the static IPs are. We have Web servers on site #2 that need to be reached by clients. Also got a Linux virtual servers that need to be reached using static IP without any port restriction/forwarding.
The tunnel between 2 sites are up and running. Email server is reached with no issue. The web servers can also be reached but touch and go. CentOS server is unreachable unless I do port forwarding on Site #1. But dont want to micro manage that. User should just access whatever port they need to to the linux server if i can forward the IP itself.
Basically trying to making Site #2 work as if it was physically located in Site #1. Main problem right now how can I pass the entire /24 IP block through the tunnel.
-
If you have all those addresses just 1:1 NAT from one of them to the one across OpenVPN. Then pass the traffic you want passed.
-
If you have all those addresses just 1:1 NAT from one of them to the one across OpenVPN. Then pass the traffic you want passed.
So I have created a 1:1 NAT on pfSense server location #1 for 99.99.99.0/24. Server using OpenVPN tab with rules IPv4 * *. On client OpenVPN rules tab is empty while created an Interface based on openvpn. That also got rule IPv4 * *.
Since Source and Destination is * in the rules, shouldnt things just get passed? You referred to just pass the traffic i need to pass, could you please be kind and give me an example of the rule and where does it need to go in order for public to reach the webserver through 1 one of the public IP? -
Well you can't 1:1 NAT 99.99.99.0/24 to 99.99.99.0/24 nor is there any reason to.
What, exactly, are you looking to do?
If 99.99.99.0/24 is on the interface at site #1 (which would be completely stupid - nobody sane would put a /24 on a WAN interface) then you have to NAT it to something else.
If it is routed to the WAN at Site #1 then just make it (or a subnet of it) a remote network across the OpenVPN and you don't have to NAT at all.
It really depends on what you actually have and what you want to do with it.
-
At location #1 I have a Static 88.88.88.00/28 and Static IPv4 99.99.99.00/24 from ISP. pfsense WAN interface runs on 88.88.88.01/28. 99.99.99.00/24 is being routed to us via an VirtualIP interconnect 88.88.88.04/28.
Location #2 has dynamic IP from ISP. I have few web servers in location #2 with IP:
99.99.99.01/24 = abc.com
99.99.99.02/24 = xyz.com
99.99.99.03/24 = 123.comUsers need to reach abc.com/xyz.com/123.com over internet using their browser. Instead of the web servers being in location#1, they all are in location #2. Right now when somebody tries to reach abc.com or any domains, it times out or gets page not found error.
I do apologize for all these clarifications and taking so much time!
-
If it is routed to the WAN at Site #1 then just make it (or a subnet of it) a remote network across the OpenVPN and you don't have to NAT at all.
It really depends on what you actually have and what you want to do with it.
I just reread your post. Yes you are very correct, the 99.99.99.00/24 is being routed to WAN at Site #1.
then just make it (or a subnet of it) a remote network across the OpenVPN and you don't have to NAT at all.
I do not know how to 'just make a remote network across the OpenVPN mean'. I have a feeling this is where i am stuck.
-
Are the web servers at location #2 actually listening on the 99.99.99.X addresses on their interfaces or do they have some other local interface addresses they are listening on?
Focus on just one. The rest will just be duplication of that.
-
Are the web servers at location #2 actually listening on the 99.99.99.X addresses on their interfaces or do they have some other local interface addresses they are listening on?
Focus on just one. The rest will just be duplication of that.
There is an interface in location #2 pfsense with 99.99.99.254/24. Gateways for the web servers are pointed to that.
-
So just add 99.99.99.0/24 as a remote network on the OpenVPN at site 1.
See also all the stuff above about reply-to and assigned interfaces at site 2.
Pass the traffic on site 1 WAN that you want to pass such as tcp source any dest 99.99.99.1 ports 80 and 443
Make sure that traffic DOES NOT MATCH on the OpenVPN tab at site 2. It has to NOT MATCH there and match on the assigned interface tab.
