Netgate Discussion Forum

    NAT through VPN?

      0tt0

      Hi,

      I tried earlier to use an IP on the other side of a VPN tunnel as target for a NAT mapping, think it was a web server. Should this work? I couldn't get it to work despite being able to ping back and forth through the tunnel.

      The scenario being that the target machine is placed elsewhere and there being a VPN tunnel set up between two pfS boxes, so every request for the web server should go over the VPN.

      TIA,

        GruensFroeschli

        Is the traffic for this webserver always going over the VPN?
        As in, is the other side of the tunnel the default gateway for the server?
        Otherwise I see the problem, that the traffic from the NAT mapping gets to the server, but takes a different way back to the internet.

        To get around this you would have to enable "source NAT" (AoN NAT-rule for traffic to the server), so that inbound traffic appears as if from the pfSense.
        –> The answer to the request to the server takes the correct way out to the internet.

        IMO this should be possible, but I never tried.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          0tt0

          @GruensFroeschli:

          Is the traffic for this webserver always going over the VPN?

          Yes that is the idea.

          As in, is the other side of the tunnel the default gateway for the server?
          Otherwise I see the problem, that the traffic from the NAT mapping gets to the server, but takes a different way back to the internet.

          To get around this you would have to enable "source NAT" (AoN NAT-rule for traffic to the server), so that inbound traffic appears as if from the pfSense.
          –> The answer to the request to the server takes the correct way out to the internet.

          IMO this should be possible, but I never tried.

          True, cannot remember if I thought of that. I'll try to remember to double-check that when trying this again. But I should be able to simply use the local pfS IP then on the other side of the VPN, it must be an IP/machine that does routing I mean.

          Thanks,

            GruensFroeschli

            @0tt0:

            @GruensFroeschli:

            Is the traffic for this webserver always going over the VPN?

            Yes that is the idea.

            So you essentially have as default gateway the VPN itself.
            In this case all traffic should always come back to the pfSense and thus shouldn't need source NAT.

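A simplified model of the return-path reasoning in this thread, added here as an illustration (it is not from either poster and is not pfSense code). All addresses, names and the routing table are constructed assumptions; the model only decides whether the reply comes back through the pfSense that holds the port forward.

```python
import ipaddress

# Constructed addresses (documentation / RFC 1918 ranges), not from the thread.
CLIENT = "203.0.113.10"   # Internet client
A_WAN = "198.51.100.1"    # pfSense A: holds the port forward
A_TUN = "10.0.8.1"        # pfSense A's address inside the tunnel (assumed)
SERVER = "192.168.20.5"   # web server on the LAN behind pfSense B
# Networks that site B always routes into the tunnel (assumed).
VPN_ROUTES = [ipaddress.ip_network("10.0.8.0/24")]


def reply_exit(dst, server_default_gw):
    """Path site B uses for a reply addressed to dst: 'vpn' or 'b_wan'."""
    if any(ipaddress.ip_address(dst) in net for net in VPN_ROUTES):
        return "vpn"  # a specific route wins over the default gateway
    return "vpn" if server_default_gw == "vpn" else "b_wan"


def port_forward(server_default_gw, source_nat):
    """Trace one request and its reply; return (works, reason)."""
    # Inbound on pfSense A: destination NAT A_WAN:80 -> SERVER:80.
    # A keeps a state entry so it can undo the translation on the reply.
    state = {"client": CLIENT, "orig_dst": A_WAN}
    # With source NAT the server sees A's tunnel address, else the client.
    src_seen_by_server = A_TUN if source_nat else CLIENT
    # The server answers whatever source address it saw.
    if reply_exit(src_seen_by_server, server_default_gw) == "b_wan":
        # The reply bypasses pfSense A, is never translated back to
        # A_WAN, and the client's connection does not complete.
        return False, "reply took site B's own uplink instead of the tunnel"
    # The reply returned through the tunnel: A's state undoes the NAT.
    return True, f"reply to {state['client']} sent from {state['orig_dst']}"


if __name__ == "__main__":
    for gw in ("b_wan", "vpn"):
        for snat in (False, True):
            ok, why = port_forward(gw, snat)
            print(f"default_gw={gw:5} source_nat={snat!s:5} -> {ok}: {why}")
```

Only the combination "server's default gateway is not the VPN" and "no source NAT" fails, which matches the two cases discussed above.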
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.