Netgate Discussion Forum

    IPSEC and NAT

    General pfSense Questions · 7 Posts · 3 Posters · 1.5k Views
    fastfire

      Hello everyone,

      Here is my problem. I need to create an IPsec VPN with an institution which must reach a machine in my DMZ (192.168.0.0/24). This institution, however, must reach the machine in the DMZ network by pointing to a network chosen by them (10.210.xx/29). I then proceeded to create an IPsec VPN, putting 10.210.xx as the local network and their network (10.50.xx/29) as the remote one. I then created a port forward on the IPsec interface for FTP connections directed to 10.210.xx, forwarding the connections to a machine on the 192.168.0.0/24 DMZ network. I then started the VPN, which is established correctly. I noticed, however, that on pfSense, in the routing table, I cannot find a route for 10.50.xx/29. In addition, the institution cannot reach my FTP server in the DMZ. In your opinion, is this a configuration that is manageable from pfSense (version 2.0.1)? Do you have any idea what the problem could be? Thank you.

      nothing

        Since you want to present your DMZ through the VPN you should configure 192.168.0.0/24 as local network for the VPN. No port forwarding is required - you will have direct routing through the tunnel.
        Then add some firewall rules on the IPSEC interface.

        fastfire

          @nothing:

          Since you want to present your DMZ through the VPN you should configure 192.168.0.0/24 as local network for the VPN. No port forwarding is required - you will have direct routing through the tunnel.
          Then add some firewall rules on the IPSEC interface.

          My local network must be the network chosen by the institution (10.210.xx/29); I have no choice, because they must reach the machine by pointing to the network set by them. If I configure 192.168.0.0/24 as the local network, the VPN does not work, because there is a mismatch between the networks configured in pfSense and the networks configured on the institution's router.

          nothing

            You won't see a route for the IPsec.
            What does the port forwarding rule look like?

            fastfire

              @nothing:

              You won't see a route for the IPsec.
              What does the port forwarding rule look like?

              The port forwarding rule is:
              If: IPsec · Proto: TCP · Src. addr: * · Src. ports: * · Dest. addr: 10.210.x.x/29 · Dest. ports: 21 · NAT IP: 192.168.0.x · NAT ports: 21

              georgeman

                NAT before IPsec was implemented in 2.1: http://blog.pfsense.org/?p=712

                As far as I know, it never worked before (I haven't tested on 2.1, but it's supposed to work).

                If it ain't broke, you haven't tampered enough with it

                fastfire
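As an added illustration (not pfSense's own code and not from anyone in this thread) of why georgeman's point matters: when one real DMZ host is presented to the peer under the institution's address, the reply from 192.168.0.x must be translated before it is compared against the phase 2 selector, otherwise it never enters the tunnel. All addresses below are constructed placeholders, since the thread only shows 10.210.x.x, 10.50.x.x and 192.168.0.x.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addresses, standing in for the thread's 10.210.x.x,
# 10.50.x.x and 192.168.0.x placeholders; not the poster's real values.
REAL_FTP_HOST   = ip_address("192.168.0.10")   # FTP server's real DMZ address
TUNNEL_FTP_IP   = ip_address("10.210.7.2")     # address the institution was told to use
LOCAL_SELECTOR  = ip_network("10.210.7.0/29")  # phase 2 "local network" as the peer sees it
REMOTE_SELECTOR = ip_network("10.50.7.0/29")   # phase 2 remote network

# 1:1 (BINAT) mapping between the presented address and the real host
BINAT_IN  = {TUNNEL_FTP_IP: REAL_FTP_HOST}
BINAT_OUT = {REAL_FTP_HOST: TUNNEL_FTP_IP}


def matches_phase2(src, dst):
    """A packet is only carried by the tunnel if its addresses fit the selectors."""
    return (src in REMOTE_SELECTOR and dst in LOCAL_SELECTOR) or \
           (src in LOCAL_SELECTOR and dst in REMOTE_SELECTOR)


def inbound(src, dst):
    """Packet decrypted from the tunnel: selector check on the addresses as sent,
    then the destination is translated to the real DMZ host.  Returns the
    (src, dst) pair handed to the DMZ, or None if the selector rejects it."""
    src, dst = ip_address(src), ip_address(dst)
    if not matches_phase2(src, dst):
        return None
    return str(src), str(BINAT_IN.get(dst, dst))


def outbound(src, dst, nat_before_ipsec=True):
    """Reply from the DMZ host.  With the translation applied *before* the IPsec
    selector check (the "NAT before IPsec" the thread says arrived in 2.1) the
    source becomes 10.210.7.2 and matches; without it the real 192.168.0.10 is
    not inside 10.210.7.0/29 and the reply is never sent through the tunnel."""
    src, dst = ip_address(src), ip_address(dst)
    if nat_before_ipsec:
        src = BINAT_OUT.get(src, src)
    if not matches_phase2(src, dst):
        return None
    return str(src), str(dst)
```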

                  Thank you, I'll do some testing with 2.1 and then I'll know.
