Netgate Discussion Forum
    Can I NAT a public IP on a local pfSense LAN gateway?

    15 Posts 2 Posters 3.6k Views
    • Derelict LAYER 8 Netgate

      Make sure you duplicate the IPsec passthrough entries.  There should be an entry for "Auto created rule for ISAKMP - LAN to WAN"  you can reference.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • cybermod

        Sorry Derelict, but I don't understand this step... maybe my baaad English, I think? :'(

        Maybe I need to create a new rule (in fact, in automatic NAT outbound rule generation, I can see "IPsec passthrough included")...

        I didn't find any option with "Auto created rule for ISAKMP - LAN to WAN"...... mhhh.....

        Maybe it is a similar rule: https://www.google.it/search?q=pfsense+Auto+created+rule+for+ISAKMP+-+LAN+to+WAN&safe=off&client=firefox-a&hs=5x&rls=org.mozilla:it:official&channel=fflb&source=lnms&tbm=isch&sa=X&ei=dl7bU_apOIWk0QW83oCYAw&ved=0CAoQ_AUoAw&biw=1280&bih=953#facrc=&imgdii=&imgrc=k2uTplclX1cJvM%253A%3BPR65AvcntbfHjM%3Bhttp%253A%252F%252Fwww.bodenzord.com%252Fwp-content%252Fuploads%252F2014%252F04%252FPIA_NAT_Configure.gif%3Bhttp%253A%252F%252Fwww.bodenzord.com%252Farchives%252F324%3B780%3B787
        but I am a noob on this subject, sorry.

        • Derelict LAYER 8 Netgate

          It's in the manual NAT page.  You need to set a rule above the one you set to map outbound NAT for your network to the secondary IP, but this one matches on port 500 and sets the static port option and the secondary IP.

          You're working on IPsec devices going through NAT, not a site-to-site from pfSense or a mobile client server on pfSense right?

          ![Screen Shot 2014-08-01 at 8.56.03 AM.png](/public/imported_attachments/1/Screen Shot 2014-08-01 at 8.56.03 AM.png)
          ![Screen Shot 2014-08-01 at 9.03.53 AM.png](/public/imported_attachments/1/Screen Shot 2014-08-01 at 9.03.53 AM.png)


          • cybermod

            No Derelict, it does not work....

            But now I'll try other options.

            Please read your private message, I need one piece of private information.

            Regards

            • cybermod

              Derelict, sorry, but I have a lot of difficulty understanding you. At this moment I must leave my project.....
              I'll try to show you my situation with an example and screenshots. Now my brain is very fused (and I am unhappy :( )

              ippublic1
              ippublic2 virtual                      lan1 (vlan1)    vpnipsec
              ippublic3 virtual    pfsense    lan2 (vlan2)    vpnipsec
              ippublic4 virtual                      lan3 nat1:1 ---- router

              Behind lan2 I have some clients. These clients must exit via ippublic3 (virtual).
              To do this, I need a manual outbound rule, shown in the first image. If I don't put ippublic3, my clients behind lan2 exit with ippublic1 (not the virtual IP).
              Shown in the second line.
              The first is as you said.

              At this moment, this IPsec VPN runs!!!
              The image shows you the parameters.

              Where is/are the error(s)?
              Maybe I am trying to do the impossible?

              Headache.

              The first IPsec does not run.... but this is another problem.
              On lan4 I think there are no problems, because NAT 1:1 is not NAT 1:254 ;)

              Pleeeeeeasseeeee, help me, otherwise I will hang myself with a patch cord in the computer room!

              Regards and thanks

              ![1 Firewall_ NAT_ Outbound.png](/public/imported_attachments/1/1 Firewall_ NAT_ Outbound.png)
              image2.png
              ipsec1.png
              ipsec2.png

              • Derelict LAYER 8 Netgate

                OK.  So you're talking about site-to-site VPN, not IPsec passthrough.

                In your first image, 1 Firewall_ NAT_ Outbound.png, the rules say this:

                1. If WAN1 has traffic sourced from 192.168.35.0/24:any destined for any:500, translate the source address to "WAN1 address" and use static ports

                2. If WAN1 has traffic sourced from 192.168.35.0/24:any destined for any:any, translate the source address to "ippublic3"

                The first rule is for clients on the 192.168.35.0/24 who are making IPSec connections from their devices, like with Cisco VPN client or AnyConnect, etc.  It has nothing to do with pfSense establishing a site-to-site IPSec tunnel.

                As for your VPN tunnels, both ends have to match.  You determine what traffic you allow INTO your network FROM the remote VPN networks with rules in the IPSec interface.

                My advice is to back off, work one interface at a time, get your manual NAT where you want it for each, then move to the VPN, one tunnel at a time.  You might save more time resetting your configuration to factory, reentering your virtual IPs, resetting your LAN interfaces, selecting Manual NAT and taking a good look at the rules so you understand them.  All you should have to change are the "NAT address" columns in the automatic rules.


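As an added illustration of the rule-order point in the post above (this is example code, not pfSense's own code and not something posted in the thread), the following Python models how manual outbound NAT rules are evaluated top to bottom with the first match winning. It encodes the two rules Derelict reads from the screenshot, shows which translation a client packet to port 500 and to port 443 receives, and flags a rule that can never match because a broader rule sits above it. The public addresses are constructed placeholders from the RFC 5737 documentation range; the interface name and the "random source port unless static port is set" behaviour are assumptions taken from the thread's description.

```python
"""Model of first-match evaluation of pfSense manual outbound NAT rules.

Added example: not code from pfSense or from this thread. Rule fields mirror
the Firewall > NAT > Outbound columns; public addresses are constructed
placeholders from the RFC 5737 documentation range.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

WAN1_ADDRESS = "203.0.113.1"  # constructed stand-in for "WAN1 address"
IPPUBLIC3 = "203.0.113.3"     # constructed stand-in for the virtual IP "ippublic3"


@dataclass(frozen=True)
class OutboundRule:
    interface: str
    source: str                # source network in CIDR, e.g. "192.168.35.0/24"
    dst_port: Optional[int]    # None means "any"
    nat_address: str           # the "NAT Address" column
    static_port: bool = False  # keep the original source port (ISAKMP needs 500)

    def matches(self, interface: str, src_ip: str, dst_port: int) -> bool:
        return (self.interface == interface
                and ip_address(src_ip) in ip_network(self.source)
                and (self.dst_port is None or self.dst_port == dst_port))


def translate(rules: List[OutboundRule], interface: str, src_ip: str,
              src_port: int, dst_port: int) -> Optional[Tuple[str, object]]:
    """Apply the first matching rule and return (new source IP, new source port).
    The port is the original one under static-port and "random" otherwise.
    None means no rule matched, so the packet leaves untranslated."""
    for rule in rules:
        if rule.matches(interface, src_ip, dst_port):
            return rule.nat_address, (src_port if rule.static_port else "random")
    return None


def shadowed_rules(rules: List[OutboundRule]) -> List[int]:
    """Indices of rules that can never match because an earlier rule on the
    same interface covers a superset of their source network and port."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            broader_net = ip_network(later.source).subnet_of(ip_network(earlier.source))
            broader_port = earlier.dst_port is None or earlier.dst_port == later.dst_port
            if earlier.interface == later.interface and broader_net and broader_port:
                shadowed.append(i)
                break
    return shadowed


# The two rules as read from the screenshot, in the order they appear.
RULES_AS_POSTED = [
    OutboundRule("WAN1", "192.168.35.0/24", 500, WAN1_ADDRESS, static_port=True),
    OutboundRule("WAN1", "192.168.35.0/24", None, IPPUBLIC3),
]

# Same two rules with the catch-all placed first: the port-500 rule becomes dead.
RULES_REVERSED = list(reversed(RULES_AS_POSTED))


if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED), ("reversed", RULES_REVERSED)):
        print(f"--- rules {name} ---")
        print("ISAKMP from client:", translate(rules, "WAN1", "192.168.35.10", 500, 500))
        print("HTTPS from client: ", translate(rules, "WAN1", "192.168.35.10", 51000, 443))
        print("shadowed rule indices:", shadowed_rules(rules))
```

With the rules in the posted order, a client's ISAKMP packet leaves as WAN1 address with source port 500 preserved, and everything else leaves as ippublic3 with a random source port. With the catch-all first, the port-500 rule is reported as shadowed and ISAKMP traffic is translated to ippublic3 with a rewritten port, which is exactly the situation the "put it above the other rule" advice avoids.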
                • cybermod

                  > OK.  So you're talking about site-to-site VPN, not IPsec passthrough.
                  >
                  > In your first image, 1 Firewall_ NAT_ Outbound.png, the rules say this:
                  >
                  > 1. If WAN1 has traffic sourced from 192.168.35.0/24:any destined for any:500, translate the source address to "WAN1 address" and use static ports

                  So, is it wrong? Because I think that all traffic sourced from 192.168.35.0/24:any destined for any:any should be translated to "ippublic3"... right?

                  > 2. If WAN1 has traffic sourced from 192.168.35.0/24:any destined for any:any, translate the source address to "ippublic3"

                  In this mode, when I check the public IP from my client, it is ippublic3, so I think that this rule is right.

                  > The first rule is for clients on the 192.168.35.0/24 who are making IPSec connections from their devices, like with Cisco VPN client or AnyConnect, etc.  It has nothing to do with pfSense establishing a site-to-site IPSec tunnel.

                  Really? Oh my god... I have understood nothing...... ARG!

                  > As for your VPN tunnels, both ends have to match.  You determine what traffic you allow INTO your network FROM the remote VPN networks with rules in the IPSec interface.

                  I'll add a little thing: I have the same configuration on another pfSense, behind another pfSense with NAT 1:1: it runs!
                  My new project serves to simplify and reduce the number of pfSense boxes.

                  > My advice is to back off, work one interface at a time, get your manual NAT where you want it for each, then move to the VPN, one tunnel at a time.  You might save more time resetting your configuration to factory, reentering your virtual IPs, resetting your LAN interfaces, selecting Manual NAT and taking a good look at the rules so you understand them.  All you should have to change are the "NAT address" columns in the automatic rules.

                  I am not happy to hear this, but I think you're right... at this moment I am very confused!

                  OK, I will reset my pfSense, or is it better to reinstall it?

                  My future pfSense:

                  ippublic1                            wan pfsense      -  lan1    (LAN service to reach my pfSense, with anti-lockout rule)
                  ippublic2 (virtual ip)                                      - lan2    (LAN for other logical LANs with VLANs)
                                                                                            |
                                                                                          lan3    (on vlan3, with ippublic2 and class 192.168.35.1), when IPsec tunnel

                  Is it OK to test all?

                  • Derelict LAYER 8 Netgate

                    @cybermod:

                    > OK.  So you're talking about site-to-site VPN, not IPsec passthrough.
                    >
                    > In your first image, 1 Firewall_ NAT_ Outbound.png, the rules say this:
                    >
                    > 1. If WAN1 has traffic sourced from 192.168.35.0/24:any destined for any:500, translate the source address to "WAN1 address" and use static ports
                    >
                    > So, is it wrong? Because I think that all traffic sourced from 192.168.35.0/24:any destined for any:any should be translated to "ippublic3"... right?

                    I don't think that rule has anything to do with your situation because you're not using IPsec VPN clients from behind your NAT.  If you WERE using IPsec VPN clients from behind NAT, they would look like they were coming from "WAN address".  If you wanted them to come from ippublic3, you'd need to change that rule.

                    > 2. If WAN1 has traffic sourced from 192.168.35.0/24:any destined for any:any, translate the source address to "ippublic3"
                    >
                    > In this mode, when I check the public IP from my client, it is ippublic3, so I think that this rule is right.

                    Ok.

                    > My advice is to back off, work one interface at a time, get your manual NAT where you want it for each, then move to the VPN, one tunnel at a time.  You might save more time resetting your configuration to factory, reentering your virtual IPs, resetting your LAN interfaces, selecting Manual NAT and taking a good look at the rules so you understand them.  All you should have to change are the "NAT address" columns in the automatic rules.
                    >
                    > I am not happy to hear this, but I think you're right... at this moment I am very confused!
                    >
                    > OK, I will reset my pfSense, or is it better to reinstall it?
                    >
                    > My future pfSense:
                    >
                    > ippublic1                            wan pfsense      -  lan1    (LAN service to reach my pfSense, with anti-lockout rule)
                    > ippublic2 (virtual ip)                                      - lan2    (LAN for other logical LANs with VLANs)
                    >                                                                                           |
                    >                                                                                         lan3    (on vlan3, with ippublic2 and class 192.168.35.1), when IPsec tunnel
                    >
                    > Is it OK to test all?

                    A couple things to note.

                    The only thing you should need to change after switching to manual outbound NAT is the "NAT Address" for the LAN3 rules (set to ippublic2 based on your new diagram).

                    Then just set up the IPsec tunnel.  You need to set the Interface in the IPsec configuration to the interface or virtual IP you want the IPsec to connect from and listen on (and that the other side is expecting to connect with).

                    Those are really the only two changes from a "normal" config that I can see.

                    Resetting to factory should be fine, as long as all the changes you've made were using the webAdmin and you haven't been making changes using the command line.  If you've been doing that, I'd reinstall.


                    • cybermod

                      > I don't think that rule has anything to do with your situation because you're not using IPsec VPN clients from behind your NAT.  If you WERE using IPsec VPN clients from behind NAT, they would look like they were coming from "WAN address".  If you wanted them to come from ippublic3, you'd need to change that rule.

                      OK, maybe I explained my situation very badly.
                      There is no client VPN for the clients behind 192.168.35.0/24. The VPN is site-to-site between this gateway and another remote gateway.
                      This is because the clients behind 192.168.35.0/24 must have access to a remote server with an application and some printers.

                      > A couple things to note.
                      >
                      > The only thing you should need to change after switching to manual outbound NAT is the "NAT Address" for the LAN3 rules (set to ippublic2 based on your new diagram).
                      >
                      > Then just set up the IPsec tunnel.  You need to set the Interface in the IPsec configuration to the interface or virtual IP you want the IPsec to connect from and listen on (and that the other side is expecting to connect with).
                      >
                      > Those are really the only two changes from a "normal" config that I can see.
                      >
                      > Resetting to factory should be fine, as long as all the changes you've made were using the webAdmin and you haven't been making changes using the command line.  If you've been doing that, I'd reinstall.

                      OK, I can do it, because I have used only the webAdmin.
                      I have some problems understanding the rest of your post, but I'll try to proceed step by step.

                      When must I pass from automatic NAT to manual outbound NAT rules?
                      1- set WAN interface and LAN interface + virtual IP
                      2- add OPT1 for the logical interface
                      3- add VLAN3 and assign it to a logical interface OPT3
                      4- change from "automatic outbound NAT rule" to "manual outbound NAT rule"
                      5- set up the IPsec VPN profile
                      6- I start to pray
                      7- stop praying and start to blaspheme

                      Is it right?

                      • Derelict LAYER 8 Netgate

                        4.5- edit the manual outbound NAT rules, setting both LAN3 rules to a "NAT Address" of ippublic2.

