1:1 NAT + Outbound NAT over VPN - issue on WAN gateway
-
Hello everyone,
I'm facing this strange issue with a single device which is the 192.168.2.1 gateway.
- I'm accessing from position USER.
- I have correct routes to VPN Server as remote access user.
- Blue pfSense is site to site client on grey pfSense VPN Server. Routes ok.
- 1:1 NAT on VPN interface from 192.168.36.0/24 -> 192.168.2.0/24
- Outbound NAT network 192.168.2.0/24 to translate to WAN address.
Device 192.168.2.17 has gateway 2.200 (modem A). I can access it over VPN with 1:1 translation by typing 192.168.36.17, and 192.168.36.200 is also working.
Device 192.168.2.102 has gateway 2.1 (modem B). I can access it over VPN with 1:1 translation by typing 192.168.36.102, BUT access to modem B via 192.168.36.1 IS NOT working.
I can't understand where the problem is, since all devices are working but this specific device is not; it times out and then I have in the browser:
http://192.168.2.1/html/index.html?origin=aHR0cDovLzE5Mi4xNjguMzYuMS8=
http://192.168.2.1/html/index.html?url=192.168.2.1
This 4G modem is the one used for VPN to the VPN Server.
The other 4G modem on 192.168.2.200 is accessible via 192.168.36.200!
Is it a device issue? Locally from LAN35 it can successfully reach 192.168.2.1 outbound. Any comments appreciated, I don't know what else to try. Diagram for better view:
-
@bambos said in 1:1 NAT + Outbound NAT over VPN - issue on WAN gateway:
I can't understand where is the problem, since all devices are working, but this specific device not, it times out and then i have in the browser:
http://192.168.2.1/html/index.html?origin=aHR0cDovLzE5Mi4xNjguMzYuMS8=
http://192.168.2.1/html/index.html?url=192.168.2.1
Looks to me as if your browser is redirected by the web server to 192.168.2.1.
To analyse this you can load the page in the debugger mode of your browser (F12, then select the Network tab). I assume you will see redirections (code 301 or 302) to 192.168.2.1.
Why are you doing this with 1:1 NAT instead of simply setting the correct route for 192.168.2.0/24?
-
@viragomann Hello my friend.
The reason I'm trying to do this with 1:1 NAT is that there are many sites with the same LAN IP range, 192.168.2.0/24, and I need to avoid conflicts.
BUT, I have set the routes on LAN2 directly without 1:1 NAT translation and I'm able to access 192.168.2.1 with no issues. So it is clearly a 1:1 NAT issue with this specific device.
-
@bambos
It's on the destination device.
If its web server redirects the browser to its real IP you're lost with NAT on the client.
You may type in 192.168.36.1, but the server tells the browser to call 192.168.2.1, which you have no route for.
-
@viragomann Thank you Sir, I'm avoiding 1:1 NAT on new installations, but sometimes there are issues like that.
Next step is to use a LAN port on the pfSense firewall to "reproduce" the 2.1 gateway and put the modem on a dedicated port as WAN on another range. This way I think it will be OK because the outbound traffic will not be translated.
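The diagnosis in this thread (the modem's web server redirecting the browser to its real, untranslated address) can be checked without a browser. The following is an added example, not code from the thread or from pfSense: it models the 1:1 NAT mapping 192.168.36.0/24 -> 192.168.2.0/24 stated in the first post, parses a 3xx response, flags a Location header that points into the untranslated LAN, decodes the base64 `origin=` parameter the modem appends, and rewrites the redirect target back through the NAT. The sample HTTP response is constructed to resemble the URLs posted above and is not a real capture; the `probe()` helper, which fetches a URL without following redirects, is an assumption about how one would run this against a live device and is not exercised offline.

```python
"""
Added example (not from the forum thread): detect an HTTP redirect that escapes a
1:1 NAT mapping, the failure mode discussed above.

Assumptions: the 1:1 NAT maps 192.168.36.0/24 (VPN-facing) onto 192.168.2.0/24
(the remote LAN). SAMPLE_RESPONSE below is constructed for illustration.
"""
from __future__ import annotations

import base64
import ipaddress
from urllib.parse import parse_qs, urljoin, urlsplit, urlunsplit

EXTERNAL_NET = ipaddress.ip_network("192.168.36.0/24")  # what the VPN user types
INTERNAL_NET = ipaddress.ip_network("192.168.2.0/24")   # real LAN behind the 1:1 NAT

# Constructed 302 response, modelled on the URLs in the thread; not a real capture.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://192.168.2.1/html/index.html?origin=aHR0cDovLzE5Mi4xNjguMzYuMS8=\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def translate(ip: str, src: ipaddress.IPv4Network, dst: ipaddress.IPv4Network) -> str:
    """1:1 NAT semantics: keep the host part, swap the network part."""
    addr = ipaddress.ip_address(ip)
    if addr not in src:
        raise ValueError(f"{ip} is not in {src}")
    host_bits = int(addr) - int(src.network_address)
    return str(dst.network_address + host_bits)


def decode_origin(url: str) -> str | None:
    """The modem's login page carries the originally requested URL base64-encoded in ?origin=."""
    qs = parse_qs(urlsplit(url).query)
    if "origin" not in qs:
        return None
    return base64.b64decode(qs["origin"][0]).decode()


def parse_status_and_location(raw: bytes) -> tuple[int, str | None]:
    """Minimal HTTP response header parser: status code and Location header, if any."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def analyse_redirect(requested_url: str, location: str) -> dict:
    """Classify a redirect target relative to the 1:1 NAT.

    reachable is False when the server leaked its real LAN address (the VPN client
    has no route for it); fixed_url is then the same URL translated back through
    the NAT, i.e. what the browser would have needed to request instead.
    """
    target = urlsplit(urljoin(requested_url, location))  # handles relative Locations
    host = target.hostname
    result = {"target_host": host, "reachable": True, "fixed_url": None,
              "origin": decode_origin(location)}
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return result  # hostname rather than an IP: outside this check's scope
    if addr in INTERNAL_NET:
        result["reachable"] = False
        fixed_host = translate(host, INTERNAL_NET, EXTERNAL_NET)
        result["fixed_url"] = urlunsplit(target._replace(netloc=target.netloc.replace(host, fixed_host, 1)))
    return result


def probe(url: str, timeout: float = 5.0) -> tuple[int, str | None]:
    """Fetch url and return (status, Location) without following the redirect.

    http.client never follows redirects, unlike urllib.request, so the first hop is visible.
    Assumed usage against a live device; not run offline.
    """
    import http.client
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    conn.request("GET", parts.path or "/", headers={"Host": parts.netloc})
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")


if __name__ == "__main__":
    status, location = parse_status_and_location(SAMPLE_RESPONSE)
    verdict = analyse_redirect("http://192.168.36.1/", location)
    print(f"status={status} location={location}")
    print(f"reachable from VPN side: {verdict['reachable']}")
    print(f"server recorded origin : {verdict['origin']}")
    print(f"translated equivalent  : {verdict['fixed_url']}")
```

For a live check, `probe("http://192.168.36.1/")` returns the first-hop status and Location, which is what the browser's Network tab shows; feeding that Location to `analyse_redirect` tells you whether the device answered with an address inside the untranslated 192.168.2.0/24. The base64 in the thread's URL decodes to `http://192.168.36.1/`, i.e. the modem recorded the NAT address the user typed and still redirected to its own 192.168.2.1, which is why only this device fails while hosts that do not redirect (192.168.36.17, 192.168.36.200) work.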