IPSEC behind NAT

jlevesque

Hi,

I have some problems and no clues on how to solve them

One of our remote sites is using a Wireless ISP, he installed an antenna, and put our firewall in it's "DMZ"

I'm still receiving a private IP behind the antenna, put all traffic is FW to my firewall.

Then i configure ipsec, tunnel goes up, but i'm having some problems passing traffic into it.

After some research, i concluded it's related to stateful traffic.

Ping is going through, but not some shared folder, http, etc. when i check the firewall logs, it's blocking some tcp:ra, etc. so i think the setup is screwing the traffic.

is there something to fix for those kind of setup?
I had some problems with another customer and disabling NAT-T did the trick (was on a fortigate) i think somehow the pfsense is detecting NAT but since i'm in the dmz there is no need for it but i can't disable it.

thanks!

jjj

@jlevesque:

I'm still receiving a private IP behind the antenna…. i think somehow the pfsense is detecting NAT but since i'm in the dmz there is no need for it but i can't disable it.

Being in the DMZ doesn't remove NAT unless your DMZ has public IP addressing (i.e. dual firewalls). Depending on your firewall, putting a node in the DMZ either forwards all ports from the public IP to that internal address…or does nothing besides put it in a separate, (typically) more restricted private network.

jlevesque

according to the WISP, it's is prefered alternative instead of the bridge mode, which gave i'm some problems

I'm still trying to solve this

I tried openvpn tunnel, same thing.