Extending the Azure P2S VPN capabilities with Outbound NAT



  • Hi, I'm by no means a networking expert and have zero experience with the pfSense appliance!

    As I understand it, the Azure P2S VPN gateway does not support "Source NAT" or "Outbound Proxy", and I am looking to mitigate this deficiency by adding a pfSense appliance to the configuration.

    Based on this prior example, if I have the following setup:

    • a P2S VPN established to an Azure VNET

    • a route added to the client routing table specifying the VPN tunnel as the next hop for a known public IP address

    • a pfSense appliance configured in the VNET (in a different subnet from the VPN Gateway), with a static public IP and IP forwarding enabled

    • a User Defined Route for the public IP address with the pfSense appliance as the next hop

    What configuration would I need on the pfSense to ensure that traffic gets routed outbound to the known public IP address with the pfSense appliance's IP as the source (as seen by the connection to the public IP)?

    I saw this https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel but the "site A" branch is a laptop anywhere on the internet using the Azure P2S VPN; given the above, can I assume I just need to apply the "Configure outbound NAT" section?

    As a specific example, Azure hosts Azure SQL databases, and developers need to connect to them from wherever they are located, and the DB has a firewall that allows connections from specific IP address ranges. Azure publishes its regional public IP subnets, and given the above one can load these as applicable into the client routing table and the UDR (per #2 and #4 above); as DNS resolves the IP, the traffic will route as expected… is this a correct assumption?

    All help appreciated!
    -Simon
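
The procedure described in the post (client route into the tunnel, UDR to the appliance, outbound NAT on pfSense) as an added worked example; this is not part of the original post, nor Netgate's or Microsoft's own code. It assumes hypothetical values: a P2S client pool of 172.16.201.0/24, a pfSense VM at 10.0.2.4 in its own subnet, the interface name hn0 (what pfSense sees for the Hyper-V NIC on Azure), a resource group rg-vpn, and a constructed service-tag JSON in the shape of Azure's published ServiceTags_Public file using documentation IP ranges, not real Azure SQL ranges. From that it generates the Azure CLI commands for the UDR, the PowerShell routes for the client, and the pf rules that correspond to the "Configure outbound NAT" step. Two points the post leaves open are built into the comments: the route table belongs on the GatewaySubnet, where P2S traffic enters the VNET, and must not be associated with pfSense's own subnet (otherwise pfSense's post-NAT traffic to the same prefix would be sent back to itself); and because Azure maps an instance-level public IP to the NIC's private address 1:1 in the fabric, the pfSense NAT rule translates to the interface address and the SQL firewall sees the static public IP.

```python
"""Route and NAT generation for hairpinning Azure P2S clients through a pfSense NAT VM.

Added example, not from the original post. All names and addresses are hypothetical.
"""
from __future__ import annotations

import ipaddress
import json

# ---- Assumed deployment values (hypothetical; substitute your own) ----
P2S_CLIENT_POOL = "172.16.201.0/24"   # client address pool configured on the P2S gateway
PFSENSE_PRIVATE_IP = "10.0.2.4"       # pfSense NIC address in its own subnet (not GatewaySubnet)
PFSENSE_IFACE = "hn0"                 # Hyper-V netvsc interface name as seen by pfSense on Azure (assumed)
RESOURCE_GROUP = "rg-vpn"
ROUTE_TABLE = "rt-gatewaysubnet"
VNET = "vnet-hub"

# Constructed sample in the shape of Azure's published ServiceTags_Public JSON.
# Prefixes are RFC 5737/3849 documentation ranges, not real Azure SQL ranges.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "Sql.WestEurope", "id": "Sql.WestEurope",
         "properties": {"region": "westeurope", "addressPrefixes": [
             "203.0.113.0/26", "198.51.100.64/27", "2001:db8::/48"]}},
        {"name": "Sql.NorthEurope", "id": "Sql.NorthEurope",
         "properties": {"region": "northeurope", "addressPrefixes": ["192.0.2.0/25"]}},
    ],
})


def sql_prefixes(service_tags_json: str, region: str) -> list[str]:
    """IPv4 prefixes of the Sql.<region> service tag, collapsed and sorted.

    IPv6 prefixes are dropped: the P2S pool and this NAT path are IPv4 only.
    """
    tag = f"sql.{region}".lower()
    doc = json.loads(service_tags_json)
    nets = []
    for entry in doc["values"]:
        if entry["name"].lower() != tag:
            continue
        for prefix in entry["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(prefix, strict=True)
            if net.version == 4:
                nets.append(net)
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def udr_commands(prefixes: list[str], rg: str = RESOURCE_GROUP, table: str = ROUTE_TABLE,
                 next_hop: str = PFSENSE_PRIVATE_IP, vnet: str = VNET,
                 gateway_subnet: str = "GatewaySubnet") -> list[str]:
    """Azure CLI: one UDR per prefix with the pfSense VM as VirtualAppliance next hop.

    The table is associated with the GatewaySubnet, where P2S client traffic enters the
    VNET. Never associate it with pfSense's own subnet: after NAT, pfSense sends to the
    same prefix and that route would loop the packet back to pfSense. Never put a
    0.0.0.0/0 route in a table on the GatewaySubnet; it breaks the gateway itself.
    """
    cmds = [f"az network route-table create -g {rg} -n {table}"]
    for prefix in prefixes:
        name = "sql-" + prefix.replace(".", "-").replace("/", "-")
        cmds.append(
            f"az network route-table route create -g {rg} --route-table-name {table} -n {name} "
            f"--address-prefix {prefix} --next-hop-type VirtualAppliance --next-hop-ip-address {next_hop}"
        )
    cmds.append(f"az network vnet subnet update -g {rg} --vnet-name {vnet} -n {gateway_subnet} "
                f"--route-table {table}")
    # IP forwarding on the pfSense NIC is also required; NIC name is hypothetical.
    cmds.append(f"az network nic update -g {rg} -n nic-pfsense --ip-forwarding true")
    return cmds


def client_route_commands(prefixes: list[str], vpn_if_index: int) -> list[str]:
    """Windows PowerShell routes on the P2S client (step 2 of the post).

    Each SQL prefix is made on-link via the VPN adapter (ifIndex from Get-NetAdapter,
    assumed here), so the client sends it into the tunnel rather than out its local gateway.
    """
    return [f"New-NetRoute -DestinationPrefix {p} -InterfaceIndex {vpn_if_index}" for p in prefixes]


def pfsense_rules(prefixes: list[str], pool: str = P2S_CLIENT_POOL,
                  iface: str = PFSENSE_IFACE) -> list[str]:
    """pf syntax equivalent of the GUI's Hybrid outbound NAT mapping plus an interface pass rule.

    With a single NIC, pfSense receives from and sends to the same interface. "-> (iface)"
    translates the source to the NIC's private address; Azure then rewrites that 1:1 to the
    VM's static public IP, which is what the Azure SQL firewall sees. Azure SQL uses TCP 1433
    (proxy) and 11000-11999 (redirect). pfSense itself builds these from the GUI entries.
    """
    rules = []
    for prefix in prefixes:
        rules.append(f"nat on {iface} from {pool} to {prefix} -> ({iface})")
        rules.append(f"pass in quick on {iface} inet proto tcp from {pool} to {prefix} "
                     f"port {{ 1433, 11000:11999 }}")
    return rules


if __name__ == "__main__":
    prefixes = sql_prefixes(SAMPLE_SERVICE_TAGS, "westeurope")
    for line in (udr_commands(prefixes)
                 + client_route_commands(prefixes, vpn_if_index=23)
                 + pfsense_rules(prefixes)):
        print(line)
```

Replace SAMPLE_SERVICE_TAGS with the current downloaded service-tag file and the region of the SQL server; the return path needs no extra configuration on pfSense because Azure installs a system route for the P2S client pool pointing at the VPN gateway in every subnet, including pfSense's.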



  • 216 views but no replies, anyone have any ideas?



  • It's been a while, and given 775 views and no replies, I guess I'm barking up the wrong tree… does no one from pfSense have any comments?