Netgate Discussion Forum

    Trouble: Port Forward WAN to IPsec tunnel host

    NAT
    11 Posts 2 Posters 9.2k Views
    mic.bummer

      Hello
      I have a problem.
      Forwarding does not work from the WAN address (office 1) to the IPsec tunnel host (office 2).
      Please tell me what the reason is  :-[
      Thank you! :)

      I'm sorry, I did not find the spoiler :o

      [img]https://pp.vk.me/c638021/v638021615/664e/e8Nku_h_Xbs.jpg


      Derelict LAYER 8 Netgate

        When the traffic from the internet host is forwarded to an IPsec host, it does not match the phase 2 traffic selector because the source address is the internet address.

        Only traffic between 10.0.0.0/24 and 10.20.21.0/24 is "interesting" to IPsec.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        mic.bummer

          @Derelict:

          When the traffic from the internet host is forwarded to an IPsec host, it does not match the phase 2 traffic selector because the source address is the internet address.

          Only traffic between 10.0.0.0/24 and 10.20.21.0/24 is "interesting" to IPsec.

          Can I use a different VPN method?

          Derelict LAYER 8 Netgate

            You can do this with OpenVPN.

            This is an example of forwarding ssh requests from the internet over OpenVPN to a destination server:

            https://forum.pfsense.org/index.php?topic=82732.msg453269#msg453269

            mic.bummer
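The two replies above make one technical point each: a WAN port forward toward an IPsec host fails because IPsec only encrypts packets whose source and destination both fall inside a phase 2 traffic selector (10.0.0.0/24 to 10.20.21.0/24 here), while a routed OpenVPN tunnel picks its path from the destination alone, so the forwarded packet's internet source address does not matter. The Python below is an added illustration of that difference, not code from the thread or from pfSense: the selector pair comes from Derelict's post, while the target host 10.20.21.10, the internet client 203.0.113.5, the interface names and the whole routing table are constructed for the example. It also goes one step beyond the thread with the `snat_to` parameter, which models rewriting the source address to an office 1 address before the packet reaches IPsec; that is shown only to make the selector rule concrete, not as advice from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Phase2Selector:
    """One IPsec phase 2 entry: a packet is 'interesting' only if its source is in
    `local` and its destination is in `remote`."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


# Constructed from the thread: office 1 LAN 10.0.0.0/24, office 2 LAN 10.20.21.0/24.
SELECTORS: List[Phase2Selector] = [
    Phase2Selector(ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.20.21.0/24")),
]

# Constructed routing table for the OpenVPN variant. Interface names are assumptions,
# not pfSense's real interface names.
ROUTES: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
    (ipaddress.ip_network("10.0.0.0/24"), "lan"),
    (ipaddress.ip_network("10.20.21.0/24"), "openvpn"),  # route learned from the site-to-site tunnel
]


def ipsec_matches(selectors: Iterable[Phase2Selector], src: str, dst: str) -> bool:
    """True if the (src, dst) pair falls inside any phase 2 selector."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sel.local and d in sel.remote for sel in selectors)


def forwarded_over_ipsec(src: str, dst: str, snat_to: Optional[str] = None) -> bool:
    """Simulate a WAN port forward toward an IPsec host.

    The port forward has already rewritten the destination to the office 2 host,
    but the source is still the internet client's address, so the pair falls
    outside the selector. `snat_to` (an extension not discussed in the thread)
    models additionally rewriting the source to an office 1 address.
    """
    effective_src = snat_to if snat_to is not None else src
    return ipsec_matches(SELECTORS, effective_src, dst)


def route_lookup(routes: Iterable[Tuple[ipaddress.IPv4Network, str]], dst: str) -> Optional[str]:
    """Longest-prefix match: a routed (OpenVPN) tunnel is chosen by destination alone."""
    d = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, iface in routes:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


if __name__ == "__main__":
    internet_client = "203.0.113.5"   # constructed documentation address
    target = "10.20.21.10"            # assumed RDP host in office 2
    print("IPsec, forwarded from internet:", forwarded_over_ipsec(internet_client, target))  # False
    print("IPsec, from office 1 LAN:      ", forwarded_over_ipsec("10.0.0.50", target))      # True
    print("OpenVPN route for forwarded pkt:", route_lookup(ROUTES, target))                  # openvpn
```

Running it shows the asymmetry the thread turns on: the same forwarded packet is rejected by the selector check but is simply routed into the OpenVPN interface, which is why Derelict's later diagnostic (a packet capture on the OpenVPN interface for the target host and port) is the right place to look when the OpenVPN variant still fails.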

              @Derelict:

              You can do this with OpenVPN.

              This is an example of forwarding ssh requests from the internet over OpenVPN to a destination server:

              https://forum.pfsense.org/index.php?topic=82732.msg453269#msg453269

              I made the settings according to the recommendations.
              Forwarding to the WAN of office 1 does not work  :(
              Please tell me where I could be wrong?

              Many thanks!

              Attachments: 1.jpg, 2.jpg, 4.jpg, 5.jpg, 6.jpg

                Derelict LAYER 8 Netgate

                Are there any rules on the OpenVPN tab next to OPT1?

                If so, delete or disable them.

                As soon as there are no rules on OpenVPN, do a Diagnostics > Packet Capture on that OPT1 interface using host address 10.10.21.10 port 3389 and try a couple of times. What do you see there?

                  mic.bummer

                  @Derelict:

                  Are there any rules on the OpenVPN tab next to OPT1?

                  If so, delete or disable them.

                  As soon as there are no rules on OpenVPN, do a Diagnostics > Packet Capture on that OPT1 interface using host address 10.10.21.10 port 3389 and try a couple of times. What do you see there?

                  Tried 2-4 attempts for 3-5 minutes  :o

                  Attachments: 1.jpg, 2.JPG, 3.JPG

                    Derelict LAYER 8 Netgate

                    Then the traffic is not making it that far.

                    Post your OpenVPN configs on both sides.

                      mic.bummer

                      @Derelict:

                      Then the traffic is not making it that far.

                      Post your OpenVPN configs on both sides.

                      Attachments: Office1(openvpnserver).jpg, Office1(openvpnclient).jpg

                        mic.bummer

                        @Derelict:

                        You can do this with OpenVPN.

                        This is an example of forwarding ssh requests from the internet over OpenVPN to a destination server:

                        https://forum.pfsense.org/index.php?topic=82732.msg453269#msg453269

                        I re-read your statement, and I have everything working!!
                        Excellent!!
                        Thank you very much!

                          Derelict LAYER 8 Netgate

                          Outstanding. Thanks.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.