4. Inbound NAT to an L2TP client

Inbound NAT to an L2TP client

  • C

    I have a Synology NAS behind a NAT that I want to manage from outside. I can not administer the devices on this network, so the local port forward is impossible.

    My idea: connect the NAS with l2tp-over-ipsec VPN to my offsite pFsense server, and I setup a port forward here. Then I will able to reach the NAS from the LAN behind pFsense and from outside through the port forward.

    pFsense WAN interface: 4.4.4.4
    pFsense LAN interface: 10.2.2.1 (10.2.2.0/24)
    L2TP server address: 10.2.2.199
    L2TP clients: 10.2.2.200-220
    NAS: 10.2.2.00

    The VPN connection works like a charm, but the port forward doesn't because the NAS has different gateway. I read a lot, and tried to setup an outbound NAT rule (inbound actually :) ), but it didn't help.

    The port forward rule:

    Interface: WAN
Protocol: TCP
Source: any
Destination: WAN address
Destination port: 22
Redirect target IP: 10.2.2.200
Redirect target port: 22

    If I do not do anything else, the traffic on the VPN interface of the NAS looks like this:

    (I connect from 1.2.3.4 to 4.4.4.4:22)

    IP 1.2.3.4.49708 > 10.2.2.200.22: Flags [s], seq 318071338, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 984915754 ecr 0,sackOK,eol], length 0
IP 1.2.3.4.49708 > 10.2.2.200.22: Flags [s], seq 318071338, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 984916754 ecr 0,sackOK,eol], length 0
IP 1.2.3.4.49708 > 10.2.2.200.22: Flags [s], seq 318071338, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 984917755 ecr 0,sackOK,eol], length 0

...and the NAS answered on another interface. Yes, I know, this is normal because it uses different gateway, but the port forward rule seems to work :)

So, then I added an "outbound NAT rule" for inbound NAT  ;)

[code]Interface: L2TP VPN
Protocol: TCP
Source: any
Destination: network, 10.2.2.200/32, port 22
Address: Interface Address
Port: -
Static port: no[/code]

The traffic is changed as follows:

[code]IP 10.2.2.199.49763 > 10.2.2.200.22: Flags [s], seq 3722707245, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 985742941 ecr 0,sackOK,eol], length 0
IP 10.2.2.200.22 > 10.2.2.199.49763: Flags [S.], seq 1324088540, ack 3722707246, win 14480, options [mss 1460,sackOK,TS val 25439268 ecr 985742941,nop,wscale 6], length 0
IP 10.2.2.200.22 > 10.2.2.199.49763: Flags [S.], seq 1324088540, ack 3722707246, win 14480, options [mss 1460,sackOK,TS val 25439368 ecr 985742941,nop,wscale 6], length 0
IP 10.2.2.199.49763 > 10.2.2.200.22: Flags [s], seq 3722707245, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 985743941 ecr 0,sackOK,eol], length 0
...
...

So, pFsense has replaced my source address to the L2TP interface address (10.2.2.199), it is good. But the connection doesn't work, and timed out after 15-20 sec :( I tried to capture the traffic on my side, but pFsense didn't forward these packages to the original source address (1.2.3.4).  What went wrong?

Thanks in advance for any help with this issue.
[/s][/s][/code][/s][/s][/s]
    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy