Inbound NAT to an L2TP client



  • I have a Synology NAS behind a NAT that I want to manage from outside. I cannot administer the devices on this network, so a local port forward is impossible.

    My idea: connect the NAS with an L2TP-over-IPsec VPN to my offsite pFsense server, and set up a port forward there. Then I will be able to reach the NAS from the LAN behind pFsense and from outside through the port forward.

    pFsense WAN interface: 4.4.4.4
    pFsense LAN interface: 10.2.2.1 (10.2.2.0/24)
    L2TP server address: 10.2.2.199
    L2TP clients: 10.2.2.200-220
    NAS: 10.2.2.00

    The VPN connection works like a charm, but the port forward doesn't because the NAS has a different gateway. I read a lot, and tried to set up an outbound NAT rule (inbound actually :) ), but it didn't help.

    The port forward rule:

    Interface: WAN
    Protocol: TCP
    Source: any
    Destination: WAN address
    Destination port: 22
    Redirect target IP: 10.2.2.200
    Redirect target port: 22
    

    If I do not do anything else, the traffic on the VPN interface of the NAS looks like this:

    (I connect from 1.2.3.4 to 4.4.4.4:22)

    IP 1.2.3.4.49708 > 10.2.2.200.22: Flags [S], seq 318071338, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 984915754 ecr 0,sackOK,eol], length 0
    IP 1.2.3.4.49708 > 10.2.2.200.22: Flags [S], seq 318071338, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 984916754 ecr 0,sackOK,eol], length 0
    IP 1.2.3.4.49708 > 10.2.2.200.22: Flags [S], seq 318071338, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 984917755 ecr 0,sackOK,eol], length 0
    
    ...and the NAS answered on another interface. Yes, I know, this is normal because it uses a different gateway, but the port forward rule seems to work :)
    
    So, then I added an "outbound NAT rule" for inbound NAT  ;)
    
    Interface: L2TP VPN
    Protocol: TCP
    Source: any
    Destination: network, 10.2.2.200/32, port 22
    Address: Interface Address
    Port: -
    Static port: no
    
    The traffic is changed as follows:
    
    IP 10.2.2.199.49763 > 10.2.2.200.22: Flags [S], seq 3722707245, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 985742941 ecr 0,sackOK,eol], length 0
    IP 10.2.2.200.22 > 10.2.2.199.49763: Flags [S.], seq 1324088540, ack 3722707246, win 14480, options [mss 1460,sackOK,TS val 25439268 ecr 985742941,nop,wscale 6], length 0
    IP 10.2.2.200.22 > 10.2.2.199.49763: Flags [S.], seq 1324088540, ack 3722707246, win 14480, options [mss 1460,sackOK,TS val 25439368 ecr 985742941,nop,wscale 6], length 0
    IP 10.2.2.199.49763 > 10.2.2.200.22: Flags [S], seq 3722707245, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 985743941 ecr 0,sackOK,eol], length 0
    ...
    ...
    
    So, pFsense has replaced my source address with the L2TP interface address (10.2.2.199), which is good. But the connection doesn't work, and timed out after 15-20 sec :( I tried to capture the traffic on my side, but pFsense didn't forward these packets to the original source address (1.2.3.4). What went wrong?
    
    Thanks in advance for any help with this issue.
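The two captures in the post show two distinct handshake failure patterns: the first (SYN repeated, no reply on the VPN interface) is the asymmetric-routing symptom, the second (SYN-ACK arrives, yet the same SYN is retransmitted) shows that pfSense is not translating the reply back to the client. The following added example (not from the post or from pfSense) parses tcpdump text lines in that shape and classifies a capture into one of those patterns; the capture strings are constructed to mirror the post's excerpts, and the `HEALTHY` capture is constructed as a control.

```python
import re

# Constructed captures in the shape of the two tcpdump excerpts in the post
# (handshake fields only; option lists dropped). HEALTHY is a constructed control.
BEFORE_OUTBOUND_NAT = """
IP 1.2.3.4.49708 > 10.2.2.200.22: Flags [S], seq 318071338, win 65535, length 0
IP 1.2.3.4.49708 > 10.2.2.200.22: Flags [S], seq 318071338, win 65535, length 0
IP 1.2.3.4.49708 > 10.2.2.200.22: Flags [S], seq 318071338, win 65535, length 0
"""
AFTER_OUTBOUND_NAT = """
IP 10.2.2.199.49763 > 10.2.2.200.22: Flags [S], seq 3722707245, win 65535, length 0
IP 10.2.2.200.22 > 10.2.2.199.49763: Flags [S.], seq 1324088540, ack 3722707246, win 14480, length 0
IP 10.2.2.200.22 > 10.2.2.199.49763: Flags [S.], seq 1324088540, ack 3722707246, win 14480, length 0
IP 10.2.2.199.49763 > 10.2.2.200.22: Flags [S], seq 3722707245, win 65535, length 0
"""
HEALTHY = """
IP 10.2.2.199.49763 > 10.2.2.200.22: Flags [S], seq 100, win 65535, length 0
IP 10.2.2.200.22 > 10.2.2.199.49763: Flags [S.], seq 500, ack 101, win 14480, length 0
IP 10.2.2.199.49763 > 10.2.2.200.22: Flags [.], ack 501, win 65535, length 0
"""
# tcpdump "IP a.b.c.d.port > e.f.g.h.port: Flags [..], seq N, ack M" line shape
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?"
)

def parse(capture):
    """Parse tcpdump text lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, capture.strip().splitlines()) if m]

def diagnose(capture):
    """Classify one port-forwarded TCP handshake as seen on the firewall-side interface.
    'no-reply-on-this-path': SYN repeats, no SYN-ACK here -> server replies via another gateway
    'reply-not-relayed':     SYN-ACK acknowledging our SYN arrives, yet the same SYN is
                             retransmitted afterwards -> reply never reached the client
    'handshake-ok':          the third-packet ACK was seen"""
    pkts = parse(capture)
    syns = [i for i, p in enumerate(pkts) if p["flags"] == "S"]
    synacks = [i for i, p in enumerate(pkts) if p["flags"] == "S."]
    if not syns:
        return "inconclusive"
    if not synacks:
        return "no-reply-on-this-path"
    if any(p["flags"] == "." and p["ack"] for p in pkts[synacks[0]:]):
        return "handshake-ok"
    syn_seq = pkts[syns[0]]["seq"]
    acked = any(int(pkts[i]["ack"]) == int(syn_seq) + 1 for i in synacks)
    if acked and any(i > synacks[0] and pkts[i]["seq"] == syn_seq for i in syns):
        return "reply-not-relayed"
    return "inconclusive"
```

Run `diagnose()` over a capture taken on the L2TP interface of the firewall; the second verdict points at the firewall's reverse translation (state or reply-to handling on that interface) rather than at the NAS.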