    Inbound NAT to an L2TP client
      Chal

      I have a Synology NAS behind a NAT that I want to manage from outside. I cannot administer the devices on this network, so a local port forward is impossible.

      My idea: connect the NAS with an L2TP-over-IPsec VPN to my offsite pfSense server, and set up a port forward there. Then I will be able to reach the NAS from the LAN behind pfSense and from outside through the port forward.

      pfSense WAN interface: 4.4.4.4
      pfSense LAN interface: 10.2.2.1 (10.2.2.0/24)
      L2TP server address: 10.2.2.199
      L2TP clients: 10.2.2.200-220
      NAS: 10.2.2.00

      The VPN connection works like a charm, but the port forward doesn't because the NAS has a different gateway. I read a lot, and tried to set up an outbound NAT rule (inbound actually :) ), but it didn't help.

      The port forward rule:

      [code]Interface: WAN
      Protocol: TCP
      Source: any
      Destination: WAN address
      Destination port: 22
      Redirect target IP: 10.2.2.200
      Redirect target port: 22[/code]
      

      If I do not do anything else, the traffic on the VPN interface of the NAS looks like this:

      (I connect from 1.2.3.4 to 4.4.4.4:22)

      [code]IP 1.2.3.4.49708 > 10.2.2.200.22: Flags [S], seq 318071338, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 984915754 ecr 0,sackOK,eol], length 0
      IP 1.2.3.4.49708 > 10.2.2.200.22: Flags [S], seq 318071338, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 984916754 ecr 0,sackOK,eol], length 0
      IP 1.2.3.4.49708 > 10.2.2.200.22: Flags [S], seq 318071338, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 984917755 ecr 0,sackOK,eol], length 0[/code]
      
      ...and the NAS answered on another interface. Yes, I know, this is normal because it uses a different gateway, but the port forward rule seems to work :)
      
      So, then I added an "outbound NAT rule" for inbound NAT ;)
      
      [code]Interface: L2TP VPN
      Protocol: TCP
      Source: any
      Destination: network, 10.2.2.200/32, port 22
      Address: Interface Address
      Port: -
      Static port: no[/code]
      
      The traffic is changed as follows:
      
      [code]IP 10.2.2.199.49763 > 10.2.2.200.22: Flags [S], seq 3722707245, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 985742941 ecr 0,sackOK,eol], length 0
      IP 10.2.2.200.22 > 10.2.2.199.49763: Flags [S.], seq 1324088540, ack 3722707246, win 14480, options [mss 1460,sackOK,TS val 25439268 ecr 985742941,nop,wscale 6], length 0
      IP 10.2.2.200.22 > 10.2.2.199.49763: Flags [S.], seq 1324088540, ack 3722707246, win 14480, options [mss 1460,sackOK,TS val 25439368 ecr 985742941,nop,wscale 6], length 0
      IP 10.2.2.199.49763 > 10.2.2.200.22: Flags [S], seq 3722707245, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 985743941 ecr 0,sackOK,eol], length 0
      ...
      ...
      
      So, pfSense has replaced my source address with the L2TP interface address (10.2.2.199), which is good. But the connection doesn't work, and timed out after 15-20 sec :( I tried to capture the traffic on my side, but pfSense didn't forward these packages to the original source address (1.2.3.4). What went wrong?
      
      Thanks in advance for any help with this issue.
      
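As an added example (not part of the post, and not pfSense code), here is a small Python checker for tcpdump lines like the two captures above. It groups packets into client-to-server flows and classifies each handshake, which mechanically separates the two failure modes seen in the post: SYNs with no reply on the VPN interface (the NAS answered via its other gateway) versus SYN-ACKs that the client never acknowledges (the translated reply is not getting back to the original source). The regex assumes tcpdump's default "IP src.port > dst.port: Flags [..], seq N" layout; the sample lines are constructed from the post's captures.

```python
import re
from collections import defaultdict

# Matches tcpdump -n TCP lines as shown in the post (assumption: tcpdump's
# "IP src.port > dst.port: Flags [..], seq N" layout). Flags are upper-cased
# because the forum rendering showed a lowercase 's' where tcpdump prints 'S'.
LINE_RE = re.compile(r"^IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): Flags \[([^\]]*)\], seq (\d+)")

def analyse_handshakes(lines):
    """Classify each client->server 3-way handshake seen in capture lines.
    Returns {(client, cport, server, sport): (state, syn_retransmits)}, state being
    'syn-only' (no SYN-ACK on this interface: the reply went out another gateway),
    'syn-synack' (SYN-ACK seen but never ACKed: the reply was not delivered back), or
    'established' (the client's ACK was seen)."""
    flows = defaultdict(lambda: {"syn": 0, "seqs": set(), "synack": 0, "ack": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:  # tcpdump chatter or the post's "..." lines
            continue
        src, sport, dst, dport, flags, seq = m.groups()
        fwd, rev = (src, int(sport), dst, int(dport)), (dst, int(dport), src, int(sport))
        flags = flags.upper()
        if flags == "S":
            flows[fwd]["syn"] += 1
            flows[fwd]["seqs"].add(int(seq))  # same seq seen again == retransmission
        elif flags == "S.":
            flows[rev]["synack"] += 1  # server's answer, keyed by the client side
        elif flags == "." and fwd in flows:
            flows[fwd]["ack"] += 1  # bare ACK from the client completes the handshake
    out = {}
    for key, c in flows.items():
        state = "syn-only" if not c["synack"] else ("syn-synack" if not c["ack"] else "established")
        out[key] = (state, c["syn"] - len(c["seqs"]))
    return out

# Constructed samples: the post's two captures, trimmed to the fields parsed above.
CAPTURE_NO_OUTBOUND_NAT = [
    "IP 1.2.3.4.49708 > 10.2.2.200.22: Flags [S], seq 318071338, win 65535, length 0",
] * 3  # three identical SYNs: the NAS replied via its own gateway, not over the VPN
CAPTURE_WITH_OUTBOUND_NAT = [
    "IP 10.2.2.199.49763 > 10.2.2.200.22: Flags [S], seq 3722707245, win 65535, length 0",
    "IP 10.2.2.200.22 > 10.2.2.199.49763: Flags [S.], seq 1324088540, ack 3722707246, length 0",
    "IP 10.2.2.200.22 > 10.2.2.199.49763: Flags [S.], seq 1324088540, ack 3722707246, length 0",
    "IP 10.2.2.199.49763 > 10.2.2.200.22: Flags [S], seq 3722707245, win 65535, length 0",
    "...",
]
```

Running `analyse_handshakes` over a capture taken on the L2TP interface and on the WAN interface at the same time shows which hop drops the return half of the translated connection.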