4. NAT over IPSEC

NAT over IPSEC

  • A

    Hi everyone,

    I've got a problem which I have spent hours trying to figure out but have been unsuccessful.  I hope someone is able to point me in the right direction.

    So here it goes…  :)

    I have two pfSense boxes connected to each other over an IPSEC link, one is at Site A and the other is at Site B, with the following addresses:

    SITE A
    WAN IP: 50.xxx.xxx.122
    LAN: 192.168.2.0/24

    SITE B
    WAN IP: 260.xxx.xxx.77
    LAN: 192.168.1.0/29

    The IPSEC link between both sites works fine and I am able to access the LANs from either site.  In other words, when I am at Site A I can access everything on 192.168.1.0/29  and when I am at Site B I can access everything on 192.168.2.0/24 .

    So, here is my problem:

    I need to be able to get to a machine with LAN IP 192.168.1.4 port 8080 at Site B from the Internet but from Site A's WAN IP.

    What I have done so far, which has obviously not worked is this:

    1. At Site A, I have created a firewall rule on the WAN interface which allows traffic to 192.168.1.4 port 8080.
    2. At Site A, I have created a NAT rule that forwards traffic from the WAN interface to 192.168.1.4  port 8080.

    When I browse to 50.xxx.xxx.122:8080, I don't get connected to 192.168.1.4 at Site B and just get a timeout message.

    Thank you in advance.
    Armen

    0
  • K

    Hi,

    It's not possible. You can see why here https://forum.pfsense.org/index.php?topic=53776.0

    0
  • A

    Hi kholmqvist,

    Thanks for your message.

    I did indeed see that post a few days ago and I was afraid it was going to be the same for me!  :-\

    Maybe my situation is a bit different than that of the gentleman in that post?  I'm just thinking "out loud" here but..

    • The device which will access from the WAN side will have a known IP address (or a couple from a known pool/subnet) so it won't be 0.0.0.0/0

    • The port will always be 8080

    So with these two differences I am hoping I can make it work.

    Again, I could be wrong but I will try and experiment a little with the Phase2 settings and some NAT settings.

    Here's hoping!

    0
  • LAYER 8 Netgate

    You will need phase 2 entries for the "known pool/subnet" between the two sites. Site B will then only be able to access the "known pool/subnet" over IPsec. It will not be able to access it over the internet.

    I just built this and it seems to work. Only tested a port-forwarded ping.

    Or use OpenVPN. It excels at this. All of the talk in that thread about assigned interfaces and reply-to is done and works great.

    0
  • A

    Hi Derelict,

    Thanks for chiming in.

    Yes, I was experimenting with the Phase2 settings and was able to make things work!  :)

    Thanks again everyone for your thoughts and suggestions.

    pfSense rocks!

    Cheers,
    Armen

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy