NAT over IPSEC
I've got a problem which I have spent hours trying to figure out but have been unsuccessful. I hope someone is able to point me in the right direction.
So here it goes… :)
I have two pfSense boxes connected to each other over an IPSEC link, one is at Site A and the other is at Site B, with the following addresses:
WAN IP: 50.xxx.xxx.122
WAN IP: 260.xxx.xxx.77
The IPSEC link between both sites works fine and I am able to access the LANs from either site. In other words, when I am at Site A I can access everything on 192.168.1.0/29 and when I am at Site B I can access everything on 192.168.2.0/24.
So, here is my problem:
I need to be able to get to a machine with LAN IP 192.168.1.4 port 8080 at Site B from the Internet but from Site A's WAN IP.
What I have done so far, which has obviously not worked is this:
- At Site A, I have created a firewall rule on the WAN interface which allows traffic to 192.168.1.4 port 8080.
- At Site A, I have created a NAT rule that forwards traffic from the WAN interface to 192.168.1.4 port 8080.
When I browse to 50.xxx.xxx.122:8080, I don't get connected to 192.168.1.4 at Site B and just get a timeout message.
Thank you in advance.
It's not possible. You can see why here https://forum.pfsense.org/index.php?topic=53776.0
Thanks for your message.
I did indeed see that post a few days ago and I was afraid it was going to be the same for me! :-\
Maybe my situation is a bit different than that of the gentleman in that post? I'm just thinking "out loud" here but...
The device which will access from the WAN side will have a known IP address (or a couple from a known pool/subnet) so it won't be 0.0.0.0/0.
The port will always be 8080
So with these two differences I am hoping I can make it work.
Again, I could be wrong but I will try and experiment a little with the Phase2 settings and some NAT settings.
You will need phase 2 entries for the "known pool/subnet" between the two sites. Site B will then only be able to access the "known pool/subnet" over IPsec. It will not be able to access it over the internet.
I just built this and it seems to work. Only tested a port-forwarded ping.
Or use OpenVPN. It excels at this. All of the talk in that thread about assigned interfaces and reply-to is done and works great.
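To illustrate the Phase 2 point above, here is an added example (not from the thread and not pfSense's own code) that models the IPsec traffic-selector lookup on both gateways, first with only the LAN-to-LAN Phase 2 entries and then with the extra entry for the known client pool. The pool 203.0.113.0/28, the client address 203.0.113.5, and the assumption that the port forward rewrites the destination to 192.168.1.4 before the IPsec policy lookup are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2:
    """One IPsec Phase 2 entry as seen from a gateway: local selector -> remote selector."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def net(cidr):
    return ipaddress.ip_network(cidr)


SITE_A_LAN = net("192.168.2.0/24")
SITE_B_LAN = net("192.168.1.0/29")
CLIENT_POOL = net("203.0.113.0/28")   # constructed stand-in for the "known pool/subnet"
SITE_B_HOST = "192.168.1.4"           # the host behind Site B that should be reached on :8080


def matches_tunnel(spd, src, dst):
    """True if a packet src->dst hits a Phase 2 selector and goes over IPsec; False means plain routing."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in p2.local and d in p2.remote for p2 in spd)


def site_a_port_forward(spd_a, client_ip):
    """Client hits Site A's WAN :8080. Assumption: the port forward rewrites the destination to
    SITE_B_HOST before the IPsec policy lookup, so the selector seen is client_ip -> SITE_B_HOST."""
    return "ipsec" if matches_tunnel(spd_a, client_ip, SITE_B_HOST) else "routed_out_wan"


def site_b_reply(spd_b, client_ip):
    """The reply from SITE_B_HOST back to the client must also match a Phase 2 entry at Site B."""
    return "ipsec" if matches_tunnel(spd_b, SITE_B_HOST, client_ip) else "routed_out_wan"


# Configuration as described in the original post: only LAN <-> LAN selectors.
ORIGINAL_A = [Phase2(SITE_A_LAN, SITE_B_LAN)]
ORIGINAL_B = [Phase2(SITE_B_LAN, SITE_A_LAN)]

# Fix suggested in the thread: a Phase 2 entry for the known client pool, mirrored on both sides.
FIXED_A = ORIGINAL_A + [Phase2(CLIENT_POOL, SITE_B_LAN)]
FIXED_B = ORIGINAL_B + [Phase2(SITE_B_LAN, CLIENT_POOL)]


def evaluate(client_ip="203.0.113.5"):
    """Where each leg of the connection ends up before and after the extra Phase 2 entries."""
    return {
        "original_forward": site_a_port_forward(ORIGINAL_A, client_ip),   # times out: never enters the tunnel
        "original_reply": site_b_reply(ORIGINAL_B, client_ip),
        "fixed_forward": site_a_port_forward(FIXED_A, client_ip),
        "fixed_reply": site_b_reply(FIXED_B, client_ip),
        # Side effect noted in the thread: Site B now reaches the whole pool only over IPsec.
        "site_b_direct_to_pool": "ipsec" if matches_tunnel(FIXED_B, SITE_B_HOST, "203.0.113.9") else "internet",
    }
```

Running `evaluate()` shows both legs as `routed_out_wan` with the original entries and `ipsec` with the added ones; a client outside the pool still falls through to plain routing, which is why the source must be a known, fixed subnet.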
Thanks for chiming in.
Yes, I was experimenting with the Phase2 settings and was able to make things work! :)
Thanks again everyone for your thoughts and suggestions.