NAT over IPSEC



  • Hi everyone,

    I've got a problem which I have spent hours trying to figure out but have been unsuccessful.  I hope someone is able to point me in the right direction.

    So here it goes…  :)

    I have two pfSense boxes connected to each other over an IPSEC link, one is at Site A and the other is at Site B, with the following addresses:

    SITE A
    WAN IP: 50.xxx.xxx.122
    LAN: 192.168.2.0/24

    SITE B
    WAN IP: 260.xxx.xxx.77
    LAN: 192.168.1.0/29

    The IPSEC link between both sites works fine and I am able to access the LANs from either site.  In other words, when I am at Site A I can access everything on 192.168.1.0/29 and when I am at Site B I can access everything on 192.168.2.0/24.

    So, here is my problem:

    I need to be able to get to a machine with LAN IP 192.168.1.4 port 8080 at Site B from the Internet but from Site A's WAN IP.

    What I have done so far, which has obviously not worked is this:

    1. At Site A, I have created a firewall rule on the WAN interface which allows traffic to 192.168.1.4 port 8080.
    2. At Site A, I have created a NAT rule that forwards traffic from the WAN interface to 192.168.1.4 port 8080.

    When I browse to 50.xxx.xxx.122:8080, I don't get connected to 192.168.1.4 at Site B and just get a timeout message.

    Thank you in advance.
    Armen



  • Hi,

    It's not possible. You can see why here https://forum.pfsense.org/index.php?topic=53776.0



  • Hi kholmqvist,

    Thanks for your message.

    I did indeed see that post a few days ago and I was afraid it was going to be the same for me!  :-\

    Maybe my situation is a bit different than that of the gentleman in that post?  I'm just thinking "out loud" here but…

    • The device which will access from the WAN side will have a known IP address (or a couple from a known pool/subnet) so it won't be 0.0.0.0/0

    • The port will always be 8080

    So with these two differences I am hoping I can make it work.

    Again, I could be wrong but I will try and experiment a little with the Phase2 settings and some NAT settings.

    Here's hoping!


  • LAYER 8 Netgate

    You will need phase 2 entries for the "known pool/subnet" between the two sites. Site B will then only be able to access the "known pool/subnet" over IPsec. It will not be able to access it over the internet.

    I just built this and it seems to work. Only tested a port-forwarded ping.

    Or use OpenVPN. It excels at this. All of the talk in that thread about assigned interfaces and reply-to is done and works great.
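    The following is an added illustration, not code from the thread or from pfSense, of why the extra Phase 2 entries matter: a policy-based IPsec tunnel only carries a packet if some Phase 2 (local, remote) pair selects it, and a port-forwarded packet keeps the Internet client's source address, so both the forward packet at Site A and the reply at Site B need a Phase 2 that covers the "known pool". The pool 203.0.113.0/24, the client 203.0.113.10 and the Internet host 198.51.100.1 are constructed placeholders.

```python
"""Traffic-selector check for port-forwarding to 192.168.1.4 over IPsec.

Added example. Phase 2 entries are modelled as (local_subnet, remote_subnet)
pairs; a flow is tunnelled only if some pair selects its src/dst addresses.
"""
from ipaddress import ip_address, ip_network

SERVER = ip_address("192.168.1.4")          # Site B host (port 8080)
CLIENT = ip_address("203.0.113.10")         # assumed client in the known pool
KNOWN_POOL = ip_network("203.0.113.0/24")   # assumed "known pool/subnet"
SITE_A_LAN = ip_network("192.168.2.0/24")
SITE_B_LAN = ip_network("192.168.1.0/29")


def tunnel_matches(phase2, src, dst):
    """True if some Phase 2 (local, remote) pair selects src -> dst."""
    return any(src in local and dst in remote for local, remote in phase2)


def port_forward_works(site_a_p2, site_b_p2, client=CLIENT, server=SERVER):
    """The forwarded packet at Site A still carries the client's public
    source address, so the client pool (not Site A's LAN) must be in a
    Phase 2. The reply at Site B must match too, otherwise it goes out the
    default gateway to the Internet and the client sees a timeout."""
    forward = tunnel_matches(site_a_p2, client, server)
    reply = tunnel_matches(site_b_p2, server, client)
    return forward and reply


def site_b_internet_via_tunnel(site_b_p2, host=ip_address("198.51.100.1")):
    """Would ordinary Internet traffic from Site B be pulled into the tunnel?
    This is the cost of using 0.0.0.0/0 instead of a known pool."""
    return tunnel_matches(site_b_p2, SERVER, host)


# Original setup from the first post: LAN-to-LAN Phase 2 only.
LAN_ONLY_A = [(SITE_A_LAN, SITE_B_LAN)]
LAN_ONLY_B = [(SITE_B_LAN, SITE_A_LAN)]

# Fix from the thread: add Phase 2 entries for the known pool at both sites.
POOL_A = LAN_ONLY_A + [(KNOWN_POOL, SITE_B_LAN)]
POOL_B = LAN_ONLY_B + [(SITE_B_LAN, KNOWN_POOL)]

# What the linked thread warns against: a catch-all remote subnet at Site B.
ANY_B = LAN_ONLY_B + [(SITE_B_LAN, ip_network("0.0.0.0/0"))]

if __name__ == "__main__":
    print("LAN-only Phase 2:", port_forward_works(LAN_ONLY_A, LAN_ONLY_B))  # False
    print("Known-pool Phase 2:", port_forward_works(POOL_A, POOL_B))        # True
    print("0.0.0.0/0 hijacks Site B Internet:", site_b_internet_via_tunnel(ANY_B))  # True
```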



  • Hi Derelict,

    Thanks for chiming in.

    Yes, I was experimenting with the Phase2 settings and was able to make things work!  :)

    Thanks again everyone for your thoughts and suggestions.

    pfSense rocks!

    Cheers,
    Armen

