Netgate Discussion Forum

    NAT over IPSEC

    Category: NAT
    5 Posts 3 Posters 1.2k Views
    armeniki:

      Hi everyone,

      I've got a problem which I have spent hours trying to figure out but have been unsuccessful.  I hope someone is able to point me in the right direction.

      So here it goes…  :)

      I have two pfSense boxes connected to each other over an IPSEC link, one is at Site A and the other is at Site B, with the following addresses:

      SITE A
      WAN IP: 50.xxx.xxx.122
      LAN: 192.168.2.0/24

      SITE B
      WAN IP: 260.xxx.xxx.77
      LAN: 192.168.1.0/29

      The IPSEC link between both sites works fine and I am able to access the LANs from either site. In other words, when I am at Site A I can access everything on 192.168.1.0/29 and when I am at Site B I can access everything on 192.168.2.0/24.

      So, here is my problem:

      I need to be able to get to a machine with LAN IP 192.168.1.4 port 8080 at Site B from the Internet but from Site A's WAN IP.

      What I have done so far, which has obviously not worked is this:

      1. At Site A, I have created a firewall rule on the WAN interface which allows traffic to 192.168.1.4 port 8080.
      2. At Site A, I have created a NAT rule that forwards traffic from the WAN interface to 192.168.1.4 port 8080.

      When I browse to 50.xxx.xxx.122:8080, I don't get connected to 192.168.1.4 at Site B and just get a timeout message.

      Thank you in advance.
      Armen

      kholmqvist:

        Hi,

        It's not possible. You can see why here https://forum.pfsense.org/index.php?topic=53776.0

        armeniki:

          Hi kholmqvist,

          Thanks for your message.

          I did indeed see that post a few days ago and I was afraid it was going to be the same for me!  :-\

          Maybe my situation is a bit different than that of the gentleman in that post? I'm just thinking "out loud" here but...

          • The device which will access from the WAN side will have a known IP address (or a couple from a known pool/subnet) so it won't be 0.0.0.0/0

          • The port will always be 8080

          So with these two differences I am hoping I can make it work.

          Again, I could be wrong but I will try and experiment a little with the Phase2 settings and some NAT settings.

          Here's hoping!

          Derelict (LAYER 8, Netgate):

            You will need phase 2 entries for the "known pool/subnet" between the two sites. Site B will then only be able to access the "known pool/subnet" over IPsec. It will not be able to access it over the internet.

            I just built this and it seems to work. Only tested a port-forwarded ping.

            Or use OpenVPN. It excels at this. All of the talk in that thread about assigned interfaces and reply-to is done and works great.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

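Derelict's explanation above, restated as an added example that is not code from this thread or from pfSense: a small Python model of each site's Phase 2 entries (the IPsec traffic selectors, i.e. the SPD) that traces the port-forwarded packet from the client to 192.168.1.4:8080 and the server's reply. A port forward only rewrites the destination, so the packet crosses the tunnel with the client's public source address, and the reply must be pulled back into the tunnel by Site B's selectors or it leaves through Site B's own WAN and the client never sees it. The two LANs are the thread's; the client pool 203.0.113.0/24 and the client 203.0.113.5 are assumed stand-ins for the "known pool/subnet" mentioned in the posts.

```python
"""Model of why a port forward at Site A to a host at Site B only works when
the client's source network is covered by a Phase 2 pair on both sites.

Added illustration; not code from the thread or from pfSense. The client
pool 203.0.113.0/24 (a documentation range) is an assumption standing in
for the "known pool/subnet"; the LAN prefixes are the thread's own.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Networks from the thread.
SITE_A_LAN = ip_network("192.168.2.0/24")
SITE_B_LAN = ip_network("192.168.1.0/29")
SERVER = ip_address("192.168.1.4")          # host at Site B listening on 8080

# Assumed for the illustration: where the allowed client(s) connect from.
CLIENT_POOL = ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Phase2:
    """One pfSense Phase 2 entry as seen from one site: Local / Remote Network."""
    local: IPv4Network
    remote: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.local and dst in self.remote


def via_tunnel(spd, src, dst) -> bool:
    """True when src->dst matches a Phase 2 selector at this site, meaning the
    packet is carried through the IPsec tunnel rather than routed out the WAN."""
    src, dst = ip_address(src), ip_address(dst)
    return any(p.matches(src, dst) for p in spd)


def lan_only_spd():
    """The Phase 2 set from the original post: LAN-to-LAN only."""
    site_a = (Phase2(SITE_A_LAN, SITE_B_LAN),)
    site_b = (Phase2(SITE_B_LAN, SITE_A_LAN),)
    return site_a, site_b


def with_pool_spd():
    """Derelict's fix: an additional Phase 2 pair covering the client pool."""
    site_a, site_b = lan_only_spd()
    site_a += (Phase2(CLIENT_POOL, SITE_B_LAN),)
    site_b += (Phase2(SITE_B_LAN, CLIENT_POOL),)
    return site_a, site_b


def port_forward_round_trip(spd_a, spd_b, client) -> dict:
    """Trace client -> Site A WAN:8080, rdr to 192.168.1.4:8080, and the reply.

    The rdr at Site A rewrites only the destination, so the forwarded packet
    keeps the client's public source address. The server at Site B replies to
    that address; unless Site B's SPD also selects that flow, the reply goes
    out Site B's WAN instead of back through the tunnel and the client's TCP
    stack discards it, which shows up as the timeout in the original post."""
    client = ip_address(client)
    forward = via_tunnel(spd_a, client, SERVER)   # does the rdr'd packet enter the tunnel?
    reply = via_tunnel(spd_b, SERVER, client)     # does the reply come back through it?
    return {
        "forward_via_tunnel": forward,
        "reply_via_tunnel": reply,
        "ok": forward and reply,
    }


if __name__ == "__main__":
    client = "203.0.113.5"   # assumed client inside the pool
    for name, (spd_a, spd_b) in (("LANs only", lan_only_spd()),
                                 ("with client pool", with_pool_spd())):
        print(f"{name:17s}", port_forward_round_trip(spd_a, spd_b, client))
    # Derelict's caveat: Site B now reaches the pool only over IPsec.
    print("Site B host -> pool via tunnel:",
          via_tunnel(with_pool_spd()[1], "192.168.1.2", "203.0.113.50"))
```

With the LAN-only selectors the forwarded packet never enters the tunnel at Site A (its source is not in 192.168.2.0/24) and the reply never enters it at Site B, which is the timeout the first post describes. Adding the pool pair makes both directions match. The same check also shows the side effect Derelict mentions: once 192.168.1.0/29 to 203.0.113.0/24 is a Phase 2 selector at Site B, every packet from Site B's LAN to that pool, not just the port-forward replies, is sent through the tunnel, so Site B can no longer reach those addresses directly over the internet.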
            armeniki:

              Hi Derelict,

              Thanks for chiming in.

              Yes, I was experimenting with the Phase2 settings and was able to make things work!  :)

              Thanks again everyone for your thoughts and suggestions.

              pfSense rocks!

              Cheers,
              Armen

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.