Port Forwarding through an IPsec tunnel

    NAT
• execcr

Hello,
I'm here to ask whether it is possible to redirect a single port from the WAN side of a pfSense box through an IPsec tunnel to a machine connected to a second router box at another location.
But first I will explain the problem; maybe there are other solutions.

In a month or two our internet connection at work will be replaced. We don't know how much time this will take (our telco operator says 1-2 days), but we have an Exchange host on premises here and we don't want to lose connectivity like that.
So, my idea is to build a pfSense machine on Amazon AWS, create an IPsec tunnel between our firewall/router (Kerio Control) and the pfSense machine, and use the pfSense machine on AWS as an exit point.
Since I will not have a landline I will use an LTE dongle for the data connection, but our mobile carrier only gives us SIM cards with private addresses…
So the option is to connect the tunnel from our site (the active node will be our local site, the passive one will be the AWS pfSense machine), and it should work.
But now I don't know whether the reroute/redirection system will work.

Any idea?

• jimp (Rebel Alliance Developer, Netgate)

        It can be done, but it is tricky.

        You have to form the P2 just right because the side with the WAN will have to be 0.0.0.0/0. That also means all Internet traffic from the target host will go over IPsec, which may not be what you want, but it's the only way to ensure the return traffic goes into the VPN.

        So you'll need something like this:

        Site with the inbound connections:

        • Port forward sending the connection through to the LAN at the remote site
        • IPsec P1 setup to the remote site
        • IPsec P2 setup as: Local: 0.0.0.0/0, Remote: x.x.x.x/32 (the target of the port forward)

        Remote site:

        • IPsec P1 setup to the main site
        • IPsec P2 setup as: Local: x.x.x.x/32 (the target of the port forward), Remote: 0.0.0.0/0
        • IPsec tab firewall rule to pass from any/* to the target of the port forward

        That should work, though it's kind of awkward. If it's pfSense on both sides, OpenVPN can handle that better so it doesn't force all of that server's outbound traffic over the VPN, too.

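The reason the P2 selectors have to be shaped the way jimp describes is visible if you model the policy lookup a policy-based IPsec stack performs on egress. The Python below is an added illustration, not code from the thread or from pfSense: it compares the recommended layout (remote side: Local target/32, Remote 0.0.0.0/0) with an ordinary LAN-to-LAN phase 2, and shows both the return-path problem and the "all of the target's Internet traffic rides the tunnel" side effect. All addresses (RFC 5737 / RFC 1918 ranges) and the `192.0.2.0/24` main-site LAN are constructed for the example.

```python
"""Simulate which path traffic takes under two IPsec phase-2 (P2) layouts.

Added example for the thread; it models selector matching only, not strongSwan
or pf internals. Addresses are constructed, not taken from the original posts.
"""
import ipaddress
from dataclasses import dataclass

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Phase2:
    """One traffic-selector pair as the pfSense GUI labels it: Local / Remote."""
    local: Net
    remote: Net

    def selects(self, src: IPv4, dst: IPv4) -> bool:
        return src in self.local and dst in self.remote


def route_packet(p2s, src: IPv4, dst: IPv4) -> str:
    """Egress policy lookup: a packet matching any P2 selector is encapsulated
    into the tunnel, anything else follows the plain routing table (for the
    remote site that is the LTE default route with a private, NATed address)."""
    for p2 in p2s:
        if p2.selects(src, dst):
            return "ipsec"
    return "default-route"


# Constructed addresses for the example.
CLIENT = IPv4("198.51.100.7")     # arbitrary Internet client
MAIN_WAN = IPv4("203.0.113.10")   # public IP at the site that receives the connection
TARGET = IPv4("10.20.0.5")        # port-forward target on the remote LAN
REMOTE_LAN = Net("10.20.0.0/24")
MAIN_LAN = Net("192.0.2.0/24")    # assumed main-site LAN, used by the narrow layout

# Layout from the answer above: the WAN side uses 0.0.0.0/0 as its local network.
MAIN_P2_WIDE = [Phase2(Net("0.0.0.0/0"), Net(f"{TARGET}/32"))]
REMOTE_P2_WIDE = [Phase2(Net(f"{TARGET}/32"), Net("0.0.0.0/0"))]

# Tempting but wrong: a normal LAN-to-LAN tunnel between the two sites.
MAIN_P2_NARROW = [Phase2(MAIN_LAN, REMOTE_LAN)]
REMOTE_P2_NARROW = [Phase2(REMOTE_LAN, MAIN_LAN)]


def port_forward(client: IPv4, target: IPv4):
    """Destination NAT on the main WAN: dst becomes the target, src is untouched,
    so the remote host sees the real client address and replies to it."""
    return client, target


def trace(main_p2s, remote_p2s, client=CLIENT, target=TARGET):
    """Return (inbound_path, return_path) for one forwarded connection."""
    src, dst = port_forward(client, target)
    inbound = route_packet(main_p2s, src, dst)         # main site, after NAT
    reply = route_packet(remote_p2s, target, client)   # remote site, reply to client
    return inbound, reply


def target_outbound(remote_p2s, dst=IPv4("8.8.8.8")) -> str:
    """Where the target host's own, unrelated Internet traffic ends up."""
    return route_packet(remote_p2s, TARGET, dst)


if __name__ == "__main__":
    print("wide   :", trace(MAIN_P2_WIDE, REMOTE_P2_WIDE))
    print("narrow :", trace(MAIN_P2_NARROW, REMOTE_P2_NARROW))
    print("target's own traffic, wide  :", target_outbound(REMOTE_P2_WIDE))
    print("target's own traffic, narrow:", target_outbound(REMOTE_P2_NARROW))
```

With the narrow layout the forwarded packet (source: a random Internet address) matches no selector at the main site, and even if it did, the reply from the target would miss the remote side's selector and leave via the LTE default route under a different source address, so the TCP handshake never completes. The wide layout fixes both directions, at the price that every packet the target sends to the Internet is selected into the tunnel, which is the trade-off the answer warns about. In practice also check that the remote side has no wider or earlier P2 that would catch the target's traffic first, and that the IPsec-tab rule really is limited to the forwarded port.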
• kuberan

This is just what I was looking for… (I think)
The reason I want to do something like this is WAN failover to LTE...

We have a /26 IP range and host many services on site. The problem is that with LTE we only get a single IP, and it is not even static. If we have to use the LTE we will have internet access but lose any hosted services.

I would like to get a /26 range of IPs at a cloud provider and then port forward these IPs to the local servers on site. These would then be the permanent IPs for those services. If we have to use LTE or change ISPs we would not have to think about the IPs changing, DNS TTLs or anything like that.... This would also bring our uptime closer to the cloud provider's.

Is this a good idea, or do you think there is a smarter solution?
Would IPsec or OpenVPN be the better option for the site-to-site VPN connection?

Thanks
