Port Forwarding through IPsec tunnel
I'm here to ask if it is possible to redirect a single port from the WAN side of a pfSense box through an IPsec tunnel to a machine connected to a second router box at another location.
But first I will explain the problem; maybe there are other solutions.
In a month or two our Internet connection at work will be replaced. We don't know how much time this will take (our telco operator says 1-2 days), but we have an Exchange host on premises here and we don't like to lose connectivity like that.
So, my idea is to make a pfSense machine on Amazon AWS, create an IPsec tunnel between our firewall/router (Kerio Control) and the pfSense machine, and use the pfSense machine on AWS as an exit point.
Since I will not have a landline I will use an LTE dongle for the data connection, but our mobile carrier only gives us SIM cards with private addresses…
So the option is to connect the tunnel from our site (the active node will be our local site, the passive one will be the AWS pfSense machine) and it should work.
But now, I don't know if the reroute/redirection system will work.
It can be done, but it is tricky.
You have to form the P2 just right because the side with the WAN will have to be 0.0.0.0/0. That also means all Internet traffic from the target host will go over IPsec, which may not be what you want, but it's the only way to ensure the return traffic goes into the VPN.
So you'll need something like this:
Site with the inbound connections:
- Port forward sending the connection through to the LAN at the remote site
- IPsec P1 setup to the remote site
- IPsec P2 setup as: Local: 0.0.0.0/0, Remote: x.x.x.x/32 (the target of the port forward)
Remote site (with the target host):
- IPsec P1 setup to the main site
- IPsec P2 setup as: Local: x.x.x.x/32 (the target of the port forward), Remote: 0.0.0.0/0
- IPsec tab firewall rule to pass from any/* to the target of the port forward
That should work, though it's kind of awkward. If it's pfSense on both sides, OpenVPN can handle that better so it doesn't force all of that server's outbound traffic over the VPN, too.
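To show why the 0.0.0.0/0 selector matters, here is an added Python sketch (not from the forum thread or from pfSense) that models the port forward and both sides' P2 selectors with constructed RFC 5737 addresses, then checks whether a client's forward and return legs are both selected into the tunnel.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addresses (documentation ranges, not from the thread): the
# inbound site's WAN address, the target host at the remote site, and clients.
WAN_IP = "198.51.100.1"
TARGET = "10.0.0.50"
FULL_P2 = {  # what the answer above recommends: 0.0.0.0/0 on the WAN side, mirrored
    "inbound": ("0.0.0.0/0", TARGET + "/32"),
    "remote": (TARGET + "/32", "0.0.0.0/0"),
}
NARROW_P2 = {  # a tempting but wrong P2 that only covers one client network
    "inbound": ("203.0.113.0/24", TARGET + "/32"),
    "remote": (TARGET + "/32", "203.0.113.0/24"),
}

def port_forward(src, dst, dport, wan_ip=WAN_IP, port=443, target=TARGET):
    """Model the inbound site's NAT rule: rewrite dst wan_ip:port to target:port."""
    if dst == wan_ip and dport == port:
        return src, target, dport
    return src, dst, dport

def selected(p2, src, dst):
    """True if a packet src->dst matches a P2 given as (local, remote) selectors."""
    local, remote = (ip_network(n) for n in p2)
    return ip_address(src) in local and ip_address(dst) in remote

def round_trip_ok(p2, client, dport=443):
    """Forward leg: client->WAN is NATed, then must match the inbound site's P2.
    Return leg: target->client must match the remote site's P2, otherwise the
    reply leaves via the remote site's own WAN and the connection never completes."""
    src, dst, _ = port_forward(client, WAN_IP, dport)
    forward = selected(p2["inbound"], src, dst)
    reply = selected(p2["remote"], dst, src)
    return forward and reply

if __name__ == "__main__":
    for name, p2 in (("full", FULL_P2), ("narrow", NARROW_P2)):
        for client in ("203.0.113.7", "192.0.2.33"):
            print(name, client, round_trip_ok(p2, client))
```

With the narrow selectors only clients inside 203.0.113.0/24 get a working round trip; the 0.0.0.0/0 pair works for any Internet client, at the cost the answer describes of pulling all of the target's outbound traffic into the tunnel.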
This is just what I was looking for… (I think)
The reason I want to do something like this is WAN failover to LTE...
We have a /26 IP range and host many services on site. The problem is that with LTE we only get a single IP and it is not even static. If we have to use the LTE we will have Internet access but lose any hosted services.
I would like to get a /26 range of IPs at a cloud provider and then port forward these IPs to the local servers on site. Then these will be the permanent IPs for those services. If we have to use LTE or change ISPs we would not have to think about the IPs changing or DNS TTLs or anything like that.... This will also bring our uptime closer to the cloud provider's.
Is this a good idea, or do you think there is a smarter solution?
Would IPsec or OpenVPN be the better option for the site-to-site VPN connection?