NAT Public IP from other NAT router via OpenVPN Site-to-Site VPN

  • Hi there, I am completely new to pfSense but have found the online guides and this Wiki extremely helpful in configuring a VPN between our new remote office and our head office. That being stated, I am faced with a unique challenge which I cannot for the life of me figure out. I have searched the Wiki and the web and cannot find a solution to this specific situation, so now I need help and hope that someone can clarify this with steps. The IPs and subnets are only examples to simplify; my actual production environment is different:

    Site A:

    pfSense Router at IP Address for OpenVPN Client Access Server on Port 1194 and OpenVPN Site-to-Site Server on Port 1195

    ISP Managed Router with 5 Static IPs, NAT configured by them (I cannot do anything about this, it is the only option available), on the same subnet as Site A (due to the public IP NAT) at IP, with a static route for subnet through the pfSense Router. (I cannot log in to this router)

    Site B:

    pfSense Router at IP Address, acts as NAT Gateway and OpenVPN Site-to-Site Client

    My ISP provides NAT for 5 public IPs to the subnet, of which I want to set up NAT on the pfSense Router to route traffic to and from these NAT internal IPs (I cannot move the router to a different subnet to use pfSense as a NAT Router for all traffic due to various other complications on our network relying on direct access through NAT Public IPs for now; once I get this to work I will change that, but presently we are relying on the redundancy provided by that setup).

    So for the purposes of this question, how do I set up the Virtual IPs on the Site A network that will NAT the Site A NAT public IP to the hosts on Site B?


    Public IP is configured by ISP on their Router to NAT to internal IP
    pfSense at Site A has IP Alias on internal IP
    pfSense at Site A has 1:1 NAT Rule forwarding all traffic for VIP to Site B IP
    At Site A, pinging and using the VIP ( works perfectly and as predicted and I can access the host at Site B at IP (So my internal NAT seems to work).

    When I use the Public IP, I get nothing, tracert shows the IP up to the last nameserver in line for my ISP before hitting the Router. Where am I going wrong and can this even be done with a NAT behind a NAT? If I bring up a host on the internal LAN with the internal IP as per the ISP Router's NAT configuration it works perfectly so the issue is with the way I am trying to use pfSense.

    Any help will be greatly appreciated as I need the above so that two of the public IPs can route to two specific hosts at Site B. I also had the ISP set up the NAT to translate the public IP directly to the remote site IP, but due to the way their router handles NAT rules it cannot work.
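As an added example that is not the poster's configuration or pfSense-generated output, the arrangement described above written as the underlying pf rules that the pfSense GUI entries (Virtual IPs, 1:1 NAT, Outbound NAT) produce, with constructed addresses and interface names. It also includes the point a reviewer would raise: 1:1 NAT alone does not control the Site B host's return path, which is why tests from the Site A LAN can succeed while connections from the public IP do not.

```pf
# Constructed addresses (RFC 5737 / RFC 1918) and names; not the poster's real ones.
lan_if     = "em0"          # Site A LAN; the ISP router sits on this same subnet
ovpn_if    = "ovpns1"       # Site A OpenVPN site-to-site server interface
vip        = "10.1.1.50"    # Site A IP alias; the ISP router NATs 203.0.113.5 to it
siteb_host = "10.2.2.20"    # host at Site B reached through the tunnel

# 1:1 NAT (pfSense: Firewall > NAT > 1:1). Packets arriving for the VIP are
# rewritten to the Site B host; replies from that host get the VIP as source.
binat on $lan_if from $siteb_host to any -> $vip

# Outbound NAT on the tunnel (pfSense: Firewall > NAT > Outbound, hybrid or
# manual mode). Without it the Site B host sees the Internet client's real
# address and answers through its own default gateway instead of the tunnel,
# so the translated connection never completes. Rewriting the source to the
# Site A tunnel address keeps the reply inside the VPN.
nat on $ovpn_if from any to $siteb_host -> ($ovpn_if)

# Filter rules are matched on the post-translation destination, so permit only
# the services the public IP is meant to expose rather than "any".
pass in quick on $lan_if proto tcp from any to $siteb_host port { 80, 443 } \
     flags S/SA keep state
```

Trace with tcpdump on both the LAN and the OpenVPN interface at Site A: a working flow shows the SYN on the tunnel with the rewritten source and the SYN/ACK returning on the same interface.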
