1 to 1 NAT for LAN subnet to WAN
-
If you can't acquire an additional public IP, my advice is that you generate an IPSec from your pfSense to your client's UTM.
-
OK, so I can't use my current WAN IP of my router, 193.203.70.54.
So I need to get an additional WAN IP from my ISP and I can use that to create a virtual IP?
-
When you say generate an IPsec, do you mean create an IPsec VPN?
-
Yes, Internet Protocol Security (IPSec VPN)
-
But they would need to create an IPsec at their end as well so the two can talk to each other, i.e. a site-to-site IPsec VPN.
Is there no other way to achieve this?
-
A GRE tunnel was already mentioned by jonhpoz.
No, there is no other way than any kind of a tunnel to achieve that.
-
It is correct, your client must also generate an IPSec connection in your UTM to have a secure connection from LAN to LAN.
If you intend to generate a NAT through your WAN with your entire LAN network as the destination, pfSense will not understand the meaning of this NAT and will simply not do anything about it, because pfSense will not have a specific destination to redirect your request to.
This is the meaning of doing a NAT; this is how pfSense enables connections from the WAN to an internal and specific query service on your LAN.
I insist, the best option is to generate IPSec in your pfSense and in the UTM of your client.
-
You can do 1:1 NAT but since you only have one address you can only do one of them. And that will remove the ability to bind anything else on the WAN address.
If they only want to connect to one service, you can port forward:
Wan_Address:3389 10.30.0.1:3389
Wan_Address:3390 10.30.0.2:3389
Wan_Address:3391 10.30.0.3:3389
Wan_Address:3392 10.30.0.4:3389
etc.
As has been said above, a VPN is how this is done. That is what you should insist on. Anything else is pretty much wrong.
-
A GRE tunnel sounds interesting, how do you do that?
Is that with 1 to 1 NAT or via IPsec?
-
Once you have a tunnel there is no need for 1:1 NAT or any NAT.. The tunnel is used to route the traffic to get to your network.. The whole POINT of a VPN..
If you were going to create a tunnel - there is zero reason not to encrypt it, because it's going over the public internet.