Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Route inbound WAN traffic to server on remote tunneled network

    IPsec
    4
    17
    320
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      danisrael last edited by danisrael

      I have an appliance on the remote end of an IP SEC tunnel. This device travels around the US using a cradlepoint router that connects to the internet through various methods (sometimes LAN/LTE,WiFI, etc). Once the cradlepoint sees internet, it establishes an IP SEC tunnel to our corporate offices running pfSense 2.4.3 release p1. I'm always able to route traffic to the device from our internal LAN. However, I need to be able to route traffic via NAT/PORT FORWARD from the WAN interface at corporate to the device through the IP Sec tunnel. Essentially, trying to relay traffic to this device which is always relocating, with our static IP at the office.

      Again, LAN to device works perfectly. Just can't seem to get traffic inbound from my WAN to traverse the tunnel.

      Any suggestions?

      1 Reply Last reply Reply Quote 0
      • D
        danisrael last edited by danisrael

        I believe I've determined through packet capture, that after the NATing is done from the WAN attempt, it sends the traffic back out to the WAN instead of the IP sec tunnel. When I capture traffic attempt from the LAN side, it traverses the tunnel.

        1 Reply Last reply Reply Quote 0
        • johnpoz
          johnpoz LAYER 8 Global Moderator last edited by johnpoz

          Can you post up your port forward forward for this?

          ipsec changed a lot with 2.4.4 and the ability to use VTI.

          https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-routed.html

          Not sure if what you were trying to do would work without the VTI.. @Derelict would no much more about this than me..

          Wouldn't it be easier to just hit the cradlepoints new IP directly, and let it in from your source IP that I assume is static. This would be way simpler then trying to portforward down a ipsec tunnel ;)

          Have not played with cradlepoint in a while - we have used them in a few setups. But I am almost positive you can have it update a dyndns with its current IP.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

          1 Reply Last reply Reply Quote 0
          • D
            danisrael last edited by danisrael

            johnpoz ... Actually, upgraded to 2.4.4 yesterday and began playing with VTI. However, haven't been able to get the PHASE 2 SA's to build using VTI.

            Regarding the port forward:
            0_1539184193274_e7edb314-a5a9-4c44-b418-28e04e20eeaa-image.png

            On going directly to the cradlepoints: These travel from stadium to stadium and are always provided internet connectivity ... but never directly. And they are always behind very highly secured firewalls. Establishing the VPN is possible, but reaching it directly is not. I did think about trying to relay through Azure or something, but not sure that is much different than this.

            Thanks for your assistance on this.

            1 Reply Last reply Reply Quote 0
            • jimp
              jimp Rebel Alliance Developer Netgate last edited by

              That should work without VTI provided you use a P2 for 0.0.0.0/0 on the pfSense end. That also means it will send all of its Internet traffic back through your side, though.

              Otherwise the port forward traffic will be forwarded across the VPN by pfSense and then the remote device will send the replies back out its WAN.

              There may be a way to rig something up with a local instance of a bounce or proxy daemon to work around that. If it's a TCP service maybe use haproxy, then Internet hosts hit haproxy, haproxy makes a new connection to the remote device, then it will reply back to the firewall which can relay the replies back to the client.

              Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              D 1 Reply Last reply Reply Quote 0
              • D
                danisrael @jimp last edited by

                @jimp I would only want that port being forwarded to traverse the tunnel as it is only up during GameDay. It is dead 99.9% of the time. Wouldn't pfsense write a route to the 192.168.200.x to the tunnel endpoint. That is how it routes traffic from the LAN.

                1 Reply Last reply Reply Quote 0
                • johnpoz
                  johnpoz LAYER 8 Global Moderator last edited by

                  This is a very interesting use case.. If I get a chance I will try and duplicate this... I have some vps I should be able to bring up a ipsec tunnel with. And then forward traffic through from public internet and hit the vps service.

                  I am wondering if part of the problem is going to be the other cradlepoint side where why would it route the return traffic back through the tunnel. Lets say your coming from public IP 1.2.3.4 and hitting your pfsense on port 9002, pfsense fowards this down the tunnel and you hit the service behind the cradlepoint... The service answers back to 1.2.3.4 - but why would that go back down the tunnel.. Wouldn't it just go out the default wan gateway on the cradlepoint.

                  Maybe if you setup the tunnel so that the cradlepoint knows to go back through the tunnel to get to 1.2.3.4.. Just spitballing here.. I don't recall ever having to do something like this before - but the source IP could be a problem. For the return traffic off the top of my head.

                  @Derelict for sure would be of great help in such a setup

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

                  D 1 Reply Last reply Reply Quote 0
                  • jimp
                    jimp Rebel Alliance Developer Netgate last edited by jimp

                    Traffic still has to match the P2 to enter or exit the tunnel, and the far side still has to send the replies back the way they entered. The only way to make that happen properly with tunneled IPsec is with a P2 for 0.0.0.0/0 to the device.

                    EDIT: And with VTI the far side still has to send the reply back the right way, which won't happen without something like reply-to in pf which who knows if cradlepoint has anything like that.

                    Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • D
                      danisrael @johnpoz last edited by

                      @johnpoz You may be right with the Cradlepoint not returning traffic, I haven't been able to get traffic to it yet to see. When i capture the IPSEC tunnel on the far end, i don't see any traffic unless i originate from the near end LAN.

                      1 Reply Last reply Reply Quote 0
                      • B
                        bfeitell last edited by

                        I am probably in way over my head here, but would it be possible to use OpenVPN? I'm pretty sure you can accomplish the reverse route with an iroute statement in the client specific overrides on the server side.

                        D 1 Reply Last reply Reply Quote 0
                        • D
                          danisrael @bfeitell last edited by

                          @bfeitell I don't know much about OpenVPN, but I believe it takes a client app on the far end, correct? One of the limitations on this is that the device I'm trying to reach is a hardware device, not computer. So the router at the far end has to make the connection.

                          1 Reply Last reply Reply Quote 0
                          • jimp
                            jimp Rebel Alliance Developer Netgate last edited by

                            It works great on pfSense with OpenVPN on both ends, you can port forward across and on the remote side you can have an assigned OpenVPN interface which will send the replies back because reply-to works fine.

                            But the remote here is a cradlepoint device so... ๐Ÿคท

                            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                            Need help fast? Netgate Global Support!

                            Do not Chat/PM for help!

                            1 Reply Last reply Reply Quote 0
                            • johnpoz
                              johnpoz LAYER 8 Global Moderator last edited by

                              Pretty sure cradlepoints supports both openvpn as server or client.
                              https://knowledgebase.cradlepoint.com/articles/Support/Series-3-OpenVPN-Client-Server-Configuration

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

                              jimp 1 Reply Last reply Reply Quote 0
                              • jimp
                                jimp Rebel Alliance Developer Netgate @johnpoz last edited by

                                @johnpoz said in Route inbound WAN traffic to server on remote tunneled network:

                                Pretty sure cradlepoints supports both openvpn as server or client.
                                https://knowledgebase.cradlepoint.com/articles/Support/Series-3-OpenVPN-Client-Server-Configuration

                                Sure but it would also need something like reply-to or the replies will go back the wrong way (out the cradlepoint WAN)

                                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                                Need help fast? Netgate Global Support!

                                Do not Chat/PM for help!

                                1 Reply Last reply Reply Quote 0
                                • johnpoz
                                  johnpoz LAYER 8 Global Moderator last edited by

                                  Not sure on that...

                                  Couldn't you just have the cradlepoint bring up another ipsec tunnel to your other location?

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

                                  D 1 Reply Last reply Reply Quote 0
                                  • D
                                    danisrael @johnpoz last edited by danisrael

                                    @johnpoz The Cradlepoint is a MBR1200v1 ...unfortunately, it doesn't support the OpenVPN. I am checking into whether we can obtain an MBR1400. It sounds from reading through the VTI info that it would indeed function just like an interface. I need to continue experimenting with that and why I can't get the SAs to come up using VTI.

                                    I'm guessing the reason "tunnel" mode won't route from the WAN is the SPD that is being written:
                                    0_1539202369903_ae349cb9-79ec-44ca-8e52-ce69934f57fe-image.png

                                    This is allowing traffic through the tunnel from my endpoint to the far endpoint provided it's source is 192.168.0.0/18.

                                    1 Reply Last reply Reply Quote 0
                                    • johnpoz
                                      johnpoz LAYER 8 Global Moderator last edited by

                                      what about just bring up another ipsec tunnel to the other location(s) that would need to access?

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.01

                                      1 Reply Last reply Reply Quote 0
                                      • First post
                                        Last post