Route External IP over IPSec VPN (NAT'ed) on pfSense 2.2.5



    Good afternoon,
    I have been digging into this for much of the day.

    We have 2 servers that are housed at one of our branch sites. This site is configured as 10.1.8.x network, with the two servers being 10.1.8.20 and 10.1.8.101.
    They sit behind a Sonicwall NSA 3600 and an Internet line that does not have enough external IPs to accept traffic over.

    We have a remote site that operates a pfSense 2.2.5 firewall that has 5 unused public IPs. We have an IPSec VPN configured between both sites, allowing for traffic to flow. I have tested that each site can successfully access resources on both sides.

    What we want to do is take one of the external IP's at the remote site, NAT this across the IPSec VPN to the 10.1.8.X server and then control the firewall ports on the pfSense firewall to limit access. We are fine with all traffic from X server going over this VPN vs directly out.

    So full map...

    External IP 1.1.1.1 --> pfSense External IP (IP configured as a Virtual IP) --> pfSense Internal IP (10.80.110.1) --> Over IPSec VPN to 10.1.8.x Network --> Sonicwall --> Server 10.1.8.20 (eventually block down to ports 443, 80, etc)

    I can fully connect to the server at 10.1.8.20 or 101 from a server sitting on the 10.80.110.X network, so I know the VPN is good, and access over any port has worked perfectly since we allow all traffic across. What we can't get to work is taking the external IP NAT'ing it to go across the IPSec VPN to 10.1.8.20.

    Any help would be appreciated!
    Tom
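The following is an added illustration, not part of Tom's post or anything from the pfSense project. It models the packet path he describes (public VIP 1.1.1.1 -> port forward -> IPsec tunnel -> 10.1.8.20) to show why the forward alone is not enough: after the WAN port forward the packet still carries the Internet client's source address, which is not inside the tunnel's Phase 2 selector (assumed here to be 10.80.110.0/24 <-> 10.1.8.0/24, matching the working site-to-site access), so it never enters the tunnel, and even if it did, the Sonicwall would send the server's reply to the public client via its own WAN instead of back through the VPN. The usual way to handle this on pfSense is a second NAT step: an outbound NAT rule on the IPsec interface (Firewall > NAT > Outbound, hybrid or manual mode) that rewrites the source to an address inside the local Phase 2 network; the translation address 10.80.110.1 and the client address 203.0.113.7 are assumptions for the example.

```python
"""Model of a port forward across an IPsec tunnel, with and without
outbound NAT on the IPsec interface. Constructed example; the selectors,
VIP, client and translation addresses are assumptions, not the poster's
actual configuration."""
import ipaddress
from dataclasses import dataclass, replace

# Assumed Phase 2 selector of the site-to-site tunnel.
PHASE2_LOCAL = ipaddress.ip_network("10.80.110.0/24")   # pfSense LAN side
PHASE2_REMOTE = ipaddress.ip_network("10.1.8.0/24")     # Sonicwall/branch side

VIP = "1.1.1.1"                 # public virtual IP on the pfSense WAN
SERVER = "10.1.8.20"            # target host behind the Sonicwall
ALLOWED_PORTS = (80, 443)       # ports the forward exposes
IPSEC_SNAT = "10.80.110.1"      # assumed translation address inside PHASE2_LOCAL


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def port_forward(flow: Flow) -> Flow:
    """WAN port forward (pf 'rdr'): VIP:port -> server across the tunnel.
    Anything not on an allowed port is left alone (and would hit the WAN
    rules as normal)."""
    if flow.dst == VIP and flow.dport in ALLOWED_PORTS:
        return replace(flow, dst=SERVER)
    return flow


def outbound_nat_ipsec(flow: Flow) -> Flow:
    """Outbound NAT on the IPsec interface: rewrite the source to an address
    inside the local Phase 2 network so the reply is covered by the tunnel."""
    if ipaddress.ip_address(flow.dst) in PHASE2_REMOTE:
        return replace(flow, src=IPSEC_SNAT)
    return flow


def matches_phase2(src: str, dst: str) -> bool:
    """Would this src/dst pair be selected into the tunnel by pfSense?"""
    return (ipaddress.ip_address(src) in PHASE2_LOCAL
            and ipaddress.ip_address(dst) in PHASE2_REMOTE)


def branch_reply_path(reply_src: str, reply_dst: str) -> str:
    """Where the Sonicwall sends the server's reply: back through the tunnel
    if the reverse selector matches, otherwise out its own default route
    (asymmetric path, the client never sees the SYN/ACK)."""
    if (ipaddress.ip_address(reply_src) in PHASE2_REMOTE
            and ipaddress.ip_address(reply_dst) in PHASE2_LOCAL):
        return "ipsec"
    return "sonicwall-wan"


def trace(client: str = "203.0.113.7", dport: int = 443,
          use_outbound_nat: bool = True) -> dict:
    """Follow one inbound connection from the Internet client to the server
    and report whether it enters the tunnel and how the reply would return."""
    inbound = Flow(client, VIP, dport)
    forwarded = port_forward(inbound)
    if forwarded.dst != SERVER:
        return {"forwarded": forwarded, "enters_tunnel": False, "reply_path": "not-forwarded"}
    if use_outbound_nat:
        forwarded = outbound_nat_ipsec(forwarded)
    enters = matches_phase2(forwarded.src, forwarded.dst)
    if not enters:
        # No IPsec policy covers this pair: pfSense would route 10.1.8.20 via
        # its default gateway, i.e. out the WAN, not into the tunnel.
        return {"forwarded": forwarded, "enters_tunnel": False, "reply_path": "pfsense-wan-default-route"}
    reply = branch_reply_path(forwarded.dst, forwarded.src)
    return {"forwarded": forwarded, "enters_tunnel": True, "reply_path": reply}


if __name__ == "__main__":
    for nat in (False, True):
        print("outbound NAT on IPsec:", nat, "->", trace(use_outbound_nat=nat))
    print("port 22 (not forwarded) ->", trace(dport=22))
```

Without the outbound NAT step the traced flow arrives at the server with a public source address, which neither side's selector covers; with it, both directions stay inside 10.80.110.0/24 <-> 10.1.8.0/24 and the port restriction is enforced by the WAN forward itself. The alternative, without the second NAT, is to widen the Sonicwall's and pfSense's Phase 2 selectors to cover Internet sources, which is rarely what you want.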