Using Cloud Provider IP with my Home LAN through Site-to-Site VPN



  • Good day,

    I have a working site-to-site setup with OpenVPN that works great (actually have 3 sites that talk to each other very well). I would like to add an additional Public IP to my Firewall in the Cloud (from my Cloud provider) and route it to a server in my Home LAN through the site-to-site setup. Let's say I want to access a web server in my house through the public IP in the Cloud.

    Is this possible? I have the IP, I tried to configure a Firewall/VirtualIP, a Firewall/NAT/1:1 and a rule (tried LAN and OpenVPN) without success. I noticed I can only route to LAN or LAN_net and not VPN (in the Cloud firewall)? What could I be missing? Is there something to do on the 2nd firewall (my HomeLAN)?

    Running latest firmware: 2.4.4-RELEASE-p2

    Thanks ahead,
    JP


  • Rebel Alliance Moderator

    Is this possible?

    As I understand you have an instance in a cloud, get a second IP there and want to route the traffic from this second IP to a server in your home LAN via a VPN tunnel? Yes that is possible with a 1:1 NAT or port forwarding. Routing isn't possible as in most cases you don't get those IPs routed to you.
    An easy way to do that would be to use an OpenVPN site2site tunnel (shared key) with your cloud instance.

    Greets
    Jens



    Thank you for the reply. That is exactly what I want to do. I have a working site2site with shared key (I can ping traffic from one to another). The second site is another APU4 firewall in my home (isolated like a DMZ).

    I guess I'm close and I was looking at it the right way, but no success.

    On the Cloud pfSense :

    • I configured a Firewall/VirtualIP (IP Alias, WAN, Single Address 45.55.97.XX/32) - not much more to do here.
    • I configured a Firewall/NAT/1:1 (Interface WAN, External Subnet IP 45.55.97.XX, Internal IP 10.101.10.101 (working, I can ping from Cloud firewall to home LAN firewall 10.101.10.101), Destination Any). Is it an issue that the second IP isn't in the same subnet? Do I need to reconfigure a gateway with this new IP ?

    I noticed in Diagnostics/Route that my 10.101.0.0/16 (home) has Gateway 10.150.101.2, Flags UGS and Netif ovpns2 while my new public IP has 2 entries:

    • 45.55.97.XX, Gateway link#1, UHS, lo0
    • and 45.55.97.XX/32, Gateway link#1, U, vtnet0).
      Should I not see Netif ovpns2 ?

    Plus, should I be doing a firewall rule in the LAN or OpenVPN section? On each side? Right now I put an Any/Any rule to test. I'm just trying to reach port 22 because I don't have a web server - it will really be a Kubernetes cluster in the end. I will tighten it up once it works. No need to open the whole internet into my home! That's why I put a firewall and a site2site in the first place!

    Just a cool way to get a static IP from the Cloud in our homes without bothering with the ISP (dynamic IP or a commercial account for an IP) or a DynDNS cname... A lookup would show the Cloud provider (but it's in my home!). With some providers you can benefit from services like anti-DoS on the IP... Fun little project, no?

    Excited to get it working.
    Thanks again,

    JP


  • Rebel Alliance Moderator

    @jpcyrenne2 said in Using Cloud Provider IP with my Home LAN through Site-to-Site VPN:

    Is it an issue that the second IP isn't in the same subnet? Do I need to reconfigure a gateway with this new IP ?

    No, as long as the IP is routable and reachable and the cloud instance knows what to do with it, setting that as the target IP is no problem.

    @jpcyrenne2 said in Using Cloud Provider IP with my Home LAN through Site-to-Site VPN:

    45.55.97.XX, Gateway link#1, UHS, lo0
    and 45.55.97.XX/32, Gateway link#1, U, vtnet0).
    Should I not see Netif ovpns2 ?

    I suppose the two XX are the separate IPs, one the original one of your cloud instance and the other one the second IP you booked additionally?
    No, that should not be ovpns2. That would only make sense if the VPN daemon itself handed out or bound to that IP as its transfer network. But you have the IP on WAN, or better vtnet0 (on the hardware/virtual interface). The other is an IP Alias (I suppose?) so it's added on the loopback interface. Nothing wrong with that.

    Did you check that your second IP is working at all after you got it and configured it as an alias IP on pfSense? Did you ping from it, or did you try to connect to it and see incoming traffic for that IP (or blocked packets with that target IP)?

    @jpcyrenne2 said in Using Cloud Provider IP with my Home LAN through Site-to-Site VPN:

    Plus, should I be doing a firewall rule in the LAN or OpenVPN section? On each side? Right now I put an Any/Any rule to test

    So as not to overcomplicate things, I'd add an any-any rule on both sides in the OpenVPN rules tab to make the tunnel transparent and non-blocking, and filter via rules on the WAN (on the cloud instance) or on your LAN (on your home side).

    @jpcyrenne2 said in Using Cloud Provider IP with my Home LAN through Site-to-Site VPN:

    I'm just trying to reach port 22 cause I don't have a web server

    Then a port forward of tcp/22 is enough; no need for 1:1 NAT.

    Just a cool way to get a static IP from the Cloud in our homes without bothering with the ISP (dynamic IP or a commercial account for an IP) or a DynDNS cname... A lookup would show the Cloud provider (but it's in my home!). With some providers you can benefit from services like anti-DoS on the IP... Fun little project, no?

    We had to use the same method for a while after rigging down a datacenter and relocating, as a few customers still had services bound to the IPs from that old DC/ISP so we needed a possibility to get the traffic from those IPs to our new location. Did the same there: removed everything but a small VM host from the DC and started a small pfSense VM there to just fire up a VPN tunnel to our new location and route those few external IPs to our new location. Didn't even add that much latency to the requests and was really robust and stable for the months it was needed.



    Had a little issue playing with the rules and lost my cloud pfSense. I was able to put a backup through the provider's console, phew! I tried many scenarios with the port forward with no success. I even tried on the main configured IP. I can't get the traffic to go through the site2site from WAN it seems?

    Back to basics. I set up an nginx on port 8080 (not to mess with the firewall ports and lock myself out again) on a RPI in the remote LAN. If I use the Diagnostics/Test port I can access port 10.101.10.10:8080 from my CloudWAN to my site2site LAN?

    Now if I go to Firewall/Port Forward, I can not get it to work? It seems pretty simple and straightforward (creates my NAT firewall rule).

    Interface : WAN
    Protocol : TCP
    Source : Any
    Source port range : 8080-8080
    Destination : single host or alias 10.101.10.10 /32
    Destination port range : 8080-8080
    Redirect target IP : 10.101.10.10
    NAT reflection : use system default

    Not sure it's worth putting more time on this since I'll probably never be able to redirect port 443 towards the internal nginx or 22 to a node. HTTPS and SSH are used for the firewall on the main IP.

    That's why I'd rather bind another IP (Virtual IP) and control all the ports I need from that IP to a 1:1 (like a security group in AWS I guess, where I control ingress/egress to the node). Make sense?

    Again to simplify things, I'll use baby steps. I'll just try to get a second IP from the provider to respond to port 8080 (I know it works internally from the Diagnostics/Test port). I deleted the Port Forward rule and started clean again.

    Virtual IP
    Type: IP Alias (should I be doing a CARP VIP here?)
    Interface: WAN
    Address type: Single address
    Address: 45.55.97.93 /32

    Firewall/NAT/1:1
    Interface: WAN
    External subnet IP: 45.55.97.93
    Internal IP: Single Host 10.101.10.10
    Destination: Any

    Firewall/Rules/WAN
    Action: Pass
    Interface: WAN
    Address Family: IPv4
    Protocol: TCP
    Source: Any
    Destination: LAN net (Diagnostic/Test port on LAN interface 10.101.10.10 and good)
    Destination Port Range : Any - Any

    If I call the webpage on http://45.55.97.93:8080 I do not get any response in the browser : This site can’t be reached.

    If I change the above firewall rule to:
    Destination: Single host or alias 10.101.10.10

    Same thing... can't reach.

    I guess it's now time to troubleshoot:

    Routes:
    45.55.97.93 link#1 UHS lo0
    45.55.97.93/32 link#1 U vtnet0

    Diagnostics/Packet Capture
    I don't get traffic on port 8080 from the 2nd IP http://45.55.97.93:8080
    I do get traffic on port 8080 from the firewall IP http://104.131.46.131:8080
    17:32:01.869709 IP 70.52.115.250.62990 > 104.131.46.131.8080: tcp 0
    17:32:01.869784 IP 70.52.115.250.62989 > 104.131.46.131.8080: tcp 0
    17:32:02.087819 IP 70.52.115.250.62991 > 104.131.46.131.8080: tcp 0
    17:32:05.692102 IP 70.52.115.250.62989 > 104.131.46.131.8080: tcp 0
    17:32:05.692189 IP 70.52.115.250.62990 > 104.131.46.131.8080: tcp 0

    So now I finally have something to work with!

    Would this be a Provider issue or an IP configuration error on my side?
    (External subnet IP: 45.55.97.93) I don't have anything else to enter (usually IP, mask, default gateway are minimal)

    Thanks in advance once again for any help,

    JP



  • Same with a simple ping. I don't get traffic to the 2nd IP, but OK with the main firewall IP.

    17:50:54.842416 IP 144.217.94.122 > 104.131.46.131: ICMP echo request, id 564, seq 10, length 64
    17:50:55.866334 IP 144.217.94.122 > 104.131.46.131: ICMP echo request, id 564, seq 11, length 64
    17:50:56.890367 IP 144.217.94.122 > 104.131.46.131: ICMP echo request, id 564, seq 12, length 64
    17:50:57.914347 IP 144.217.94.122 > 104.131.46.131: ICMP echo request, id 564, seq 13, length 64

    Same question in my head: a Provider issue or I need to change something with Virtual IP ?

    Thanks,

    JP


  • Rebel Alliance Moderator

    @jpcyrenne2 said in Using Cloud Provider IP with my Home LAN through Site-to-Site VPN:

    Same with a simple ping. I don't get traffic to the 2nd IP, but OK with the main firewall IP.

    If you ping the second IP from an external source and check the tcpdump / packet capture on the cloud pfSense - is there any incoming packet to the secondary IP visible? If not, stop right there and check back with your provider, because then you've got a routing/IP issue :)
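
    The check Jens describes above, as an added example that is not part of this thread and not pfSense code: a small POSIX shell script that reads the text output of Diagnostics > Packet Capture (tcpdump format, as in the captures posted earlier in the thread) and counts packets to and from the secondary IP. The sample captures are constructed for the example; the first one reuses the thread's own lines, where only 104.131.46.131 sees traffic. The script assumes the secondary IP is used only for the forward, so that a packet whose source is that IP is a translated reply from the home host; that is an assumption of the example, not something the thread states. The third verdict matters once 1:1 NAT or the port forward is done on the cloud box: the home host's replies have to come back through the tunnel to the cloud pfSense to be un-NATed, so if the home firewall sends them out its own WAN instead, packets arrive at the secondary IP but nothing ever leaves from it.

```shell
#!/bin/sh
# Added example (not from the thread, not pfSense code).
# Classify a WAN-side packet capture to separate the two failure modes:
#   exit 2  nothing ever arrives for the IP      -> provider routing/IP problem
#   exit 3  packets arrive, nothing leaves from  -> NAT rule or return route
#           the IP                                   through the tunnel missing
#   exit 0  packets arrive and replies leave     -> NAT and return path work
# Assumption (ours): the IP is only used for the forward, so a packet with
# that IP as *source* is the home host's reply after translation back.

# count_dst FILE IP : number of IPv4 packets in FILE addressed to IP
count_dst() {
    awk -v ip="$2" '
        $2 == "IP" {
            dst = $5; sub(/:$/, "", dst)          # "1.2.3.4.8080:" -> "1.2.3.4.8080"
            if (split(dst, p, "[.]") == 5)        # strip a TCP/UDP port suffix
                dst = p[1] "." p[2] "." p[3] "." p[4]
            if (dst == ip) n++
        }
        END { print n + 0 }' "$1"
}

# count_src FILE IP : number of IPv4 packets in FILE sent from IP
count_src() {
    awk -v ip="$2" '
        $2 == "IP" {
            src = $3
            if (split(src, p, "[.]") == 5)
                src = p[1] "." p[2] "." p[3] "." p[4]
            if (src == ip) n++
        }
        END { print n + 0 }' "$1"
}

# classify_capture FILE IP : print a verdict and exit with the code listed above
classify_capture() {
    in_=$(count_dst "$1" "$2")
    out=$(count_src "$1" "$2")
    if [ "$in_" -eq 0 ]; then
        echo "$2: 0 packets in -> nothing reaches this IP; check with the provider"
        return 2
    elif [ "$out" -eq 0 ]; then
        echo "$2: $in_ in, 0 out -> arrives but no reply; check NAT and the return route via the tunnel"
        return 3
    fi
    echo "$2: $in_ in, $out out -> NAT and return path working"
    return 0
}

# Constructed sample captures. SAMPLE_NONE reuses the thread's lines: only the
# primary address 104.131.46.131 sees traffic, the secondary 45.55.97.93 sees none.
SAMPLE_NONE=$(mktemp); cat >"$SAMPLE_NONE" <<'EOF'
17:32:01.869709 IP 70.52.115.250.62990 > 104.131.46.131.8080: tcp 0
17:32:01.869784 IP 70.52.115.250.62989 > 104.131.46.131.8080: tcp 0
17:50:54.842416 IP 144.217.94.122 > 104.131.46.131: ICMP echo request, id 564, seq 10, length 64
EOF
# SAMPLE_NOREPLY (constructed): SYNs reach the secondary IP, no SYN-ACK ever leaves from it
SAMPLE_NOREPLY=$(mktemp); cat >"$SAMPLE_NOREPLY" <<'EOF'
17:40:10.100000 IP 70.52.115.250.63001 > 45.55.97.93.8080: tcp 0
17:40:11.100000 IP 70.52.115.250.63001 > 45.55.97.93.8080: tcp 0
17:40:13.100000 IP 70.52.115.250.63001 > 45.55.97.93.8080: tcp 0
EOF
# SAMPLE_OK (constructed): SYN in, SYN-ACK back out from the secondary IP
SAMPLE_OK=$(mktemp); cat >"$SAMPLE_OK" <<'EOF'
17:45:00.100000 IP 70.52.115.250.63002 > 45.55.97.93.8080: tcp 0
17:45:00.130000 IP 45.55.97.93.8080 > 70.52.115.250.63002: tcp 0
17:45:00.160000 IP 70.52.115.250.63002 > 45.55.97.93.8080: tcp 0
EOF

for f in "$SAMPLE_NONE" "$SAMPLE_NOREPLY" "$SAMPLE_OK"; do
    classify_capture "$f" 45.55.97.93 || :
done
```

    To use it on a real capture, take it on the cloud pfSense WAN interface (vtnet0 in the thread) while you ping or connect to the secondary IP from outside, save the text output to a file and run `classify_capture FILE 45.55.97.93`; an exit status of 2 is the "talk to the provider" case, 3 means the packets get in but the reply path through the tunnel is broken.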

