NAT through VPN to remote site



  • Hi
    I am trying to do the following:

    Ext Client (WAN) -> (IP_ext) FW  /  LAN 10.46.127.10/24 (NAT to RDP works)
                                     \  S2S (PreShared, 172.31.254.0/24) <-> TerminalServer (10.45.127.10/26)

    But NAT directly to 10.45.127.10 does not work.
    I can see the NAT is used, but I cannot see the traffic going anywhere.
    How do I direct it down through the OpenVPN S2S over to the TerminalServer?
    From the LAN everything works, but not from the NAT.

    Regards
    Henning



  • @hsv Can you elaborate on what exactly you mean by "from the NAT"?
    A proper network diagram could also help in understanding the question.



  • @hsv

    Why are you using NAT on a VPN?



  • Hi @netblues
    Thanks for helping.

    I have made two NATs on the FW:

    NAT Rule 1) on WAN interface: WAN IP1 to 10.46.127.10/24 for RDP
    NAT Rule 2) on WAN interface: WAN IP2 to 10.45.127.10/26 for RDP

    NAT Rule 1 works.
    NAT Rule 2 does not work, as I cannot get the NAT traffic to go down the OpenVPN tunnel.

    I will gladly make a drawing, but how do I upload it to this forum?

    Pub_IP1 \           / LAN
              WAN  FW1
    Pub_IP2 /           \ S2S_VPN <-> FW2 <-> TS

    Both FW1 and FW2 are pfSense 2.4.4p3.
    S2S_VPN is a PreShared with
    FW1 S2Svpn: ip 172.31.254.1/24
    FW2 S2Svpn: ip 172.31.254.2/24

    Regards
    Henning


  • LAYER 8 Netgate

    If you are trying to port forward in from WAN across OpenVPN to a host there you must:

    1. Assign an interface to the OpenVPN instance on the target server side
    2. Be sure that the incoming connection there is NOT passed by a rule on the OpenVPN tab but IS passed by a rule on the assigned interface tab. This will get you reply-to there and the reply traffic will be routed back through the tunnel.
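An added example (not from the thread or from pfSense itself) of checking step 2 on the target-side firewall: a small Python script that scans pass rules in the style of pfSense's generated pf ruleset (/tmp/rules.debug, approximated here with constructed sample lines) and reports any rule toward the forwarded RDP host that matches on the OpenVPN group or carries no reply-to, which is exactly what sends the replies out the default route instead of back through the tunnel. The interface name S2S_VPN, the ovpns1 device name and the tracker values are assumptions.

```python
import re

# Constructed sample approximating pfSense's generated pf rules (/tmp/rules.debug).
# Interface names, device name and tracker ids are assumptions for this example.
SAMPLE_RULES = """\
pass in quick on $OpenVPN inet proto tcp from any to 10.45.127.10 port 3389 tracker 1000000101 flags S/SA keep state label "USER_RULE: RDP via OpenVPN tab"
pass in quick on $S2S_VPN reply-to ( ovpns1 172.31.254.1 ) inet proto tcp from any to 10.45.127.10 port 3389 tracker 1000000102 flags S/SA keep state label "USER_RULE: RDP on assigned interface"
pass in quick on $OpenVPN inet proto tcp from any to 10.45.127.10 port 443 tracker 1000000103 flags S/SA keep state label "USER_RULE: HTTPS via OpenVPN tab"
"""

# Captures the matching interface, an optional "reply-to ( dev gateway )" clause,
# and the destination host/port of an inbound pass rule.
RULE_RE = re.compile(
    r'^pass\s+in\s+quick\s+on\s+\$(?P<iface>\S+)'
    r'(?:\s+reply-to\s+\(\s*(?P<rt_if>\S+)\s+(?P<rt_gw>\S+)\s*\))?'
    r'.*?\bto\s+(?P<dst>\S+)\s+port\s+(?P<port>\d+)'
)


def find_return_path_issues(ruleset, target, port):
    """Return (interface, problem) for every pass rule toward target:port whose
    replies will not be routed back through the tunnel: rules matched on the
    OpenVPN group tab get no reply-to, and a rule without reply-to on any
    interface lets the reply follow the firewall's default route instead."""
    issues = []
    for line in ruleset.splitlines():
        m = RULE_RE.match(line)
        if not m or m.group("dst") != target or int(m.group("port")) != port:
            continue
        iface = m.group("iface")
        if iface.lower() == "openvpn":
            issues.append((iface, "rule is on the OpenVPN group tab, so no reply-to is generated"))
        elif not m.group("rt_if"):
            issues.append((iface, "rule has no reply-to clause"))
    return issues


def assigned_interface_ok(ruleset, target, port):
    """True if at least one pass rule toward target:port carries reply-to,
    i.e. the forward is passed on an assigned interface as step 2 requires."""
    for line in ruleset.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("dst") == target and int(m.group("port")) == port and m.group("rt_if"):
            return True
    return False


if __name__ == "__main__":
    for iface, problem in find_return_path_issues(SAMPLE_RULES, "10.45.127.10", 3389):
        print(f"{iface}: {problem}")
    print("assigned-interface rule present:", assigned_interface_ok(SAMPLE_RULES, "10.45.127.10", 3389))
```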
