Forward all public IP traffic to a remote server via IPsec

  • Network Diagram

    Hi All,
    I have the above rather unconventional setup. I have an IPsec tunnel between an SG-5100 and a pfSense instance on AWS.
    The machines on the LANs and can see the machines behind the AWS pfSense instance on the LAN and vice versa.
    I also have a public IP alias ( on the SG-5100 WAN network. I would like to redirect all traffic going into this IP address to a machine ( behind the AWS instance.

    I have tried a couple of things but have been unsuccessful. I would really appreciate some suggestions on how best to go about this.


  • @AceStrider1 said in Forward all public IP traffic to a remote server via IPsec:

    To solve this problem, I would recommend that you use a routed connection type.
    For example, OpenVPN, GRE over IPsec or VTI.
    Then it will be possible to redirect all traffic coming on to the server.
    It is necessary to use NAT OUTBOUND on the tunnel interface because otherwise the traffic from will return through.
    This is a feature of the PF implementation (the reply-to function does not work on virtual interfaces).

    Here is an example of traffic forwarding and using outgoing NAT (Linux iptables)
    through a GRE tunnel.
    37.XXX.YYY.ZZZ = = = internal ip address of the GRE interface.
    prerouting = port forwarding
    postrouting = NAT OUTBOUND

    -A PREROUTING -d 37.XXX.YYY.ZZZ -p tcp -m multiport --destination-port 25,465,587,993 -j DNAT --to-destination
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -o tun100 -p tcp -m multiport --destination-port 25,465,587,993 -d -j SNAT --to-source
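The following is an added, constructed model of the path the reply above describes: port forwarding (DNAT) on the edge router alone leaves the server answering the client's real address, so its reply follows the remote site's default route instead of the tunnel; adding outbound NAT (SNAT) to the tunnel address pulls the reply back through the tunnel. It is not code from the poster, pfSense or iptables. The addresses are documentation-range placeholders (the thread's own addresses are not reproduced here); the interface name tun100 and the port list are taken from the iptables example in the reply.

```python
"""Constructed model of DNAT-only versus DNAT + SNAT over a routed tunnel.

All addresses below are assumptions (RFC 5737 / RFC 1918 placeholders),
not the addresses from the thread.
"""
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.10"    # public IP alias on the edge router's WAN (assumed)
CLIENT_IP = "198.51.100.7"    # Internet client connecting to the public IP (assumed)
TUN_LOCAL = "10.255.0.1"      # edge router's address on the routed tunnel (assumed)
SERVER_IP = "10.20.0.5"       # server behind the remote router (assumed)
FORWARDED_PORTS = {25, 465, 587, 993}   # ports from the iptables example in the reply

# Remote router's routing table as (prefix, egress interface). The tunnel
# carries only its /30, so any other destination leaves via the remote WAN.
REMOTE_ROUTES = [
    ("10.20.0.0/24", "lan"),
    ("10.255.0.0/30", "tun100"),
    ("0.0.0.0/0", "remote-wan"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int   # service port (the client's destination port)


def route_lookup(dst, routes=REMOTE_ROUTES):
    """Longest-prefix match, the way a kernel picks the egress interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def edge_router_forward(pkt, use_snat):
    """PREROUTING DNAT to the server, then optional POSTROUTING SNAT on the tunnel.

    Returns the translated packet plus a conntrack entry (translated tuple ->
    original packet) that the edge router uses to undo the translation later.
    """
    original = pkt
    if pkt.dst == PUBLIC_IP and pkt.port in FORWARDED_PORTS:
        pkt = replace(pkt, dst=SERVER_IP)      # -j DNAT --to-destination <server>
    if use_snat and pkt.dst == SERVER_IP:
        pkt = replace(pkt, src=TUN_LOCAL)      # -j SNAT --to-source <tunnel address>
    conntrack = {(pkt.src, pkt.dst, pkt.port): original}
    return pkt, conntrack


def simulate(use_snat):
    """Follow one client packet in and the server's reply back out.

    Returns (interface the reply leaves the remote router on, packet the client
    finally receives, or None when the reply never comes back via the edge).
    """
    inbound = Packet(src=CLIENT_IP, dst=PUBLIC_IP, port=25)
    at_server, conntrack = edge_router_forward(inbound, use_snat)

    # The server answers whatever source address it saw; it knows nothing
    # about the public IP alias on the far side of the tunnel.
    reply = Packet(src=at_server.dst, dst=at_server.src, port=at_server.port)
    reply_iface = route_lookup(reply.dst)

    if reply_iface != "tun100":
        # Asymmetric path: the reply left via the remote site's own WAN with a
        # private source address, so the client never gets a usable answer.
        return reply_iface, None

    # Reply came back through the tunnel: reverse both translations so the
    # client sees the answer coming from the public IP it connected to.
    orig = conntrack[(reply.dst, reply.src, reply.port)]
    delivered = Packet(src=orig.dst, dst=orig.src, port=orig.port)
    return reply_iface, delivered


if __name__ == "__main__":
    print("DNAT only:   ", simulate(False))
    print("DNAT + SNAT: ", simulate(True))
```

Running it shows the DNAT-only reply leaving on remote-wan with nothing delivered, while the DNAT + SNAT reply returns on tun100 and reaches the client from the public IP; the trade-off, as with the reply's SNAT rule, is that the server logs the tunnel address rather than the real client address.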
