Forward all public IP traffic to a remote server via IPsec



  • Network Diagram

    Hi All,
    I have the above rather unconventional setup. I have an IPsec tunnel between an SG-5100 and a pfSense Instance on AWS.
    The machines on the LANs 10.10.10.0/24 and 10.10.20.0/24 can see the machines behind the AWS pfSense Instance on the 10.30.10.0/24 LAN and vice versa.
    I also have a public IP Alias (64.64.64.25) on the SG-5100 WAN Network. I would like to redirect all traffic going into this IP address to a machine (10.30.10.31) behind the AWS instance.

    I have tried a couple of things but have been unsuccessful. I would really appreciate some suggestions on how best to go about this.

    Thanks,
    Adan



  • @AceStrider1 said in Forward all public IP traffic to a remote server via IPsec:

    10.30.10.31

    Hello
    To solve this problem, I would recommend that you use a routed connection type.
    For example, OpenVPN, GRE over IPsec or VTI.
    Then it will be possible to redirect all traffic coming in on 64.64.64.26 to the server 10.30.10.31.
    It is necessary to use NAT OUTBOUND on the tunnel interface because otherwise the traffic from 10.30.10.31 will return through 32.32.32.32.
    This is a feature of the PF implementation (the reply-to function does not work on virtual interfaces).

    Here is an example of traffic forwarding and outbound NAT (Linux iptables)
    through a GRE tunnel.
    37.XXX.YYY.ZZZ = 64.64.64.25
    192.168.1.230 = 10.30.10.31
    10.10.100.2 = internal IP address of the GRE interface.
    prerouting = port forwarding
    postrouting = NAT OUTBOUND

    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    # prerouting = port forwarding: DNAT the public IP to the server behind the tunnel
    -A PREROUTING -d 37.XXX.YYY.ZZZ -p tcp -m multiport --dports 25,465,587,993 -j DNAT --to-destination 192.168.1.230
    # postrouting = NAT OUTBOUND: SNAT to the GRE interface address so replies come back through the tunnel
    -A POSTROUTING -o tun100 -p tcp -m multiport --dports 25,465,587,993 -d 192.168.1.230 -j SNAT --to-source 10.10.100.2
    COMMIT

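The same forward-plus-outbound-NAT pair, written as a pf.conf fragment for the SG-5100 itself, as an added example that is not part of the original thread and not the responder's code. It assumes the IPsec phase 2 has been switched to VTI mode and the resulting interface is named ipsec1000 with local address 10.250.0.1, that the WAN interface is igb0, and that only the mail ports from the iptables example are forwarded; those interface names, the VTI address and the port list are assumptions, not values from the thread.

```pf
# Macros: interface names and the VTI address below are assumed, not from the thread
ext_if     = "igb0"         # SG-5100 WAN interface (assumed)
vti_if     = "ipsec1000"    # VTI interface of the IPsec tunnel to AWS (assumed)
vti_ip     = "10.250.0.1"   # local address on the VTI (assumed)
public_ip  = "64.64.64.25"  # IP alias on WAN from the question
target     = "10.30.10.31"  # server behind the AWS pfSense from the question
mail_ports = "{ 25, 465, 587, 993 }"

# Translation rules must come before filter rules in pf.conf.

# Port forward (the PREROUTING DNAT in the iptables example):
# traffic arriving on WAN for the public alias is redirected to the remote server,
# keeping the original destination port.
rdr on $ext_if inet proto tcp from any to $public_ip port $mail_ports -> $target

# Outbound NAT on the tunnel interface (the POSTROUTING SNAT in the iptables example):
# the forwarded packets leave the VTI with the VTI address as source, so the
# server replies to 10.250.0.1 and the reply comes back through the tunnel instead
# of leaving via the AWS WAN address.
nat on $vti_if inet proto tcp from any to $target port $mail_ports -> $vti_ip

# Filter rules: rdr has already rewritten the destination, so the WAN rule
# matches the internal target, and the VTI needs its own pass-out rule.
pass in quick on $ext_if inet proto tcp from any to $target port $mail_ports keep state
pass out quick on $vti_if inet proto tcp from any to $target port $mail_ports keep state
```

In the pfSense GUI the rdr line corresponds to a Port Forward entry (Firewall > NAT > Port Forward) on WAN with destination 64.64.64.25, and the nat line to an Outbound NAT entry (Firewall > NAT > Outbound, in Hybrid or Manual mode) on the VTI interface with destination 10.30.10.31 and the interface address as translation address. To confirm the return path is correct, capture on the VTI interface while connecting to the public IP: the packets toward 10.30.10.31 should carry the VTI address as source, and the server's replies should appear on the same interface rather than at the AWS side's WAN.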