    Forward all public IP traffic to a remote server via IPsec

    AceStrider1 wrote:

      [Network Diagram image]

      Hi All,
      I have the above rather unconventional setup. I have an IPsec tunnel between an SG-5100 and a pfSense Instance on AWS.
      The machines on the LANs 10.10.10.0/24 and 10.10.20.0/24 can see the machines behind the AWS pfSense Instance on the 10.30.10.0/24 LAN and vice versa.
      I also have a public IP Alias (64.64.64.25) on the SG-5100 WAN Network. I would like to redirect all traffic going into this IP address to a machine (10.30.10.31) behind the AWS instance.

      I have tried a couple of things but have been unsuccessful. I would really appreciate some suggestions on how best to go about this.

      Thanks,
      Adan

      Konstanti wrote, replying to @AceStrider1:

        @AceStrider1 said in Forward all public IP traffic to a remote server via IPsec:

        10.30.10.31

        Hello
        To solve this problem, I would recommend that you use a routed connection type,
        for example OpenVPN, GRE over IPsec, or VTI.
        Then it will be possible to redirect all traffic coming in on 64.64.64.26 to the server 10.30.10.31.
        It is necessary to use NAT OUTBOUND on the tunnel interface, because otherwise the traffic from 10.30.10.31 will return through 32.32.32.32.
        This is a feature of the pf implementation (the reply-to function does not work on virtual interfaces).

        Here is an example of traffic forwarding and outgoing NAT (Linux iptables)
        through a GRE tunnel.
        37.XXX.YYY.ZZZ = 64.64.64.25
        192.168.1.230 = 10.30.10.31
        10.10.100.2 = internal IP address of the GRE interface.
        prerouting = port forwarding
        postrouting = NAT OUTBOUND

        # nat table in iptables-restore format
        *nat
        :PREROUTING ACCEPT [0:0]
        :POSTROUTING ACCEPT [0:0]
        :OUTPUT ACCEPT [0:0]
        # port forwarding: mail ports arriving on the public IP are sent to the internal server
        -A PREROUTING -d 37.XXX.YYY.ZZZ -p tcp -m multiport --destination-port 25,465,587,993 -j DNAT --to-destination 192.168.1.230
        # NAT OUTBOUND on the tunnel interface: rewrite the source so the server's replies come back through the tunnel
        -A POSTROUTING -o tun100 -p tcp -m multiport --destination-port 25,465,587,993 -d 192.168.1.230 -j SNAT --to-source 10.10.100.2
        COMMIT
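To make the return-path argument above concrete, here is an added example (my own, not code from the thread or from pfSense) that walks one client packet through the port forward and the outbound NAT and shows which way the server's reply is routed on the AWS side with and without the outbound NAT. The tunnel transit address 10.10.100.2, the AWS-side route table and the client address 198.51.100.7 are assumed or constructed; the other addresses come from the thread.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses from the thread; TUNNEL_LOCAL is an assumed transit address for the
# SG-5100 end of a routed tunnel (the iptables example uses 10.10.100.2 for this).
PUBLIC_ALIAS = "64.64.64.25"
SERVER = "10.30.10.31"
TUNNEL_LOCAL = "10.10.100.2"
FORWARDED_PORTS = {25, 465, 587, 993}

# Assumed AWS-side route table, most specific first: the SG-5100 LANs and the
# tunnel transit net go through the tunnel, everything else via 32.32.32.32.
AWS_ROUTES = [
    ("10.10.10.0/24", "tunnel"),
    ("10.10.20.0/24", "tunnel"),
    ("10.10.100.0/24", "tunnel"),
    ("0.0.0.0/0", "default gateway 32.32.32.32"),
]

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def port_forward(pkt):
    """PREROUTING DNAT: public alias -> internal server for the forwarded ports."""
    if pkt.dst == PUBLIC_ALIAS and pkt.dport in FORWARDED_PORTS:
        return replace(pkt, dst=SERVER)
    return pkt

def outbound_nat(pkt):
    """POSTROUTING SNAT on the tunnel interface: hide the client behind TUNNEL_LOCAL."""
    if pkt.dst == SERVER:
        return replace(pkt, src=TUNNEL_LOCAL)
    return pkt

def aws_route(dst):
    """First matching route wins (the table is ordered most specific first)."""
    ip = ipaddress.ip_address(dst)
    return next(via for net, via in AWS_ROUTES if ip in ipaddress.ip_network(net))

def reply_path(client_pkt, use_outbound_nat):
    """Return where the AWS side routes the server's reply to client_pkt."""
    pkt = port_forward(client_pkt)
    if use_outbound_nat:
        pkt = outbound_nat(pkt)
    reply = Packet(src=pkt.dst, sport=pkt.dport, dst=pkt.src, dport=pkt.sport)
    return aws_route(reply.dst)
```

Without the outbound NAT the reply is addressed to the client's public IP and leaves via the AWS default gateway, never reaching the SG-5100 that holds the NAT state; with it, the reply is addressed to the tunnel transit address and comes back through the tunnel.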