One side pfsense behind NAT 1:1 and another as peer

  • In one side i have pfsense behind another firewall (A) with NAT 1:1, and in the other side have pfsense (B) with public ip.
    I established phase 1 tunnel sucefful configuring side "A" with peer identifier (With the WAN of pfsense wich is on the LAN of above firewall).
    How can i establish connection on phase 2 setting my local network (but its not the LAN of pfsense, are the LAN of the firewall above pfsense, who has connection to the internet and make the NAT 1:1 to pfsense)

    What i pretend to do is use pfsense (with NAT 1:1) A as VPN Server to make peer to peer conection with other 2 pfsense i have. And present my lan's (which is on firewall above) in this tunnel.

  • @joao-borges Are we talking about ipsec?
    port 500 forwarding is tricky and has to use static port.
    Does the other firewall offer such feature?
    How about switching to openvpn which does better in such situations?

  • Yes i tried with open vpn, but i cant route the LAN's of above firewall through the tunnel to side B.
    There is a a way to do that with openvpn?

  • @joao-borges Did you have openvpn established? Can you ping each other pf via tunnel?
    If yes, allowing lans via openvpn (the equivalent of "protect" in ipsec) is the final step in openvpn config.
    Obviously openvpn does that.

  • Yes man, I have OpenVPN established. But I don't think it was clear enough
    My pfsense "A" has ip WAN = LAN from the above firewall, who is responsible for routing the packets to internet, what I want is to close a tunnel to side B to be able to communicate transparently with pfsense's WAN net ( without the openVPN tunnel ip), so I will use pfsense only to set the tunnel and the main firewall as the edge

  • So I guess you need to nat everything coming from pfsense B at the wan of pfsense A.
    The other way would be to route, but this would need static routes from the main firewall at the edge pointing at the pfsense A wan ip.
    Assuming that pfsense B is the client, you should be able to ping the Lan interface of pfA from any ip from Lan of pfsenseB
    All stations in lanB must have pfb either as Default gateway, or have routes for required networks in pfsense A
    Not that difficult.
    Try drawing a diagram , it would help.

  • ![alt text](DIAGRAMA_PFSENSE_VPN.png image url)

    This would be an example of the network diagram I want to get to. So PFSENSE A would be the vpn server, where I would close the VPN tunnel with PFSENSE B, so I have to present the FIREWALL A networks in this tunnel.
    The idea is to make the PFSENSE B lan get the FIREWALL A DMZ with the network ips and not the tunnel ips so that I can handle the requests in FIRWALL A and use PFSENSE A only as a server. VPN.
    It is possible?

    In FIREALL A I created a 1: 1 NAT rule so that PFSENSE A has a public ip, I used this public IP to close the VPN with PFSENSE B

  • Someone? =/

Log in to reply