Netgate Discussion Forum

    source IP for file share access over IPSEC tunnel for site to site VPN

      VasilyK

      Hi All,

      We have a site-to-site IPsec VPN tunnel between a pfSense appliance on Amazon AWS and a remote site.

      The instance has multiple interfaces.

      The primary WAN uses the private IP 10.10.20.100 on Amazon; the internal interface uses 10.10.20.200.

      A remote client needs to access a file share that sits on one of the internal subnets. The file share uses 10.50.10.100.

      We access the file share via the IP address 10.10.20.200, but when the traffic comes back to the client the source IP is 10.50.10.100 and the firewall does not allow that. Is there a way to change the source IP on the way back so that it uses the same source IP 10.10.20.200 when it goes back into the IPsec tunnel?

      Many thanks,
      Vs.

        VasilyK

        What I am trying to achieve is something similar to the Windows command:

        netsh interface portproxy add v4tov4 listenport=139 listenaddress=10.10.20.200 connectport=139 connectaddress=10.50.10.100

        netsh interface portproxy add v4tov4 listenport=445 listenaddress=10.10.20.200 connectport=445 connectaddress=10.50.10.100

        In this case the traffic comes back with the correct source IP.

          Grimeton

          As I've written half an hour ago in another reply:

          pf in FreeBSD has a bug that doesn't allow NAT after IPsec. So whatever you do, you have to do it on the INCOMING interface at the other end. You cannot do it on the outgoing interface of the other end or the incoming one on your end.

          I don't know if this has been fixed yet, but by the looks of all the questions in here it seems like it's still there.

            VasilyK

            Thanks for your update.

            I have implemented it using a proxy Linux instance that does port forwarding.

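Added example (not code from the thread, from Netgate or from pfSense): a Linux proxy instance of the kind VasilyK describes in the last post, written as iptables rules. It assumes a proxy address of 10.10.20.210 (constructed; the thread never gives the proxy's own address), an interface name of eth0 facing the IPsec side, and the thread's file server 10.50.10.100 on TCP 139/445. DNAT hands the client's SMB connection on to the file server, and SNAT rewrites the source so the server's replies return through the proxy and reach the VPN client with the proxy's address as source, which is the rewrite the pfSense side could not do after IPsec in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: a Linux "proxy instance" that forwards
# SMB (TCP 139/445) from its own address to the file server and rewrites the
# source on the way in, so the server's replies return via the proxy and
# reach the VPN client with the proxy's address as source.
PROXY_ADDR="${PROXY_ADDR:-10.10.20.210}"   # constructed: the proxy's own address
TARGET_ADDR="${TARGET_ADDR:-10.50.10.100}" # file server (from the thread)
PORTS="${PORTS:-139 445}"                  # SMB/NetBIOS ports (from the thread)
PROXY_IF="${PROXY_IF:-eth0}"               # assumed: interface facing the IPsec side

# Rules for one TCP port. DNAT rewrites the destination to the file server;
# SNAT rewrites the source to PROXY_ADDR so the reply path runs through us;
# the FORWARD rules permit only that flow (and its replies) to cross the box.
port_rules() {
    port="$1"
    printf '%s\n' \
      "iptables -t nat -A PREROUTING -i $PROXY_IF -p tcp -d $PROXY_ADDR --dport $port -j DNAT --to-destination $TARGET_ADDR:$port" \
      "iptables -t nat -A POSTROUTING -p tcp -d $TARGET_ADDR --dport $port -j SNAT --to-source $PROXY_ADDR" \
      "iptables -A FORWARD -i $PROXY_IF -p tcp -d $TARGET_ADDR --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT" \
      "iptables -A FORWARD -p tcp -s $TARGET_ADDR --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT"
}

# Complete rule set: routing must be on, forwarding is default-deny,
# then the per-port DNAT/SNAT/FORWARD rules.
forward_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    for p in $PORTS; do
        port_rules "$p"
    done
}

# Check helper: how many generated lines mention a given string.
rule_count() {
    forward_rules | grep -c "$1"
}

# Dry run by default (prints the commands); APPLY=1 executes them as root,
# echoing each one and stopping at the first failure.
if [ "${APPLY:-0}" = "1" ]; then
    forward_rules | sh -ex
else
    forward_rules
fi
```

Run as-is the script only prints the rules; APPLY=1 executes them with root. Pinning the DNAT to the tunnel-facing interface keeps the proxy from relaying SMB for anyone else who can reach its address, and because SNAT hides the client's real address from the file server, the server's access logs will show only the proxy, so record client identity on the proxy or the VPN endpoint if you need it for auditing.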
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.