source IP for file share access over IPSEC tunnel for site to site VPN



  • Hi All,

    we do have site to site IP sec VPN tunnel using pfsense appliance on Amazon aws with remote site.

    Instance has got multiple interfaces.

    Primary WAN is using private ip 10.10.20.100 on amazon, Internal interface 10.10.20.200.

    Remote client needs to access file share which is on one of internal subnets. File share is using 10.50.10.100

    We are accessing file share over IP address 10.10.20.200, but when traffic comes back to the client source ip is 10.50.10.100 and firewall does not allow that. Is there a way to change source IP on the way back to use the same source IP 10.10.20.200 when it goes back to IP sec tunnel?

    Many thanks,
    Vs.



  • what I am trying to archive is something similar to windows command:

    netsh interface portproxy add v4tov4 listenport=139 listenaddress=10.10.20.200 connectport=139 connectaddress=10.50.10.100

    netsh interface portproxy add v4tov4 listenport=445 listenaddress=10.10.20.200 connectport=445 connectaddress=10.50.10.100

    At this case traffic is coming back with correct source IP.



  • As I've written half an hour ago in another reply:

    pf in FreeBSD has a bug that doesn't allow NAT after IPsec. So whatever you do, you have to do it on the INCOMING interface at the other end. You cannot do it on the outgoing interface of the other end or the incoming one on your end.

    I don't know if this has been fixed yet, but by the looks of all the questions in here it seems like it's still there.



  • Thanks for you update.

    I have implemented it by using proxy Linux instance which is doing port forwarding.


Log in to reply