NAT/BINAT



  • Hello,

    We have a server ("Target") connected to our pfSense using a dedicated network, separated from the LAN.

    We can access this server through the Internet by using rules on pfSense (with HTTP or HTTPS for example).

    There is another server ("Source") connected using an IPsec VPN to pfSense, and accessing our LAN.

    We would like to be able to access the "Target" server from the "Source" server through the VPN, so we are thinking of using NAT/BINAT between a dedicated IP address of our LAN and the "Target" server.

    But we didn't understand which kind of rules we need to create to realize this. This is the first time we plan to use NAT/BINAT.

    Here is a schema of what I said:

    Can somebody explain to us how NAT/BINAT works and how to use it in rules?

    Thanks

    Regards,



  • You keep using the word BINAT, I do not think you know what this means. What does 'other network' mean- is this a directly connected OPT interface off of pfSense? Is it reached via a router? If you can reach target through pfSense from the Internet (port-forward?), you should be able to specify the IPSec phase 2 from 'source' as the network where 'target' lives. This is all conjecture- if you want help, you will need to provide more detailed information.



  • Hi,

    The other network is a separate network, provided by our datacenter host. It is connected to the pfSense on an interface.

    The target and the pfSense have their own IP address on this network.

    We finally saw that port forward for packets coming from WAN is not working. We see packets going through in the logs, but not reaching the target.

    It seems that pfSense is in trouble with the routing on this "other network".

    And the weird thing is that we can access the target without any problem by an OpenVPN connection.

    Regards



  • Is the target using a device other than pfSense as its default gateway?



  • Yes, but routes exist to send packets to the right network.

    pfSense is able to ping the target and the target can ping pfSense.

    Thanks



  • If your target has a different default gateway, that makes things messy. Any response traffic beyond local subnets (e.g. from the internet) is going to go to its default gateway, not pfSense. So port-forwards are not going to work. You would need to NAT the Internet traffic so the source appears to be from the locally connected interface. It should be possible with custom NAT rules, but personally, I haven't tried to do that. If I controlled the target machine, I would change its default gateway to pfSense.



  • @dotdash said in NAT/BINAT:

    NAT the Internet traffic so the source appears to be from the locally connected interface

    Thank you, that seems to be a good idea.
    Are you able to describe the steps to do that?

    If it doesn't work we will try to change the default gateway, but we're not sure if it is possible.



  • I think I found the solution!
    In the outbound NAT.
    I'll check.
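As an added illustration that is not part of the thread, this is what dotdash's suggestion and the outbound NAT the poster found look like in pf rule syntax, the language pfSense compiles its NAT and filter rules into. All interface names, addresses and the IPsec subnet are placeholders chosen for the example.

```pf
# Constructed example, not taken from the thread. Placeholder values:
#   OPT interface on the "other network": em2, pfSense address 203.0.113.1
#   Target server on that network:        203.0.113.10 (default gateway is NOT pfSense)
#   WAN interface:                         em0, address 198.51.100.2
#   IPsec "Source" subnet:                 10.10.0.0/24, arriving on enc0
opt_if    = "em2"
wan_if    = "em0"
wan_ip    = "198.51.100.2"
target    = "203.0.113.10"
ipsec_net = "10.10.0.0/24"

# 1. Port forward (Firewall > NAT > Port Forward): WAN:443 -> target:443.
#    On its own this is the setup the poster saw "pass" in the logs but never complete.
rdr on $wan_if proto tcp from any to $wan_ip port 443 -> $target port 443

# 2. Outbound NAT on the OPT interface (Firewall > NAT > Outbound, hybrid or manual mode).
#    Because the target's default gateway is another router, its reply to an Internet
#    client leaves through that router and never comes back through pfSense (asymmetric
#    routing). Rewriting the source to pfSense's own OPT address keeps the reply on the
#    local subnet, so it is delivered straight back to pfSense. The same rule serves the
#    IPsec "Source" host, since it matches any source address destined for the target.
nat on $opt_if from any to $target -> ($opt_if)

# 3. Filter rules must still allow the forwarded and VPN traffic
#    (Firewall > Rules, WAN tab and IPsec tab).
pass in quick on $wan_if proto tcp from any to $target port 443
pass in quick on enc0 proto tcp from $ipsec_net to $target port 443

# Caveat: after step 2 the target only ever sees 203.0.113.1 as the client address, so
# its own access logs and any per-client rate limiting or blocking on the target lose
# the real source IP; keep pfSense's firewall logs as the record of who connected.
```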

