NAT: port forward over Routed IPSEC (VTI)
-
Hello
In location A we have a pfSense with a Virtual IP (alias) and a routed VTI to location B (pfSense too). In location B we have a subnet (VLANed) with a server running some services.
We want two things. First, that we can port forward (not 1:1) to the server in location B (to some service).
Second, that the server in location B uses the virtual IP alias in location A as its default outbound route (this is already working through this VTI; I only mention it for completeness). Yes, I tried the port forward, and it isn't working.
I've checked the IP alias by setting up a port forward to a server in location A, and that works, so the alias is working. I don't know where to dig.
Many thanks
Eustachy -
Unfortunately that can't work over IPsec VTI because that behavior requires reply-to to direct replies back to their source. That doesn't work with IPsec VTI interfaces in FreeBSD yet. -
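The reply-to mechanism jimp refers to, shown as an added illustration (not configuration from the original thread or from pfSense itself) in the shape of the pf rules pfSense generates for a port forward. Interface names, addresses and ports are assumptions chosen for this example: em0 is the WAN of firewall A with 203.0.113.10 as the Virtual IP alias and 203.0.113.1 as its gateway, ovpnc1 is an assigned OpenVPN site-to-site interface on firewall B with 10.99.0.1 as the far end, and 10.20.0.50 is the server in location B.

```pf
# Firewall A: port forward on the WAN. The NAT rule rewrites the destination
# of traffic hitting the Virtual IP alias to the server in location B.
rdr on em0 inet proto tcp from any to 203.0.113.10 port 8443 -> 10.20.0.50 port 443

# Firewall A: the associated pass rule on the WAN interface tab. pfSense adds
# reply-to so the state remembers the interface and gateway the packet came
# in on; reply packets for that state are sent back out em0 via 203.0.113.1
# instead of following the routing table.
pass in quick on em0 reply-to ( em0 203.0.113.1 ) inet proto tcp from any to 10.20.0.50 port 443 flags S/SA keep state

# Firewall B: the forwarded packet arrives over the tunnel. With the OpenVPN
# instance assigned as an interface, a rule placed on that interface's own tab
# carries reply-to for the tunnel, so the server's answer is pushed back into
# the same tunnel it arrived from.
pass in quick on ovpnc1 reply-to ( ovpnc1 10.99.0.1 ) inet proto tcp from any to 10.20.0.50 port 443 flags S/SA keep state

# Rules on the "OpenVPN" group tab are evaluated before interface-tab rules and
# have no reply-to. If such a rule matches first, the state is created without
# it and replies follow the routing table instead, which is what the later
# advice in this thread about keeping rules only on the assigned interface tab
# avoids. The same reply-to keyword on an ipsecN VTI interface is what, per the
# reply above, FreeBSD does not honor yet.
```

The rule text is illustrative of the keyword, not a verbatim dump of pfSense's generated ruleset; on a real system compare against /tmp/rules.debug to see the exact rules the GUI produced.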
Thanks very much for the reply.
Is there any other configuration of IPsec (or anything else supported by pfSense) to accomplish this? -
It works fine in OpenVPN with the interfaces assigned (search around for more info there).
It can work with tunnel mode IPsec if, and only if, you send all traffic over IPsec from the port forward target side (meaning its remote IPsec P2 subnet is 0.0.0.0/0) which isn't necessarily desirable or convenient... -
I cannot send all traffic (I have multiple IPsec tunnels for clients).
I will play around with OpenVPN -
@jimp said in NAT: port forward over Routed IPSEC (VTI):
It works fine in OpenVPN with the interfaces assigned (search around for more info there).
Ok, I have set up OpenVPN in a site-to-site config.
In location A I've set up an OpenVPN server with an interface assignment for this tunnel. In the firewall rule (for this port forward NAT rule) I've set the gateway to the OpenVPN gateway.
Location B is set up as the OpenVPN client.
The tunnel works, but with the same problem: I cannot port forward to the server behind the tunnel. -
Make sure you only have firewall rules on the assigned OpenVPN interface tab -- not on the actual "OpenVPN" tab, or at least adjust the rules on that group tab so they can't match.
-
@jimp said in NAT: port forward over Routed IPSEC (VTI):
Make sure you only have firewall rules on the assigned OpenVPN interface tab -- not on the actual "OpenVPN" tab, or at least adjust the rules on that group tab so they can't match.
It was obvious, but I hadn't set it up. :)
I double-checked all firewall settings, and you are right! Now it works.
Many, many, maaaaannnnnyyy thanks :)
PS> I will disable all of this config and try the same setup with routed VTI and this guide:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html -
@eustachy said in NAT: port forward over Routed IPSEC (VTI):
PS> I will disable all of this config and try the same setup with routed VTI and this guide:
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html
Hi!
I'm facing a similar problem on my setup (described here: https://forum.netgate.com/topic/157265/port-forward-through-site-to-site-vpn ). I would like to know whether you finally succeeded in passing a port forward over IPsec routed VTI and, if so, whether you could share your configuration.
Thanks in advance,
Edoardo