Port forward through site-to-site VPN



  • Hi!

    I'm trying to solve a problem on my setup, and kindly ask your help.

    This is the scenario.

    Site 1

    • Internet connection via 4G/LTE provider, with natted connection
    • pfSense firewall
    • 172.20.0.0/25 LAN subnet
    • NAS server (172.20.0.10)

    Site 2

    • Internet connection via fiber provider, with static and public IP address
    • pfSense firewall downstream of the provider's router (172.16.0.2 WAN IP and 172.16.0.1 WAN gateway)
    • 172.30.0.0/25 LAN subnet

    IPsec VPN

    I have an IPsec tunnel between the two sites, always initiated by Site 1 (because of its dynamic and natted IP).
    The tunnel uses vti mode and a static route on both sides.
    172.19.250.1 tunnel IP for Site 1
    172.19.250.2 tunnel IP for Site 2

    With this setup I'm able to access resources on both sites correctly from either site, and also via an OpenVPN connection (I connect from the internet to Site 2, and I'm also able to reach Site 1).

    Now I need to directly access a resource on Site 1 (a port of the NAS) from the internet, using the public IP of Site 2.

    So, I've created a NAT rule on Site 2 to forward the needed port to the private IP of the NAS on Site 1.
    I've also created an Outbound NAT rule to masquerade the public IP of the source from the internet, to prevent Site 1 from replying directly via the internet instead of through the VPN tunnel and Site 2's IP.

    The setup seems to work and the NAS in Site 1 receives the connection (from the right IP), but the response does not leave the firewall on Site 1.

    No blocked connections are listed in the firewall logs, and this is the States view from both sides (Site 1 on the left and Site 2 on the right).

    Screenshot 2020-09-24 at 11.42.03.png

    This is the port forward rule:
    Screenshot 2020-09-30 at 18.30.13.png

    And this is the outbound NAT rule:
    Screenshot 2020-09-30 at 18.30.30.png

    Do you have any suggestions?
    Have I missed something?

    Thanks in advance!

    Edoardo
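To make the reasoning behind the outbound NAT rule concrete, here is an added example (not code from the post or from pfSense) that models the two NAT steps on Site 2 and the routing decision the Site 1 firewall has to make for the NAS reply. The public addresses, the client port and the NAS port are constructed placeholders, and the tunnel /30 is an assumption; the private addresses are the ones from the post.

```python
import ipaddress
from dataclasses import dataclass, replace

# Private addresses come from the post. Public addresses are constructed from
# documentation ranges (RFC 5737); the NAS port is an assumption, the post only
# says "the needed port".
CLIENT_PUBLIC = "203.0.113.5"    # constructed: a client somewhere on the internet
SITE2_PUBLIC = "198.51.100.10"   # constructed: Site 2's static public IP
NAS = "172.20.0.10"
NAS_PORT = 5000                  # assumption
SITE1_VTI = "172.19.250.1"
SITE2_VTI = "172.19.250.2"
SITE1_LAN = ipaddress.ip_network("172.20.0.0/25")
SITE2_LAN = ipaddress.ip_network("172.30.0.0/25")
VTI_NET = ipaddress.ip_network("172.19.250.0/30")  # assumption: tunnel /30


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The packet the NAS sends back: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


# Site 1 routing table as (prefix, exit interface): the static route to the
# Site 2 LAN via the VTI from the post, the tunnel itself, and a default via
# the LTE WAN for everything else.
SITE1_ROUTES = [
    (SITE1_LAN, "lan"),
    (SITE2_LAN, "vti"),
    (VTI_NET, "vti"),
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
]

# Interface on which Site 1 sees the forwarded connection arrive and creates
# its state. A reply leaving a different interface is asymmetric routing.
SITE1_INGRESS = "vti"


def route_lookup(routes, dst):
    """Longest-prefix match over the routing table, as the firewall does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def site2_port_forward(pkt):
    """Site 2 inbound NAT: public IP / NAS port -> NAS private IP."""
    if pkt.dst == SITE2_PUBLIC and pkt.dport == NAS_PORT:
        return replace(pkt, dst=NAS)
    return pkt


def site2_outbound_nat(pkt, masquerade):
    """Site 2 outbound NAT on the tunnel: source becomes the Site 2 VTI IP."""
    if masquerade and ipaddress.ip_address(pkt.dst) in SITE1_LAN:
        return replace(pkt, src=SITE2_VTI)
    return pkt


def trace(masquerade):
    """Return (packet as the NAS sees it, Site 1 reply interface, symmetric?)."""
    inbound = Packet(CLIENT_PUBLIC, 40000, SITE2_PUBLIC, NAS_PORT)  # constructed
    forwarded = site2_outbound_nat(site2_port_forward(inbound), masquerade)
    reply_iface = route_lookup(SITE1_ROUTES, forwarded.reply().dst)
    return forwarded, reply_iface, reply_iface == SITE1_INGRESS


if __name__ == "__main__":
    for masq in (False, True):
        seen, iface, ok = trace(masq)
        print(f"masquerade={masq}: NAS sees src={seen.src}, "
              f"reply exits {iface}, symmetric={ok}")
```

Without the masquerade the NAS would answer the client's public address and Site 1 would route that reply out its LTE WAN, never matching the state created on the tunnel side; with the masquerade the reply is addressed to the Site 2 VTI IP and goes back through the tunnel. The model shows what the two rules are meant to achieve; it does not reproduce the state tracking or reply-to behaviour of the real firewall, which is where the poster's remaining problem lies.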



  • After many, many tries, readings, etc. I've solved it by switching to an OpenVPN site-to-site tunnel 👍

