Port forward through site-to-site VPN
I'm trying to solve a problem on my setup, and kindly ask your help.
This is the scenario.
- Internet connection via 4G/LTE provider, with natted connection
- pfSense firewall
- 172.20.0.0/25 LAN subnet
- NAS server (172.20.0.10)
- Internet connection via fiber provider, with static and public IP address
- pfSense firewall downstream to providers router (172.16.0.2 WAN IP and 172.16.0.1 WAN gateway)
- 172.30.0.0/25 LAN subnet
I've an IPsec tunnel between the two sites, initiated always by Site 1 (because of the dynamic and natted IP).
The tunnel uses vti mode and a static route on both sides.
172.19.250.1 tunnel IP for Site 1
172.19.250.2 tunnel IP for Site 2
With this setup I'm able access correctly resources on both sites from either sites, and also via OpenVPN connection (I connect from internet to Site 2, and I'm able to reach also Site 1).
Now I need to access directly a resource on Site 1 (a port of the NAS) from the internet, using the public IP of Site 2.
So, I've created a NAT rule on Site 2 to forward the needed port to the private IP of the NAS on Site 1.
I've also created an Outbound NAT to masquerade the public IP of the source from the internet, to prevent that Site 1 replies directly via internet, instead from the VPN tunnel and Site 2 IP.
The setup seems to work and the NAS in Site 1 receives the connection (from the right IP), but the response did not leave the firewall on Site 1.
No blocked connection are listed in the firewall logs, and this is the States view from both sides (Site 1 on left and Site 2 on right).
This is the port forward rule:
And this is the outbound NAT rule:
Do you have any suggestions?
I've missed something?
Thanks in advance!
After many many tries, readings, etc....I've solved by switching to an OpenVPN Site-to-site tunnel
I have the same issue on my setup but in my case Site 2 does receive the return traffic, it just doesn't translate the destination IP of the return traffic back to the original source IP (the public IP) so the return traffic stops at the Site 2 IPsec interface. I switched from OpenVPN to IPsec because I needed the speed bump so OpenVPN is not a solution for me. Any workarounds to this?
@kevindd992002 I've switched to OpenVPN because it seems to be no solution other than routing all the traffic through the VPN tunnel :(