(IPsec outbound NAT to interface address) Reply traffic destination IP not being translated back to original source IP

kevindd992002

@stephenw10 said in (IPsec outbound NAT to interface address) Reply traffic destination IP not being translated back to original source IP:

Ah, sorry I missed you were using VTI here. You still can't do it by default as you found.

Yeah, I'm not using the traditional policy-based IPsec. I'm using routed VTI. I thought that's what you meant by "route based" IPsec in your earlier reply? Aren't those one and the same?

You can do outbound NAT from the tunnel subnet or from subnet routed over it. You can port forward to IPs a remopte subnet. You can't do it on the tunnel interfaces because the filtering does not parse traffic equally.

Sorry, what do you mean? Yes, I do have a port forward to a remote subnet like so:

When your documentation said that outbound NAT to interface address in the tunnel interface works, what does it mean? I mean, it does work like I showed, it does translate the original source IP to the tunnel interface address, but the problem is the return traffic doesn't get handled properly.

If you only have route based IPSec you could try setting those sysctls. They can be applied via System Tunables ion the GUI. It will break filtering for policy based tunnels though.

Steve

I already did try setting those and it breaks the normal site-to-site routing as I explained here. And yes, that workaround would've been perfect for me because I do not use policy based tunnels so no issues in that. But I can't make it work. With the workaround in place, I can't even do normal pings from any device on either either site to any device on either site.

kevindd992002

Most of the port forward and outbound NAT rules that I have are posted here:

https://forum.netgate.com/post/953857

kevindd992002

@stephenw10 Do you have any more ideas regarding this?

stephenw10

Yes, route-based IPSec is VTI,

No, you can't outbound NAT on a VTI interface because, as you found, the reply traffic will not be translated back.

You should use OpenVPN for this if you need to configure it as you have now.

Steve

kevindd992002

@stephenw10 said in (IPsec outbound NAT to interface address) Reply traffic destination IP not being translated back to original source IP:

Yes, route-based IPSec is VTI,

No, you can't outbound NAT on a VTI interface because, as you found, the reply traffic will not be translated back.

You should use OpenVPN for this if you need to configure it as you have now.

Steve

I actually was using OpenVPN without any issues except for the fact that I upgraded my ISP subscription to 100Mbps and OpenVPN cannot saturate that bandwidth as my APU2C4 does not a powerful single-core performance. This is where IPsec comes in as it does saturate the whole 100Mbps between the two sites.

So my question now is, why do those sysctl workarounds not work for me? They would've been perfect because I'm not using policy-based IPsec.

stephenw10

Unclear. Check the firewall states that are created in each case at each end. Something is still mismatched I would suggest. Or not creating a state at all which should then show as blocked unless you have disabled logging default blocks or added your own block rule without logging.

kevindd992002

@stephenw10 said in (IPsec outbound NAT to interface address) Reply traffic destination IP not being translated back to original source IP:

Unclear. Check the firewall states that are created in each case at each end. Something is still mismatched I would suggest. Or not creating a state at all which should then show as blocked unless you have disabled logging default blocks or added your own block rule without logging.

Ok, I will check the firewall states and report back tomorrow (alreqdy midnight from where I am). I did not disable logging default blockd and did not add any block rule without logging so I should see the logs you're expecting.

But just to be clear though, the sysctl workarounds that I'm referring are the correct workarounds for what I'm trying to solve, yes?

stephenw10

There is no 'correct' workaround here. This might work for you, it appears to have worked for others. It might break at upgrade etc, it's not something we test as NAT on VTI is expected to fail.

By moving the filtering from enc to if_ipsec it should mean traffic is passed outbound on ipsecX and replies are also passed there. No states on enc0.

Using OpenVPN here is the only thing expected to work.

Steve

kevindd992002

@stephenw10 said in (IPsec outbound NAT to interface address) Reply traffic destination IP not being translated back to original source IP:

There is no 'correct' workaround here. This might work for you, it appears to have worked for others. It might break at upgrade etc, it's not something we test as NAT on VTI is expected to fail.

By moving the filtering from enc to if_ipsec it should mean traffic is passed outbound on ipsecX and replies are also passed there. No states on enc0.

Using OpenVPN here is the only thing expected to work.

Steve

Since Wireguard is now available in pfsense 2.5, will it solve my issue with NAT over VPN?

stephenw10

Yes, if you can use WireGuard you can happily route, NAT or whatever across it.

jimp

If you only have VTI IPsec (no tunnel mode P2 entries) you can also try the patch on https://redmine.pfsense.org/issues/11395 and switch the new option over to filter only on VTI interfaces. Then you can use NAT and rules on assigned VTI interfaces.

kevindd992002

@stephenw10 said in (IPsec outbound NAT to interface address) Reply traffic destination IP not being translated back to original source IP:

Yes, if you can use WireGuard you can happily route, NAT or whatever across it.

@jimp said in (IPsec outbound NAT to interface address) Reply traffic destination IP not being translated back to original source IP:

If you only have VTI IPsec (no tunnel mode P2 entries) you can also try the patch on https://redmine.pfsense.org/issues/11395 and switch the new option over to filter only on VTI interfaces. Then you can use NAT and rules on assigned VTI interfaces.

This is great! WireGuard as a solution and a patch with IPsec!

Is WireGuard a lot better than IPsec though? Is it recommended to switch over if I'll just need to use it for a single S2S connection?

stephenw10

Wireguard is perhaps slightly more flexible that IPSec if both sides support it. That's big if!
IPSec is pretty much universally supported.
You probably won't see much difference in speed. IPSec can be at least as fast.

I would probably use Wireguard here because to use IPSec you will need to use that patch and doing so will prevent you using other IPSec tunnel mode connections. If you know you will never need to do that then either should be OK.

Steve

kevindd992002

@stephenw10 said in (IPsec outbound NAT to interface address) Reply traffic destination IP not being translated back to original source IP:

Wireguard is perhaps slightly more flexible that IPSec if both sides support it. That's big if!
IPSec is pretty much universally supported.
You probably won't see much difference in speed. IPSec can be at least as fast.

I would probably use Wireguard here because to use IPSec you will need to use that patch and doing so will prevent you using other IPSec tunnel mode connections. If you know you will never need to do that then either should be OK.

Steve

I agree. Ok, time to try WireGuard. This is the first tutorial that's been published by a Youtuber since the release of 2.5. He admits that he is not a WireGuard expert and is open to corrections of his mistakes (if there are any).

Youtube Video

I hope you guys can have an official documentation about WireGuard very soon.

stephenw10

Yeah, that looks good. I see nothing obviously wrong with that walk-through.

Steve

kevindd992002

@stephenw10 said in (IPsec outbound NAT to interface address) Reply traffic destination IP not being translated back to original source IP:

Yeah, that looks good. I see nothing obviously wrong with that walk-through.

Steve

Great! I have a few concerns though:

1. In the Peer setup, shouldn't the "Peer WireGuard Address" be just a single IP (tunnel interface of the far side peer), instead of the IP in CIDR notation that he did on the video?

2. When he created the WAN rule for 51820, he noted that he made a mistake about putting 52180 but it still works. Any idea why? Also, why is this WAN rule not automatically defined (but hidden) just like in IPSec? I know in OpenVPN, the explicit WAN rule is also required.

3. In my use case where I have one side with a static public IP (Main Site) and another side that is behind a CGNAT (so a private IP is assigned on my WAN interace; Remote Site), would it make sense to keep the "Endpoint Address" BLANK on the Main Site peer settings so that it will accept any remote IP AND will not initiate the connection?

stephenw10

The peer IP address is not actually required for WireGuard it routes internally using the allowed IPs vs the peer public keys.
Adding that there adds routes in pfSense automatically. It's a single IP address inside that subnet, I would not expect that to make any difference.

You only actually need a firewall rule on one end to establish the tunnel. The reply traffic then uses that state so traffic goes both ways. It's better to have the rule correct at both ends though so the tunnels can establish from either end.
There are no hidden auto-rules like there are for IPSec. It's like OpenVPN in that regard. It would be better (IMO!) to have IPSec like that too but it would be a POLA violation to change that now.

Yes, with one end behind NAT you can only establish outbound from there and the public IP address may change so I would leave it blank on the opposite end.

Steve

kevindd992002

@stephenw10

Ok, so are you saying that if I put the far end tunnel interface address in the Peer IP Address field but not in the Allowed IP's list (like how it was done it that video), it won't add a route for that tunnel interface address? If so, what is the use the case of the Peer IP Address field if it won't be used anyway?

stephenw10

If you add the peer IP address pfSense will add it as a gateway and you can use it for policy routing or static routes etc. You can do that manually but the scripts try to make it easier. More like OpenVPN behaves.

Steve

kevindd992002

Ok, that makes sense. Then I would need that for my use case because I definitely will use the tunnel interface as gateways for routing.

Is it mandatory to put the the tunnel interface address in the allowed IP's though?