Public IP pass thru to vpn client
-
Is it possible to have VPN server forward public IP to vpn clients to one device and all traffic goes thru without NAT?
-
@cougarmaster
This requires special functions on the client. So it depends on the client.
If it's a pfSense and it is the default gateway in its LAN, it would be doable by obeying some requirements.
-
@viragomann Possible to direct me to how it is possible to do or read up on?
-
@cougarmaster
Say the server site is A, the client is B.
At site A you set up a port forwarding as usual.

Site B:
It doesn't work with pfSense CE 2.5.1. If you're still on this version, upgrade before you go on.
Remove all firewall rules from the OpenVPN tab. If you need them for other purposes, come back to find another solution.
Assign an interface to the OpenVPN instance (Interfaces > Assignments) if you haven't done this already.
At available network port select the OpenVPN instance, e.g. ovpnc1, click Add, open the interface settings, enable it and set a proper name.
Now you have a new pass rule tab for the VPN. Add a rule to it which allows the incoming traffic from the remote site (source = any).
Ensure that there is also no floating rule applied to the forwarded traffic from the remote site.
Should work then.
-
@viragomann So this will allow the client to use the server A public IP as its own?
-
@cougarmaster
I would say, you can access a device at the client site by using the server's public IP with this.
-
@viragomann Understood and thanks for helping. So basically the device won't be able to register the Server A public IP as its own correct?
-
@cougarmaster
Do you mean for outgoing connections?
If you want this you have to policy route the outbound traffic from the device at B to the server site.
Additionally at A you have to add an outbound NAT rule to WAN for the device's IP. Also remember to switch to hybrid mode.
-
@viragomann Simply put it's like having 1:1 ip mapping locally but now want Public IP from remote site mapped to device.
-
@cougarmaster
No, policy routing is done with firewall rules.
At the client site add an alias of type network, call it RFC1918 and add all RFC1918 networks to it (search at Wikipedia if you're unsure about the networks).
Then add a firewall pass rule to the LAN interface where your device is connected:
source: device IP
destination: check invert, select single IP or alias and enter RFC1918.
Open the advanced options and at the gateway drop-down select the VPN gateway.
Edit: You have to move this rule to the top of the rule set, to ensure that it is applied.
Don't forget the outbound NAT rule at the server.
-
@viragomann Ok thanks for the help I will try it out. Really appreciate all this info.
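As an added illustration (not from the thread and not pfSense code), a small Python model of the LAN rule set described above: the inverted RFC1918 destination match, the VPN gateway attached to the rule, and why the rule must sit above the default LAN pass rule. The device IP, the gateway name VPN_GW and the sample addresses are assumptions.

```python
import ipaddress

# Constructed alias mirroring the thread's "RFC1918" alias (not read from a real pfSense config).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_alias(addr, alias):
    """True if addr falls inside any network of the alias."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in alias)


def make_lan_rules(device_ip, policy_rule_on_top=True):
    """Model of the LAN rule set: the policy-route rule from the thread plus a
    typical 'LAN net to any' default-allow rule. The order is the point."""
    policy = {"name": "device to non-RFC1918 via VPN", "source": device_ip,
              "dest_alias": RFC1918, "invert": True, "gateway": "VPN_GW"}
    default = {"name": "default allow LAN net to any", "source": "any",
               "dest_alias": None, "invert": False, "gateway": None}
    return [policy, default] if policy_rule_on_top else [default, policy]


def select_gateway(rules, src, dst):
    """First matching pass rule wins (pfSense interface rules are 'quick').
    Returns the gateway name, 'default' for the system routing table, or
    None when no rule matches (implicit default deny)."""
    for rule in rules:
        if rule["source"] != "any" and rule["source"] != src:
            continue
        if rule["dest_alias"] is not None:
            hit = in_alias(dst, rule["dest_alias"])
            # With 'invert' checked the rule matches only when dst is NOT in the alias.
            if hit == rule["invert"]:
                continue
        return rule["gateway"] or "default"
    return None


if __name__ == "__main__":
    device, other = "192.168.1.50", "192.168.1.60"   # assumed LAN hosts
    top = make_lan_rules(device)
    print(select_gateway(top, device, "203.0.113.10"))   # VPN_GW: Internet-bound traffic goes to site A
    print(select_gateway(top, device, "192.168.1.1"))    # default: RFC1918 destinations stay local
    print(select_gateway(top, other, "203.0.113.10"))    # default: other hosts are unaffected
    bottom = make_lan_rules(device, policy_rule_on_top=False)
    print(select_gateway(bottom, device, "203.0.113.10"))  # default: the default rule matches first
```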