pfSense behind ISP NAT
-
Hi,
I've started using pfSense only recently, and I had to install it for a customer whose factory network had no public IPv4 address (the network was behind the ISP NAT). On the pfSense I've configured a VPN that I access from OpenVPN Client. Using such client, I can successfully establish a VPN connection from the same network by specifying the pfSense WAN address.
If instead I try to connect from remote, specifying as IP address the one given by whatsmypublicipaddress or similar, I'm not able to establish the VPN connection (timeout).
Once the customer factory network was assigned a static public IP address from the ISP, I was able to establish the VPN again.
Now, since I could bump into customers with no possibility of having a public IP address, is there a way of establishing a VPN in such circumstances? Do I need an external server as a relay? Could you please point me in the right direction?
-
@amartinelli
Without a public IP you can only make outbound connections.
For running any sort of server and establishing a connection to it from the internet you need a public IP. So if you need access to the customer's network for maintenance you can run a VPN client at the customer's firewall making a connection to your VPN server, which must have a public IP.
-
@viragomann thank you very much for your answer.
So if you need access to the customer's network for maintenance you can run a VPN client at the customer's firewall making a connection to your VPN server, which must have a public IP.
Yes, that's what I need. Do you know of some doc I could use to study how to implement this firewall-initiated way to establish a VPN? (for firewall I suppose you mean the device running pfSense, right?)
I've found this post, but it only addresses how to connect the pfSense to a commercial VPN provider, and I don't know what to do next to reach the setup I need. Basically, I'm trying to do what other firewall services already do: Secomea, e.g., provides a device that connects automatically from the customer factory to the Secomea cloud server. Once this step is done, our technician can connect to the Secomea server and, by means of it, establish a VPN towards the Secomea located in the customer factory. This way we can connect to the Secomea even if it is behind an ISP NAT.
-
@amartinelli
Yes, best practice for a VPN with the purpose of maintaining a remote network is to establish a site-to-site VPN on pfSense. This gives you access to pfSense itself and to devices behind it as well. In your Secomea example the device connects to their server, which acts as a relay then.
You can do the same with your own VPN server. But this requires that your server has a public IP naturally. The setup of a site-to-site OpenVPN is well described in the pfSense docs: OpenVPN Site-to-Site Configuration Example with SSL/TLS.
Or you can also setup a Wireguard with pre-shared keys: WireGuard.
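As an added illustration of the WireGuard variant described in this thread (not configuration posted by anyone in the thread), below is a constructed pair of peer configurations in wg-quick format. The assumptions are that your maintenance server has the public IP 203.0.113.10, the tunnel uses 10.10.0.0/24, the factory LAN behind the customer's pfSense is 192.168.50.0/24, and all keys are placeholders to be generated with wg genkey / wg genpsk.

```ini
# ---------- Your side: server with a public IP (203.0.113.10, assumed) ----------
[Interface]
Address    = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>          # placeholder, generate with: wg genkey

[Peer]
# The customer's pfSense sits behind ISP NAT, so it has no reachable address:
# deliberately NO Endpoint here. WireGuard learns the NAT'd source address
# from the first handshake the customer side initiates.
PublicKey    = <CUSTOMER_PUBLIC_KEY>      # placeholder
PresharedKey = <SHARED_PSK>               # placeholder, generate with: wg genpsk
# Tunnel address of the customer firewall plus the factory LAN behind it,
# so traffic for 192.168.50.0/24 is routed into this tunnel.
AllowedIPs   = 10.10.0.2/32, 192.168.50.0/24

# ---------- Customer side: pfSense behind ISP NAT ----------
[Interface]
Address    = 10.10.0.2/24
# No ListenPort needed: this side only ever initiates outbound.
PrivateKey = <CUSTOMER_PRIVATE_KEY>       # placeholder

[Peer]
PublicKey    = <SERVER_PUBLIC_KEY>        # placeholder
PresharedKey = <SHARED_PSK>               # same PSK as above
# The one fixed, publicly reachable address in the whole setup.
Endpoint     = 203.0.113.10:51820
AllowedIPs   = 10.10.0.0/24
# Keep the ISP's NAT mapping alive so the server can still reach this peer
# when no maintenance traffic is flowing; 25 s is the value the WireGuard
# project recommends for peers behind NAT.
PersistentKeepalive = 25
```

On pfSense the same values go into the WireGuard package's tunnel and peer screens rather than a file, and you still need firewall rules on the WireGuard interface to allow the maintenance traffic you want. The PersistentKeepalive on the NAT'd side is what makes the tunnel reachable from your server at any time, not just right after the customer side has sent something.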