IPSec DNAT not working
-
@viragomann also TCP:SA packets blocked by same rule.
We have TCP IPv4 allowed in both directions, so why would it be blocked...
-
@Matt_Sharpe
Obviously pfSense has no proper state for the response. Search for it in Diagnostic > States.Is the RDP server on a remote site or is local?
How do we create interface groups?
Interfaces > Interface GroupsI assume, you won't use a group rule for this case?
-
@viragomann The RDP server (the target of the NAT rule) is in the same site as the PFsense we're applying it on.
No, not used for this case. Just curious for future use.
-
@Matt_Sharpe said in IPSec DNAT not working:
The RDP server (the target of the NAT rule) is in the same site as the PFsense we're applying it on.
Then I'm wondering, why a respond packet from the RDP server is shown up as entering IPSec.
So I'm out of ideas, what could be the reason for this blocks.
But you can probably circumvent it with a sloppy state rule (I don't like this):
action: pass
interface: IPSec
source: RDP server
source port RDP
destination: remote network
destination port: any
open the Advanced Options
at State type select SloppyI don't like it, but it should work.
-
@viragomann is that a NAT or FW rule?
-
@Matt_Sharpe
A firewall rule. A NAT rule ever needs a target... -
@viragomann I have created an isolated lab for this. Slightly different ranges.
Source site = 172.16.43.0/24
Target site = 172.16.200.0/24
Isolated network on target side = 172.16.210.0/24IPSEC Interface
FW rules any/any on IPV4.
Also enabled sloppy mode.
No joy.
I was tinkering with Outbound NAT rules for the interfaces to be able to route between each other which led to different results on a picture capture. Not sure if any specific outbound NAT would be required here:
