Netgate Discussion Forum
NAT for IPsec Host

15 Posts 2 Posters 867 Views
  jacksongrow (Apr 19, 2023, 7:38 PM)

    Below is the diagram of what we're trying to achieve.

    A 3rd party vendor has a database we need to access, but the only way to connect to it is through an IPsec connection. This works fine for our clients on the VPN and the NAT/BINAT Translation works fine with the Mobile IPsec setup, but I'm struggling to understand how we can port forward 1433 to our vendor's database. We need this so our database (which is in Azure) can query the vendor's database, without having any IPsec connection to the vendor.

    I tried a couple of NAT rules, but it doesn't seem to work properly. Using pftop, the traffic is not getting routed through the IPsec tunnel.

    [attached image: network diagram]

    viragomann @jacksongrow (Apr 19, 2023, 8:32 PM)

      @jacksongrow
      A bit too few details provided.

      Is your pfSense on Azure as well?
      How are they connected? Which subnet, IPs?

      "Local" and "remote" settings are related to the endpoint. So which site is that?

      On your app server there is a client that needs to connect to the remote database, if I got you correctly?

      jacksongrow @viragomann (Apr 19, 2023, 8:50 PM)

        @viragomann

        Yes, the pfSense is in Azure.

        pfSense is using the subnet 10.11.16.0/24.

        The local and remote are what's configured in the PH2 of the IPsec tunnel. I should've clarified that.

        The app service itself needs a connection to the remote database. We want to move away from using the Hybrid Connection Manager and connect "straight" to the vendor's database by port forwarding the SQL service to the host on the vendor's side. I put straight in quotes, because we'd actually be connecting to pfSense and the traffic would be NATed.

        Let me know if you have any other questions, and thank you for the reply!

        viragomann @jacksongrow (Apr 19, 2023, 9:09 PM)

          @jacksongrow said in NAT for IPsec Host:

          The local and remote is what's configured on the PH2 side of the IPsec tunnel. I should've clarified that

          This makes it more unclear to me. That's not how BINAT works, as far as I know.
          When configuring BINAT, you have to state a local network, a "NAT/BINAT translation" and a remote network. The NAT/BINAT translation has to be an address, which is routed to you from the remote site. Hence it cannot be part of the remote network at all.

          Which networks are routed to your site?

          jacksongrow @viragomann (Apr 20, 2023, 4:21 PM)

            @viragomann I must not be communicating it correctly. See my configuration below. We need BINAT translation because traffic on the other end needs to come from 172.16.0.3.

            [attached image: screenshot of the phase 2 / NAT/BINAT configuration]

            viragomann @jacksongrow (Apr 20, 2023, 4:50 PM)

              @jacksongrow
              So you have a wide /16 local network defined in the P2. I assume that this also includes the IP of your app server. So I'd expect this to work anyway from the IPSec settings.

              I suspect that there is another reason for the issue.
              Is the access to the remote site allowed by a firewall rule in pfSense?
              Or more probably, is it allowed in Azure NSG (outbound) for the app server?

              jacksongrow @viragomann (Apr 20, 2023, 5:38 PM)

                @viragomann No, the app server is not connected to the LAN of our pfSense in any way. It is not a part of the 10.11.0.0/16 subnet. It is purely an external machine that we want to trust.

                Basically, I want to open our vendor's database to the public using our pfsense server, but only allow trusted IPs to connect to port 1433.

                viragomann @jacksongrow (Apr 20, 2023, 5:49 PM)

                  @jacksongrow
                  It's pretty hard to follow your explanations:

                  We need this so our database (which is in Azure) can query the vendor's database

                  the pfsense is in Azure

                  The app service itself needs connection to the remote database.

                  No, the app server is not connected to the LAN of our pfsense in any way

                  Now what / where is the "app server"?
                  What's its IP and network?

                  jacksongrow @viragomann (Apr 20, 2023, 10:01 PM)

                    @viragomann I already mentioned our app server is not connected to pfSense's LAN. The app server has a public IP.

                    All I want to do is port forward 1433 to a host behind the IPsec tunnel. The app server isn't relevant to the conversation. It is simply an external host.

                    viragomann @jacksongrow (Apr 21, 2023, 10:23 AM)

                      @jacksongrow
                      So is this SQL connection encrypted? It's not recommended at all to route unencrypted SQL connections over the internet.

                      I would rather run an IPsec client on the app server, connecting to the same server as the road warriors, and go through the tunnel.
                      This would secure the SQL connection and also solve your access problem.

                      jacksongrow @viragomann (Apr 21, 2023, 3:31 PM)

                        @viragomann This is actually something I didn't consider, and it appears the traffic is unencrypted. The app server is not a server but an App Service in Azure, so there's no way to set up an IPsec client, unfortunately. However, I think we might be stuck with VNet integration, but I'm not understanding how that works.

                        I guess that closes this issue, though!

                        viragomann @jacksongrow (Apr 21, 2023, 4:14 PM)

                          @jacksongrow said in NAT for IPsec Host:

                          The app server is not a server, but an App Service in Azure

                          So you could route the connection inside Azure, however, and would not need to pass it over the internet.

                          I think we might be stuck with VNet integration

                          I'm not experienced with Azure services, but multiple VNets can be peered to route traffic from one to another inside Azure. I assume that there might be a similar function for services.

                          Then you could add an additional phase 2 for the app service.

                          jacksongrow @viragomann (Apr 24, 2023, 3:14 PM)

                            @viragomann I got the VNet integration working and the App Service can communicate with pfSense. Now I want to port forward 1433 so the App Service can connect to the SQL server, but I'm still stuck with the same issue. My NAT rules don't seem to be effective.

                            viragomann @jacksongrow (Apr 24, 2023, 4:07 PM)

                              @jacksongrow
                              So you can already see the packets from the App Service arriving on pfSense on port 1433?

                              If so, simply forward them on the interface where the connection is coming in.

                              In the IPsec S2S settings, copy the existing phase 2, change the "Local Network" to Address and state the IP of the app server, and change the BINAT address to the designated one.

                              jacksongrow @viragomann (Apr 25, 2023, 12:40 PM)

                                @viragomann Thank you for the guidance. I couldn't add a phase 2 because the other end wouldn't connect, but I was able to configure the local as 10.0.0.0/8 and that covers everything we need.

                                The port forward ended up working for 1433 and it went through!

                                Thank you for your help!
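The thread's resolution in one model, added here as an example (it is not code from the thread, from pfSense or from Netgate): a port forward whose target sits behind an IPsec tunnel only works when the packet's source, as it leaves pfSense, is covered by a phase 2 "Local Network" and its destination by the matching "Remote Network"; otherwise it never enters the tunnel, however the NAT rules read. The code also applies the NAT/BINAT translation the way the GUI distinguishes it (a single "Address" maps every local host to that one IP; a "Network" is a 1:1 mapping that keeps the host bits) and refuses a translation address inside the remote network, which is the constraint viragomann states above. 10.11.16.0/24, 10.0.0.0/8 and 172.16.0.3 are from the thread; 10.0.1.5 (the App Service's VNet-integrated address), 192.168.50.0/24 (vendor network) and 192.168.50.10 (SQL host) are constructed for the example.

```python
"""Model of the phase 2 selector match and NAT/BINAT rewrite on pfSense.

Added example, not code from the forum thread, pfSense or Netgate.
Addresses from the thread: 10.11.16.0/24 (pfSense LAN), 10.0.0.0/8 (the
widened local network), 172.16.0.3 (the BINAT address). Constructed for the
example: 10.0.1.5 (App Service after VNet integration), 192.168.50.0/24
(vendor network), 192.168.50.10 (vendor SQL host).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Phase2:
    """One phase 2 entry as the pfSense GUI shows it: Local Network, Remote
    Network and the optional NAT/BINAT translation. A /32 translation is the
    'Address' type (every local host appears as that one IP); any other prefix
    is the 'Network' type (1:1 BINAT with the same prefix length as local)."""
    local: IPv4Network
    remote: IPv4Network
    binat: Optional[IPv4Network] = None

    def __post_init__(self) -> None:
        if self.binat is None:
            return
        # The translated address is what the remote side routes back to us,
        # so it can never lie inside the remote network.
        if self.binat.overlaps(self.remote):
            raise ValueError(f"BINAT {self.binat} overlaps remote network {self.remote}")
        if self.binat.prefixlen != 32 and self.binat.prefixlen != self.local.prefixlen:
            raise ValueError("network BINAT needs the same prefix length as the local network")


def p2(local: str, remote: str, binat: Optional[str] = None) -> Phase2:
    """Build a Phase2 from CIDR / address strings."""
    return Phase2(ip_network(local), ip_network(remote),
                  ip_network(binat) if binat else None)


def select_phase2(src: IPv4Address, dst: IPv4Address,
                  entries: list[Phase2]) -> Optional[Phase2]:
    """First phase 2 whose Local/Remote networks cover (src, dst), or None.
    A packet that matches no entry is never sent down the tunnel, whatever the
    port-forward rule says; that is the symptom the thread saw in pftop."""
    for entry in entries:
        if src in entry.local and dst in entry.remote:
            return entry
    return None


def translate_source(src: IPv4Address, entry: Phase2) -> IPv4Address:
    """Source address after the entry's NAT/BINAT translation."""
    if entry.binat is None:
        return src
    if entry.binat.prefixlen == 32:
        return entry.binat.network_address                 # 'Address': many-to-one
    offset = int(src) - int(entry.local.network_address)   # keep the host bits
    return IPv4Address(int(entry.binat.network_address) + offset)   # 1:1 'Network'


def forward_through_tunnel(src: str, dst: str, entries: list[Phase2]) -> Optional[str]:
    """Source the vendor sees for a forwarded packet, or None when no phase 2
    matches and the packet never enters the tunnel."""
    s, d = ip_address(src), ip_address(dst)
    entry = select_phase2(s, d, entries)
    return None if entry is None else str(translate_source(s, entry))


VENDOR_NET = "192.168.50.0/24"   # constructed
SQL_HOST = "192.168.50.10"       # constructed
APP_SERVICE = "10.0.1.5"         # constructed: App Service's VNet-integrated address

# Original phase 2: local = pfSense LAN only, all local hosts NATed to 172.16.0.3
ORIGINAL = [p2("10.11.16.0/24", VENDOR_NET, "172.16.0.3/32")]
# The fix from the thread: widen Local Network so the App Service's source is covered
WIDENED = [p2("10.0.0.0/8", VENDOR_NET, "172.16.0.3/32")]
# 'Network' type translation, for contrast: 10.11.16.x becomes 172.16.0.x
ONE_TO_ONE = [p2("10.11.16.0/24", VENDOR_NET, "172.16.0.0/24")]


def demo() -> dict:
    return {
        "lan_host_original": forward_through_tunnel("10.11.16.20", SQL_HOST, ORIGINAL),
        "app_service_original": forward_through_tunnel(APP_SERVICE, SQL_HOST, ORIGINAL),
        "app_service_widened": forward_through_tunnel(APP_SERVICE, SQL_HOST, WIDENED),
        "lan_host_one_to_one": forward_through_tunnel("10.11.16.7", SQL_HOST, ONE_TO_ONE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

On the firewall itself the same two questions are answered by `pfctl -sn` (does a binat/rdr rule match the App Service's source?) and `setkey -DP` (does an SPD entry cover the translated source and the vendor destination?); if either is missing, the forward cannot reach the tunnel.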

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.