Forward traffic from internet through ipsec
-
Hello Guys,
I received a weird task from one of my clients.
They have a pfSense in their office and something else at a remote site, call it X.
The pfsense and X are connected through ipsec in tunnel mode. We are not allowed to use VTI for this because of the remote site.
Ipsec:
Local: 192.168.1.0/24
Remote: 10.10.10.0/24
They have a server behind device X with an IP of 10.10.10.250/24.
The pfSense IP is 192.168.1.1/24.
The server is configured in a way that it only accepts packets from 192.168.1.1 on port 27010 -> we are not able to change this either.
My client wants that if he calls the pfSense public IP on port 27010, the pfSense should route the traffic to this server.
So the traffic needs to look like this:
User -> pfSense public IP:27010 -> change src address to 192.168.1.1 -> IPsec tunnel -> 10.10.10.250:27010
What I tried:
I tried to set up a port forward from WAN address:27010 to 10.10.10.250:27010 and set up an outbound NAT on the WAN interface where the destination is 10.10.10.250 port 27010 and the translation address is set to 192.168.1.1.
With this setup I was able to see in the states menu that the source address is translated to 192.168.1.1 and the destination address is translated to 10.10.10.250, but the interface is still WAN and it doesn't go through the IPsec tunnel.
Is this even solvable without any other VM? If it is, what am I missing?
-
@CrB9987
IPsec isn't really appropriate to handle such a job. But you can try the following.
NAT port forwarding as you already have: WAN:27010 > 10.10.10.250:27010
In IPSec add an additional phase 2:
local: 0.0.0.0/0
BINAT: address > 192.168.1.1
remote: address > 10.10.10.250
Move this p2 up to the top.
Whether this succeeds depends on the remote "something else". Not all implementations accept a second p2 for an overlapping subnet.
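To make the ordering point concrete, here is an added example (not part of the thread and not pfSense or strongSwan code) that models the phase 2 list as an ordered first-match selector list with an optional BINAT translation. The model is a simplification and does not reproduce the real interaction between pf NAT and the kernel SPD; 203.0.113.7 is a constructed internet client address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Phase2:
    """One phase 2 entry: traffic selectors plus an optional source translation."""
    local: str                   # selector matched against the packet's pre-NAT source
    remote: str                  # selector matched against the destination
    binat: Optional[str] = None  # source rewritten to this address before encapsulation

def select_phase2(policies, src, dst):
    """First-match over the ordered phase 2 list (simplified SPD model, an assumption).

    Returns (index, source_seen_by_remote) for the first entry whose selectors cover
    src -> dst, or None when nothing matches and the packet follows normal routing,
    i.e. leaves via WAN instead of entering the tunnel.
    """
    s, d = ip_address(src), ip_address(dst)
    for i, p in enumerate(policies):
        if s in ip_network(p.local) and d in ip_network(p.remote):
            return i, (p.binat or src)
    return None

# Selectors from the thread. 203.0.113.7 is a constructed (TEST-NET-3) internet client.
SITE_TO_SITE = Phase2(local="192.168.1.0/24", remote="10.10.10.0/24")
FORWARD_P2 = Phase2(local="0.0.0.0/0", remote="10.10.10.250/32", binat="192.168.1.1")
INTERNET_CLIENT = "203.0.113.7"
SERVER = "10.10.10.250"

def original_attempt():
    # Only the site-to-site entry exists. In this model its selectors are checked
    # against the untranslated internet source, so nothing matches: WAN, no tunnel.
    return select_phase2([SITE_TO_SITE], INTERNET_CLIENT, SERVER)

def with_forward_p2_on_top():
    # The extra entry covers any source, and BINAT makes the server see 192.168.1.1.
    return select_phase2([FORWARD_P2, SITE_TO_SITE], INTERNET_CLIENT, SERVER)

def lan_host_to_other_remote_host():
    # Ordinary site-to-site traffic to another remote host is untouched by the new p2.
    return select_phase2([FORWARD_P2, SITE_TO_SITE], "192.168.1.50", "10.10.10.5")

def lan_host_to_server():
    # Side effect of the top-placed /0 entry: LAN hosts reaching the server are
    # also translated to 192.168.1.1, which here is what the server requires anyway.
    return select_phase2([FORWARD_P2, SITE_TO_SITE], "192.168.1.50", SERVER)

if __name__ == "__main__":
    print("original attempt:", original_attempt())          # None -> stays on WAN
    print("forward p2 on top:", with_forward_p2_on_top())   # (0, '192.168.1.1')
    print("LAN -> other host:", lan_host_to_other_remote_host())
    print("LAN -> server:", lan_host_to_server())
```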
-
@viragomann
Thanks for the tip. I tried this method on EVE-NG and it was working fine. Unfortunately I don't have access to the other device and they are not cooperative at all, so I have to use only this pfSense for this. I believe that the other device is a virtualized Juniper; I think it can handle multiple ph2 entries, but they are not willing to change their configuration.