NAT through VPN?



  • Hi,

    I tried earlier to use an IP on the other side of a VPN tunnel as target for a NAT mapping, think it was a web server. Should this work? I couldn't get it to work despite being able to ping back and forth through the tunnel.

The scenario being that the target machine is placed elsewhere and there being a VPN tunnel set up between two pfS boxes, so every request for the web server should go over the VPN.

    TIA,



  • Is the traffic for this webserver always going over the VPN?
    As in, is the other side of the tunnel the default gateway for the server?
Otherwise I see the problem that the traffic from the NAT mapping gets to the server, but takes a different way back to the internet.

    To get around this you would have to enable "source NAT" (AoN NAT-rule for traffic to the server), so that inbound traffic appears as if from the pfSense.
    –> The answer to the request to the server takes the correct way out to the internet.

IMO this should be possible, but I never tried.



  • @GruensFroeschli:

    Is the traffic for this webserver always going over the VPN?

    Yes that is the idea.

    As in, is the other side of the tunnel the default gateway for the server?
Otherwise I see the problem that the traffic from the NAT mapping gets to the server, but takes a different way back to the internet.

    To get around this you would have to enable "source NAT" (AoN NAT-rule for traffic to the server), so that inbound traffic appears as if from the pfSense.
    –> The answer to the request to the server takes the correct way out to the internet.

IMO this should be possible, but I never tried.

True, cannot remember if I thought of that. I'll try to remember to double-check that when trying this again. But I should be able to simply use the local pfS IP then on the other side of the VPN; it must be an IP/machine that does routing, I mean.

    Thanks,



  • @0tt0:

    @GruensFroeschli:

    Is the traffic for this webserver always going over the VPN?

    Yes that is the idea.

    So you essentially have as default gateway the VPN itself.
In this case all traffic should always come back to the pfSense and thus shouldn't need source NAT.
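The two rules the thread talks about, written out as a pf ruleset so the two cases can be compared side by side: the port forward (rdr) that sends inbound web requests to the server on the far side of the tunnel, and the source NAT rule that is only needed when the server's default gateway is not the tunnel. This is an added illustration, not configuration from the thread or anything pfSense itself generates; the interface names, addresses, tunnel subnet and the use of the IPsec interface as the NAT-out interface are all assumptions.

```pf
# Constructed example. Assumed layout:
#   em0        = WAN of the local pfSense (where the port forward is hit)
#   em1        = LAN of the local pfSense, 192.168.1.1/24
#   enc0       = IPsec tunnel interface
#   10.20.0.0/24 = remote LAN behind the other pfSense, reachable only through the tunnel
#   10.20.0.10   = the web server on the far side
ext_if  = "em0"
lan_if  = "em1"
vpn_if  = "enc0"
lan_ip  = "192.168.1.1"
web_srv = "10.20.0.10"

# Port forward ("NAT mapping" in the thread): inbound HTTP on the WAN address is
# redirected to the remote web server. The packet then leaves through the tunnel
# with its ORIGINAL public source address still intact.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Case 1: the tunnel is the server's default gateway (0tt0's setup).
# Replies to the public source address route back through the tunnel to this
# pfSense, the state created by the rdr rule matches, and nothing more is needed.

# Case 2: the server has a different default gateway (e.g. its own internet link).
# Replies to the public address would leave via that gateway, never reach this
# pfSense, and the connection hangs. The fix from the thread is a source NAT
# ("AoN"/Outbound NAT) rule on the tunnel side so the server sees the request as
# coming from this pfSense's LAN address and answers back through the tunnel.
# Assumption: the translation address must lie inside the subnet this tunnel
# carries (the local phase-2 network), otherwise the reply is not sent into the VPN.
nat on $vpn_if proto tcp from any to $web_srv port 80 -> $lan_ip

# Firewall side: the forwarded traffic must also be allowed out through the tunnel.
pass in quick on $ext_if proto tcp from any to $web_srv port 80 keep state
```

A quick way to tell which case applies before adding the source NAT rule is the question asked in the thread: from the web server, check whether the route to an internet address goes via the tunnel (traceroute or `ip route get` on the server). If it does not, the source NAT rule is required; if it does, adding source NAT costs the real client address in the web server's logs for no benefit.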

