Need outbound NAT help
-
I have my own pfSense box and access to a buddy's pfSense box in another state. Both are running 2.7.2 CE. I have a network on a router interface named VPNNET configured as 192.168.3.0/28. I followed the instructions at this location to establish a working IPSec tunnel:
https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-psk.html
The tunnel works properly since it shows the same status as in the directions; plus, if I ping the remote WAN address from a box on my 192.168.3.0 network, it works, but pinging from a box on my 192.168.1.1 (LAN) network does not work. This tells me that traffic from 192.168.3.0 is going through the tunnel properly. All good there. The problem is when I try to follow these instructions:
https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-s2s-route-internet-traffic.html
I set the remote and local networks to 0.0.0.0 as it specifies, and created an outbound rule. This is not working. I do not see "Interface Address" as a translation address option, only "Network or Alias", "WAN Address" and "LAN Address" as options. Can someone give me a step-by-step process to create a working rule to get my 192.168.3.0/28 traffic out my buddy's WAN interface?
-
@Shack After some more testing I notice that I can ping the remote WAN address over the tunnel, and can access its web config as well. I cannot access the 192.168.1.0 network on the other end by any means. That includes the router's WAN address, 192.168.1.1, and any host that I see in the list of DHCP leases. I set up rules to pass traffic from 192.168.3.0 to both the WAN and LAN on those interfaces, but they seem to have no effect, showing 0 states/0 traffic.
-
@Shack Try setting it to "WAN Address". This will replace the original source address with the WAN interface address before it gets sent out the WAN interface, which will allow devices on the internet to properly route the reply traffic.
-
@andrew_cb I have set it to WAN address, but once traffic arrives at the distant end, it goes nowhere. I can access the GUI on the distant end and check DHCP leases, then ping hosts on the distant LAN from my VPNNET. I can go to the distant pfSense ping page and ping my own box from that router as well. The tunnel is working perfectly, but the distant router seems to do nothing with the traffic from my VPNNET once it arrives.
As a double check, my outbound NAT rule at the distant end is as follows:
Mappings:
Interface - WAN
Source - 192.168.3.0/28 (my VPNNET)
Source Port - *
Destination - *
Destination Port - *
NAT Address - WAN address
NAT Port - *
Does anything need changing that I'm missing? Should I create a gateway and do some static routing on the distant end or some such?
-
@Shack Run a packet capture on the IPsec interface on the far end and check it with Wireshark. What does it show, particularly, what are the source and destination IP addresses? Is the traffic only one-directional?
Do you have a firewall rule on the far IPsec interface to allow traffic from the 192.168.3.0/28 subnet to any destination (or make an alias with all the local networks you don't want the VPN to have access to, and set the destination to 'NOT' that alias)?
-
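The capture check suggested above, as an added example that is not part of the thread: a small POSIX shell script that reads the text output of `tcpdump -n` taken on the far-end IPsec interface (enc0 on pfSense) and lists the flows that appear in one direction only. If the far end is NATting and forwarding correctly, a flow from a 192.168.3.x host toward an internet address should show reply packets on enc0 as well; a flow with packets one way only means the far end is dropping or misrouting them. The capture lines, the addresses in them, and the function names are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread: summarise a text capture from
# `tcpdump -n` taken on the far-end IPsec interface (enc0 on pfSense)
# and list the flows that only ever appear in one direction.

# flow_counts: read tcpdump -n lines on stdin and print "src dst count",
# one line per (source, destination) pair. Ports are stripped so that
# the retransmitted SYNs of one connection collapse onto a single pair.
flow_counts() {
    awk '
    # host(): drop the trailing ":" tcpdump puts after the destination and,
    # for a.b.c.d.port forms, the port component.
    function host(a,    n, p) {
        sub(/:$/, "", a)
        n = split(a, p, ".")
        if (n == 5) return p[1] "." p[2] "." p[3] "." p[4]
        return a
    }
    $2 == "IP" { c[host($3) " " host($5)]++ }
    END { for (k in c) print k, c[k] }
    ' | sort
}

# unanswered_flows: print "src dst" for every pair that has packets in the
# src->dst direction but none in the dst->src direction in this capture.
unanswered_flows() {
    flow_counts | awk '
    { seen[$1 " " $2] = 1 }
    END {
        for (k in seen) {
            split(k, f, " ")
            if (!((f[2] " " f[1]) in seen)) print k
        }
    }' | sort
}

# Constructed sample capture (assumed addresses): an ICMP exchange with a
# host on the far LAN that is answered, and three SYNs from a VPNNET host
# toward an internet address that are never answered.
sample_capture() {
cat <<'EOF'
12:00:01.000001 IP 192.168.3.5 > 192.168.1.20: ICMP echo request, id 7, seq 1, length 64
12:00:01.000400 IP 192.168.1.20 > 192.168.3.5: ICMP echo reply, id 7, seq 1, length 64
12:00:02.000001 IP 192.168.3.5.51234 > 142.250.80.46.443: Flags [S], seq 100, win 65535, length 0
12:00:03.000001 IP 192.168.3.5.51234 > 142.250.80.46.443: Flags [S], seq 100, win 65535, length 0
12:00:04.000001 IP 192.168.3.5.51234 > 142.250.80.46.443: Flags [S], seq 100, win 65535, length 0
EOF
}

# Demo against the constructed sample; prints "192.168.3.5 142.250.80.46".
# On the far-end box, feed a real capture instead, for example:
#   tcpdump -ni enc0 -c 200 2>/dev/null | unanswered_flows
sample_capture | unanswered_flows
```

Because the capture is taken on enc0, the source addresses seen are the pre-NAT 192.168.3.x ones; the same check run on the far WAN interface should show the WAN address as source for the same flows if the outbound NAT rule is matching.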
@andrew_cb The idea of a packet capture on the far end isn't workable with that pfSense box a few states away. I set it up for a buddy who isn't so network savvy. As part of my straw grasping to get the traffic to flow, I put a rule on the distant WAN, LAN, and IPsec interfaces allowing 192.168.3.0/28 as the source going to any destination. If I can ping any box on the distant LAN from my box on the 192.168.3 network and the distant pfSense can ping my 192.168.3 box via the ping page, can I not conclude that traffic is going both ways?
To double check my understanding, if I try to access a remote site like Google from my 192.168.3 network, traffic leaves my box with source 192.168.3.x and destination google.com, correct? Then it traverses the tunnel and comes out on the distant end with the same source and destination. If so, the traffic cannot go further than that, similar to what I get if my modem is unplugged - I can access the local network all I want but cannot get out of it. I thought by configuring outbound NAT, traffic exiting the tunnel would reach the distant pfSense and get NATted and go out to whatever destination, such as Google.
One last curiosity - if I check the gateway status on the distant end, it shows WAN_DHCP as offline with 100% packet loss. On my box the status for this gateway is online with 0% packet loss. I'm unsure what that means since I would think that my buddy's network is not functioning if his gateway is down. I can access his web configuration from a box on my LAN via a firewall rule allowing my WAN IP into his WAN IP, or via the tunnel through my VPNNET.
-
@Shack How is the gateway monitoring set up? Do you mean that if you log in to your friend's firewall, the gateway shows as offline with 100% packet loss?
If that is the case, then you might want to either change the Monitor IP on the gateway or disable monitoring completely as a test.
-
@andrew_cb I'm guessing that pfSense defaults to having the monitor IP the same as the gateway, both boxes have that. In other words, they DHCP into the ISP network at whatever address, then the gateway is the router for that network. I can't imagine why it's up on my box and down on the other box. I configured it with all default settings and mailed it to my buddy to set up on his network.
-
@Shack Have your buddy try changing the monitor IP to something like 8.8.8.8 and see if that gets the gateway to Online status. Or just disable gateway monitoring; it won't really affect anything if you only have a single WAN connection anyway.
-
@andrew_cb Disabled monitoring; no effect, traffic is still not passing through NAT.