Destination NAT/port forward on policy-based IPsec Site-to-Site VPN
-
Is it possible to create multiple Destination NATs or Port Forwards on the IPSEC interface next to a source NAT?
Example:
I need to NAT the local network at Site A to hide it from the local network at Site B, and I need to solve the following:
- Site A's local network can reach Site B's local network from a source address (from one IP, like outbound/source NAT/PAT does)
- at the same time Site B's local network must reach two hosts on Site A's local network. So I need to create two destination NATs on side A to forward the packets to the appropriate servers.
In Netgate's online documentation, I have only read about 1:1 or PAT solution, which can be set in the IPSEC VPN Phase2 entries (NAT/BINAT), but this does not give a proper solution to the above. However, I saw I am able to create NAT rules with IPSEC interface selected under both Outbound and Port Forward in the Firewall/NAT menu.
Is this possible in pfSense Plus? -
@Istvan-Horvath said in Destination NAT/port forward on policy-based IPsec Site-to-Site VPN:
I need to NAT-ed the local network at Site A to hide it from the local network at Site B and I need to solve the following:
What's the meaning of hiding the site local network?
at the same time Site B's local network must reach two hosts on Site A's local network. So I need to create two destination NATs on side A to forward the packets to the appropriate servers.
And here you want to use alias IPs for the server at A as well?
-
@viragomann
Hi viragomann, thank you for your answer!
Hide means using masquerade (hide) NAT, which allows you to translate multiple IP addresses (here, Site A's local network address range) to another single IP address or range. So Site B and its local network do not know anything about the actual, real IP address range on Site A's local network.
And yes, I want to use two alias IPs for the two hosts in the destination NAT rules, from the same range as the one I used for masquerade NAT.
Thank you!
-
@Istvan-Horvath
So what if you just do a BINAT in the phase 2?
E.g. A LAN is 10.10.0.0/16
You can state a BINAT subnet for it, say 172.20.0.0/16
Then site B sees only 172.20.0.0/16 and needs to use this range to talk to A. It also needs to use this in its phase 2 as remote subnet.
And to access for instance 10.10.5.5 from B you need to enter 172.20.5.5. -
@viragomann
So, what I didn't know is that BINAT works by having a 1:1 mapping between the IP addresses of two IP ranges of the same size? As you wrote, 10.10.5.5 to 172.20.5.5 and 10.10.5.6 to 172.20.5.6 and so on. Yes, it can work, but if Site B has specified what IP range it wants to see Site A's local network from, and it is smaller than Site A's LAN IP range, then BINAT can no longer be used to do this, as far as I know.
E.g. A LAN is 10.10.0.0/24 and the NAT address range that Site B has specified as its remote subnet is 172.20.0.0/29, then I cannot use it as BINAT subnet in the settings of Site A's phase 2.
So it occurred to me that, staying with the previous example, I could simply specify 172.20.0.0/29 as the local network in the phase 2 configuration of Site A, and create an outbound NAT (PAT) on the IPSEC interface, for example 10.10.0.0/24 translated to 172.20.0.1/32, and create two Port Forward rules also on the IPSEC interface; these translate for example 172.20.0.5:443 to 10.10.0.10:443 and 172.20.0.6:443 to 10.10.0.20:443.
Do you think this could work? -
@Istvan-Horvath said in Destination NAT/port forward on policy-based IPsec Site-to-Site VPN:
E.g. A LAN is 10.10.0.0/24 and the NAT address range that Site B has specified as its remote subnet is 172.20.0.0/29, then I cannot use it as BINAT subnet in the settings of Site A's phase 2.
So it occurred to me that, staying with the previous example, I could simply specify 172.20.0.0/29 as the local network in the phase 2 configuration of Site A, and create an outbound NAT (PAT) on the IPSEC interface, for example 10.10.0.0/24 translated to 172.20.0.1/32
This can be done in the phase 2 as well. At BINAT select "address" and specify 172.20.0.1.
However, this only enables Site A to access Site B, not the other way round. Site B needs a phase 2 for this IP.
and create two Port Forward rules also on the IPSEC interface, these translate for example 172.20.0.5:443 to 10.10.0.10:443 and 172.20.0.6:443 to 10.10.0.20:443.
Port forwarding might work here, but you will need an additional phase 2 for the alias IPs and this must not overlap the other. So this example would not work.
You could also do the translation with phase 2 BINAT then. -
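A small script that models the two schemes discussed in this thread, added here as an illustration; it is not the posters' code and not part of pfSense. It uses the addresses from the examples above, models BINAT as an equal-size 1:1 mapping (which is why a /29 cannot BINAT a /24), and models phase 2 local networks as plain prefixes so the overlap and coverage checks from viragomann's last reply can be run before touching the firewall. The check functions are hypothetical helpers written for this example, not pfSense features.

```python
import ipaddress

# Constructed values from the thread: Site A's LAN and the BINAT range suggested.
SITE_A_LAN = "10.10.0.0/16"
BINAT_NET = "172.20.0.0/16"


def binat_translate(addr, local_net, binat_net):
    """1:1 BINAT: the host offset of `addr` inside local_net is carried over
    unchanged into binat_net. Both networks must have the same prefix length,
    otherwise no 1:1 mapping exists (the /24 vs /29 case in the thread)."""
    local = ipaddress.ip_network(local_net, strict=False)
    binat = ipaddress.ip_network(binat_net, strict=False)
    if local.prefixlen != binat.prefixlen:
        raise ValueError(f"BINAT needs equal-size networks: {local} vs {binat}")
    ip = ipaddress.ip_address(addr)
    if ip not in local:
        raise ValueError(f"{ip} is not inside {local}")
    offset = int(ip) - int(local.network_address)
    return str(ipaddress.ip_address(int(binat.network_address) + offset))


def binat_reverse(addr, local_net, binat_net):
    """Map a BINAT address back to the real host, i.e. what Site A's firewall
    does for a packet from Site B addressed to 172.20.5.5."""
    return binat_translate(addr, binat_net, local_net)


def phase2_conflicts(phase2_local_nets):
    """Return every pair of phase 2 local networks that overlap. An extra
    phase 2 for the alias IPs must not overlap the one used for outbound NAT."""
    nets = [ipaddress.ip_network(n, strict=False) for n in phase2_local_nets]
    conflicts = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i].overlaps(nets[j]):
                conflicts.append((str(nets[i]), str(nets[j])))
    return conflicts


def check_nat_plan(phase2_local_nets, outbound_nat_addr, port_forwards):
    """Sanity-check the outbound NAT + port forward scheme from the thread.

    port_forwards: list of (alias_ip, alias_port, real_ip, real_port).
    Every address Site B must reach (the outbound NAT address and each port
    forward alias IP) has to be covered by some phase 2 local network, and the
    phase 2 networks must not overlap. Returns a list of problem descriptions;
    an empty list means the plan passes these checks.
    """
    problems = []
    nets = [ipaddress.ip_network(n, strict=False) for n in phase2_local_nets]
    for a, b in phase2_conflicts(phase2_local_nets):
        problems.append(f"phase 2 networks overlap: {a} / {b}")
    needed = [outbound_nat_addr] + [alias for alias, _ap, _rip, _rp in port_forwards]
    for a in needed:
        ip = ipaddress.ip_address(a)
        if not any(ip in n for n in nets):
            problems.append(f"{ip} is not covered by any phase 2 local network")
    return problems


if __name__ == "__main__":
    print(binat_translate("10.10.5.5", SITE_A_LAN, BINAT_NET))  # 172.20.5.5
    forwards = [("172.20.0.5", 443, "10.10.0.10", 443),
                ("172.20.0.6", 443, "10.10.0.20", 443)]
    # Istvan's plan with a single /32 phase 2: the alias IPs are not covered.
    print(check_nat_plan(["172.20.0.1/32"], "172.20.0.1", forwards))
    # One non-overlapping phase 2 per address passes the checks.
    print(check_nat_plan(["172.20.0.1/32", "172.20.0.5/32", "172.20.0.6/32"],
                         "172.20.0.1", forwards))
```

Run it as a plain script; the first check prints the two uncovered alias IPs and the second prints an empty list. Adjust the prefixes to whatever Site B actually agreed to before applying the phase 2 entries.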
@viragomann
Okay, I understand! Thanks for your help! In two weeks the connection will be implemented, then I'll get back to you on this.