Netgate Discussion Forum

    NAT-T Help, please- I think incorrect Local IP in status

    7 Posts 2 Posters 3.2k Views
thesidetalker

      Hey guys,

I'm trying to help someone set up an IPsec tunnel between their two offices. In one office I can connect a DSL modem directly to the pfSense box. I can establish a tunnel to one of my boxes fine here. The problem, I believe, lies at the other location. At this one, a bunch of small suites share a Comcast business connection. The IT guy here says he has UDP and ESP ports 500 forwarded to our pfSense box. This is the setup:

      Comcast router
      WAN IP 75.144.x.x
      LAN IP 10.1.10.1

      pfSense
      WAN IP 10.1.10.31
      LAN 192.168.20.1

      Then behind the pfSense box, I have a switch and a few computers on the 192 subnet.

In the IPsec status GUI at this location, it has 10.1.10.31 as the Local IP. Shouldn't I have the public IP for the office here (75.144.x.x)? If I am correct, how do I go about changing this? I can't figure it out. I'd appreciate any help here. I know I've missed something… somewhere. Thanks

jimp (Rebel Alliance Developer, Netgate)

It can't have the public IP as the "local IP" since that IP is not on your firewall. The other end might show that as the remote IP, but the pfSense box doesn't have any knowledge of the upstream IP in that way, even with port forwards.

You should have them also forward udp/4500 and force NAT-T on to see if that helps (or, if it's all pfSense, OpenVPN would work much, much better with NAT involved).

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

thesidetalker

          Hmm, so do you think it should work as long as I have the proper ports forwarded?

          I thought it might not be working since the settings on each side don't appear to be the same to me. I thought they need to be exactly the same.

IIRC (I'll have to go double-check later today), pfSense-1 has a tunnel from a.b.c.d to 75.144.x.x, while pfSense-2 has a tunnel from 10.1.10.31 to a.b.c.d.

jimp (Rebel Alliance Developer, Netgate)

            That is how it will look when NAT is involved.


thesidetalker
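To make jimp's two answers concrete (the firewall can only report the address it actually owns, and the asymmetric tunnel definitions are simply what a NATed peer looks like), here is an added example that is not part of the original thread and not pfSense or strongSwan code. It models the IKEv2 NAT detection from RFC 7296 section 2.23 on the thread's topology: each side hashes the SPIs plus its own address and port into NAT_DETECTION_SOURCE_IP, the receiver re-hashes over the source the packet really arrived from, and any mismatch means a NAT sits on the path and the SA must float to UDP/4500, which is why udp/4500 needs forwarding as well as udp/500. The pfSense WAN address 10.1.10.31 is from the thread; 198.51.100.7 (stand-in for the Comcast public address) and 203.0.113.5 (stand-in for the peer a.b.c.d) are constructed documentation-range addresses, and the SPI values are arbitrary.

```python
"""IKEv2 NAT detection (RFC 7296 s2.23) applied to the thread's topology.

Added example, not pfSense/strongSwan code. Only 10.1.10.31 comes from the
thread; 198.51.100.7 (Comcast public side) and 203.0.113.5 (remote peer)
are constructed stand-ins from documentation address ranges.
"""
import hashlib
import ipaddress
import struct

IKE_PORT = 500      # IKE_SA_INIT always starts here
NAT_T_PORT = 4500   # IKE and UDP-encapsulated ESP move here once NAT is detected


def nat_detection_hash(spi_i: int, spi_r: int, ip: str, port: int) -> bytes:
    """SHA-1(SPIi | SPIr | IP address | port): the body of a NAT_DETECTION_*_IP payload."""
    data = (
        struct.pack(">QQ", spi_i, spi_r)
        + ipaddress.ip_address(ip).packed
        + struct.pack(">H", port)
    )
    return hashlib.sha1(data).digest()


def behind_nat(spi_i: int, spi_r: int, advertised: tuple, observed: tuple) -> bool:
    """True when the sender's hash of its own (ip, port) differs from the hash the
    receiver computes over the (ip, port) the packet actually came from.
    A NAT rewriting the source address or port on the path flips this."""
    return (nat_detection_hash(spi_i, spi_r, *advertised)
            != nat_detection_hash(spi_i, spi_r, *observed))


def ike_sa_init(spi_i: int, spi_r: int,
                initiator_local: tuple, initiator_seen_by_responder: tuple,
                responder_local: tuple, responder_seen_by_initiator: tuple) -> dict:
    """Simulate the NAT_DETECTION exchange in IKE_SA_INIT.

    Each peer can only hash the interface address it owns (this is why the
    pfSense status page shows 10.1.10.31, not the upstream public address).
    The request carries SPIr = 0; the response carries the responder's SPI.
    """
    initiator_natted = behind_nat(spi_i, 0, initiator_local, initiator_seen_by_responder)
    responder_natted = behind_nat(spi_i, spi_r, responder_local, responder_seen_by_initiator)
    return {
        "initiator_behind_nat": initiator_natted,
        "responder_behind_nat": responder_natted,
        # If either side detects NAT, both switch to UDP/4500 and ESP is
        # UDP-encapsulated (RFC 3948), so a plain ESP forward is not enough.
        "port_after_detection": NAT_T_PORT if (initiator_natted or responder_natted) else IKE_PORT,
    }


def thread_topology() -> dict:
    """pfSense-2 (WAN 10.1.10.31) behind the Comcast router, initiating to the remote peer."""
    spi_i, spi_r = 0x1122334455667788, 0x99AABBCCDDEEFF00   # arbitrary constructed SPIs
    return ike_sa_init(
        spi_i, spi_r,
        initiator_local=("10.1.10.31", IKE_PORT),                 # what pfSense-2 hashes
        initiator_seen_by_responder=("198.51.100.7", IKE_PORT),   # post-NAT source (constructed)
        responder_local=("203.0.113.5", IKE_PORT),                # remote peer (constructed)
        responder_seen_by_initiator=("203.0.113.5", IKE_PORT),    # no NAT on that side
    )


if __name__ == "__main__":
    for key, value in thread_topology().items():
        print(f"{key}: {value}")
```

Running it reports NAT behind the initiator only, with the SA moving to UDP/4500; the responder's own view of the tunnel is "from 203.0.113.5 to 198.51.100.7" while the initiator's is "from 10.1.10.31 to 203.0.113.5", the same asymmetry thesidetalker saw between pfSense-1 and pfSense-2. If the upstream NAT also rewrites the source port, the hash still mismatches, which is the reason the detection is defined over address and port together.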

              Thanks jimp, I'll give it another try today

thesidetalker

                Got it working jimp, thanks!

                My problem was on one end I was using a VLAN for the local subnet. The VLAN was configured wrong. This machine I'm using as a hub and will have multiple endpoints connected. I just want them on different subnets.

Okay, now for another problem. I think I have the VLAN configured wrong... maybe. Or, more likely, my firewall rules are incorrect. I have a few machines on the network behind that pfSense box I'm using as the IPsec hub. It has two NICs and I have that VLAN on the LAN port. These machines can use the LAN IP as a gateway no problem, but if I configure them to use the VLAN as a gateway, no workie. I can't ping the VLAN IP from a local machine or ping local computers from the pfSense box through the VLAN.

thesidetalker

I think I found my problem: my switch sucks. It doesn't support it.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.