NAT forward over IPSEC tunnel



  • Hi There,

    We have used pfSense for some weeks and really love it :) Can't wait for the 2.1 release. But for now we do have a strange issue, or at least something I do not fully understand how to fix.

    I searched a lot on the forum but could not find any proper solution for this.

    We have a site to site IPsec tunnel. The picture looks like this:

    -----------            -----------             /////////            -----------            -----------
    | Clients  | >>> if.lan| pfSense1 |if.wan >>  | internet |  >> if.wan| pfSense2 |if.lan >>> | clients  |
    | 192.168.120.0/22 |   |if.ipsec ================================== if.ipsec|   | 192.168.124.0/22 |
    -----------            -----------             /////////            -----------            -----------

    The 2 pfSense machines have an IPsec tunnel between them. This works great.

    The problem:
    We would love to forward a port from pfsense2 WAN interface to a client in the pfSense1 LAN network.

    So then it looks like this:
    8.8.8.8 > pf2.wan > NAT > pf2.IPsec > pf1.ipsec > pf1.lan > client

    The best outcome would be when the return path would look like this:
    client > pf1.lan > pf1.ipsec > pf2.ipsec > nat > pf2.wan > 8.8.8.8

    But as far as i can see the return path looks like this:
    client > pf1.lan > NAT > pf1.WAN > 8.8.8.8 (and of course 8.8.8.8 drops the request).

    So now the question is: is there anything we can do about this? We would love to preserve the original IP of the connection and route it through pf2. But if that is not possible, is there any way I could mask the source IP and replace it with the pf2.lan IP?

    Thank you in advance!


  • Rebel Alliance Developer Netgate

    That isn't possible for a couple reasons:

    1. The traffic won't go over IPsec unless it matches the Phase 2 SPD - unless the client's "remote" side of the p2 is set to 0.0.0.0/0 that means the traffic wouldn't make it across the IPsec tunnel.
    2. Even if it did, there is nothing telling the firewall that the reply traffic should go back over the IPsec tunnel, so it tries to go out the default WAN. If the remote p2 were 0.0.0.0/0 it would, but that would also mean everything on that site's Internet connection was routing over the IPsec as well.

    This is more feasible to do with OpenVPN, and masking the source as it leaves the server side router (outbound NAT on the OpenVPN interface for traffic going to that client). In the future this may work with OpenVPN if/when we get reply-to working for assigned OpenVPN interfaces, then pf can track the inbound traffic and send replies back the proper path. Currently we don't use reply-to on VPN rules since we can't accurately determine the gateway in most cases – and with IPsec there is no gateway so that trick could never work there.



  • Thanks for the reply. I read about the OpenVPN and NAT effort.
    Since this isn't working at the moment, does that mean there is no way this will work at the moment?

    Under Linux the fix would be to use Source NAT in some way and replace the source IP of the packet.

    Doesn't Source NAT exist in pfSense? Or doesn't it work with IPsec? (Because it's on the exit side and not on the incoming side?)

    Thanks for the help.


  • Rebel Alliance Developer Netgate

    As I mentioned, it can be made to work with OpenVPN and outbound NAT - outbound NAT will change the source (akin to Source NAT on Linux). You can set up an outbound NAT rule on the OpenVPN interface and new connections leaving via the VPN will have NAT applied so they appear to originate from the firewall on the side you're forwarding from.

    You'd want to switch to manual outbound NAT, and then add two rules:
    1. Do NOT nat on OpenVPN with a source of your private network
    2. NAT on OpenVPN with a source of any, destination of your client system (the target of the port forward)

    That way your internal traffic would still go without NAT, and only the traffic coming from the Internet going to that one PC would have NAT applied.

    The only thing that can NOT be done is:
    1. Making this work on IPsec - that's not possible because this sort of NAT does not work with IPsec, and for the reasons mentioned previously with the Phase 2
    2. Preserving the source IP on OpenVPN - yet. Possibly might be in 2.1 (there is a customer looking to fund that work if they can get approval from their employer).
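    The two manual outbound NAT rules described in the reply above, written out as a pf.conf fragment for pfSense2 so the ordering and the effect on the return path are visible. This is an added example, not text from the thread or rules generated by pfSense; the interface names (em0, ovpns1), the forwarded port and the target client address are assumptions, while the two LAN prefixes come from the diagram in the first post.

    ```pf
    # Added example (not from the thread, nor pfSense's generated rules): a pf.conf
    # fragment that expresses the two manual outbound NAT rules described above,
    # plus the WAN port forward they support, on pfSense2.
    # Interface names, the forwarded port and the target address are assumptions.
    ext_if   = "em0"                 # pfSense2 WAN (assumed name)
    ovpn_if  = "ovpns1"              # OpenVPN server interface on pfSense2 (assumed)
    site_lan = "192.168.124.0/22"    # pfSense2 LAN, from the thread's diagram
    target   = "192.168.120.50"      # client behind pfSense1 (assumed address)
    fwd_port = "8080"                # forwarded service port (assumed)

    # Port forward: connections arriving on WAN for $fwd_port are redirected
    # to the client on the far side of the VPN.
    rdr on $ext_if inet proto tcp from any to ($ext_if) port $fwd_port -> $target port $fwd_port

    # Translation rules are first-match, so order matters.
    # Rule 1: site-to-site traffic from the local LAN crosses the VPN untranslated,
    # so the far side still sees real 192.168.124.0/22 addresses.
    no nat on $ovpn_if inet from $site_lan to any

    # Rule 2: anything else leaving via the VPN toward the forwarded client
    # (i.e. the Internet connections that were port-forwarded) is masqueraded
    # to the OpenVPN interface address of pfSense2. The client's replies then
    # go to that address, which its routing table sends back through the tunnel
    # instead of out pfSense1's WAN.
    nat on $ovpn_if inet from any to $target -> ($ovpn_if)

    # Filter rules still have to admit the forwarded traffic; rdr has already
    # rewritten the destination by the time these are evaluated.
    pass in quick on $ext_if inet proto tcp from any to $target port $fwd_port
    pass out quick on $ovpn_if inet proto tcp from any to $target port $fwd_port
    ```

    In the web GUI the same two rules live under Firewall > NAT > Outbound with manual outbound NAT selected, the "do not NAT" rule listed first. To confirm the translation is happening, watch the VPN interface on pfSense2 with `tcpdump -ni ovpns1 host 192.168.120.50`: forwarded connections should show the OpenVPN interface address as source, and the client's replies should appear on the same interface rather than being absent (which is the symptom of them leaving via pfSense1's WAN).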



    We have a similar question on a similar setup:
    Peer WAN IP
    Peer NAT'd IP (ISP routeable IP)
    Peer priv IP not exposed to us.

    Our WAN IP
    Peer NAT'd IP (ISP routeable IP)
    Internal Priv IP (peer does not want to receive from this IP)

    Any suggestions on how I can get this configured on pfSense? I tried outbound rules, and tried using the private IP as part of phase 2, but it ignores the NAT, so the peer sees an attempt at communication from our private IP.



    What is your exact question? What would you like to do?

