NAT to remote private network (across VPN)



  • Hello.

    I have a single pfSense box, it manages siteA, and is also the OpenVPN server for a remote siteB (siteB connects as a client site-to-site to siteA).

    I want to NAT on a public IP address on the WAN interface of siteA, to an internal IP address on the siteB network.

    So instead of NAT for an IP just on the other side of the siteA router (in the LAN), I want to go back across the VPN to siteB.  I can't use the same method and just redirect to the private IP address of the remote siteB network, the same way I would usually do NAT, (firewalling aside, don't worry I won't mess that part up, just talking about NAT here).

    You might ask… Why don't I just use the public IP address of the remote network and do a simple NAT task there? Well... I can't in this case, we are relocating a device that needs to be accessed @ a public IP of siteA.

    Thoughts?  Thanks.



  • You can do that. You also need to source NAT before it goes across the VPN so the reply goes back out via site A, otherwise you'll break the TCP connection. Or in 2.1 it's possible to utilize reply-to for the return routing without doing source NAT.



  • I am unclear on Source NAT.  Does this mean I need two NAT rules?  One for the port forward from the public internet, and then another for the "source" which is the internal IP on the siteB network?

    Thanks

    @cmb:

    You can do that. You also need to source NAT before it goes across the VPN so the reply goes back out via site A, otherwise you'll break the TCP connection. Or in 2.1 it's possible to utilize reply-to for the return routing without doing source NAT.



  • Yes. Source NAT is Outbound NAT.



  • Ahhh… Thanks.  I will test.

    @cmb:

    Yes. Source NAT is Outbound NAT.



  • @cmb:

    You also need to source NAT before it goes across the VPN so the reply goes back out via site A, otherwise you'll break the TCP connection.

    cmb: I am losing the reply on the siteB router.  The reply begins from the remote host across the VPN, hits the LAN interface on the remote router, but doesn't go beyond that.

    Are you telling me to do the source NAT before it goes BACK across the VPN from siteB to siteA, or before it crosses the VPN from siteA to siteB altogether?  This will help me identify where the source NAT needs to be done.  I have tried source NAT before it crosses the VPN, on siteA for the remote subnet, but haven't had luck.

    I found this thread too which talks about the outbound nat on the openvpn interface.  Jimp is discussing what I believe to be what I am looking for using OpenVPN…
    http://forum.pfsense.org/index.php/topic,53776.0.html.

    @jimp:

    As I mentioned, it can be made to work with OpenVPN and outbound NAT - outbound NAT will change the source (akin to Source NAT on linux). You can setup an outbound NAT rule on the OpenVPN interface and new connections leaving via the VPN will have NAT applied so they appear to originate from the firewall on the side you're forwarding from.

    You'd want to switch to manual outbound NAT, and then add two rules:
    1. Do NOT nat on OpenVPN with a source of your private network
    2. NAT on OpenVPN with a source of any, destination of your client system (the target of the port forward)

    That way your internal traffic would still go without NAT, and only the traffic coming from the Internet going to that one PC would have NAT applied.

    The only thing that can NOT be done is:
    1. Making this work on IPsec - that's not possible because this sort of NAT does not work with IPsec, and for the reasons mentioned previously with the Phase 2
    2. Preserving the source IP on OpenVPN - yet. Possibly might be in 2.1 (there is a customer looking to fund that work if they can get approval from their employer).

    What does Jimp mean when he says "Private Network" (in bold)? The OpenVPN network?
    Also, "Destination of your client system (the target of the port forward)."  Is this the IP address of the OpenVPN client on the OpenVPN subnet?

    My Networks:

    siteA
    LAN: 192.168.50.0/24
    OpenVPN P-t-P 10.8.8.1/24

    siteB
    LAN: 192.168.100.0/24
    OpenVPN P-t-P 10.8.8.2/24

    My NAT is like this:

    Port Forward

    Interface:   OPT2
    Proto:       TCP
    Src. addr:   public_remote_clients
    Src. ports:  *
    Dest. addr:  public_virtual_IP_Address
    Dest. ports: 80
    NAT IP:      192.168.100.65
    NAT ports:   80

    Outbound NAT

    Let's not talk about the 10 or 20 different combinations of Outbound NAT I have tried, I just don't understand.  The concept is probably simple but I need a clearer picture.



  • Ok I got it working now.

    Here are all the parts, (I include the firewall rules too for the full task):

    NAT

    Port Forward:

    Interface:   WAN
    Proto:       TCP
    Src. addr:   public_remote_client
    Src. ports:  *
    Dest. addr:  WAN Address (or a virtual IP, in my case I DID)
    Dest. ports: 80
    NAT IP:      remote_server
    NAT ports:   80
    Description: NAT 80 to remote server across VPN

    Outbound NAT:

    (this first rule has Do Not NAT checked)
    Interface:   OpenVPN
    Source:      remote network subnet across VPN
    Src. ports:  *
    Dest. addr:  *
    Dest. ports: *
    NAT addr:    *
    NAT port:    *
    Description: Do Not NAT for remote subnet across VPN

    Interface:   OpenVPN
    Source:      any
    Src. ports:  *
    Dest. addr:  remote_server across VPN
    Dest. ports: 80
    NAT addr:    *
    NAT port:    *
    Description: NAT for remote_server on remote subnet across VPN

    Firewall

    rule for public facing interface, (ie: WAN) for public_remote_client to pass to remote_server across VPN:

    Proto:       TCP
    Source:      public_remote_client
    Port:        *
    Destination: remote_server across VPN
    Port:        80
    Gateway:     *
    Queue:       none
    Description: Pass traffic to remote_server

    And the final part for my saga…

    On the remote router across the VPN (siteB), I firewall the LAN interface there.  I needed to allow the "remote_server across VPN" to be able to talk to the VPN subnet.  I used a /30 netmask for 4 hosts, 2 usable since it's just a site-to-site, IE: 10.8.8.0/30.

    So a firewall rule for that would look like this:

    Proto:       TCP
    Source:      remote_server across VPN
    Port:        *
    Destination: OpenVPN subnet
    Port:        *
    Gateway:     *
    Queue:       none
    Description: Allow remote_server across VPN. Reply back to OpenVPN subnet.

    Hope this helps someone, it sucked for a couple days.  Thanks cmb and Jimp!
    The post doesn't look very good without a decent size LCD as it gets smashed on more lines and goes out of whack, fyi.
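The same rule set written out in pf.conf syntax, as an added example to show what the GUI rules above translate to; it is not from the thread or from pfSense's generated ruleset. The interface names em0 (WAN) and ovpns1 (OpenVPN server), the virtual IP 203.0.113.10 and the <public_remote_clients> table contents are assumptions.

```pf
# Constructed pf.conf fragment for the siteA firewall (assumed interface names and addresses).
wan_if        = "em0"             # assumed WAN interface at siteA
ovpn_if       = "ovpns1"          # assumed OpenVPN server interface
site_a_lan    = "192.168.50.0/24" # siteA LAN, from the thread
vpn_self      = "10.8.8.1"        # siteA end of the tunnel, from the thread
public_vip    = "203.0.113.10"    # constructed public virtual IP on WAN
remote_server = "192.168.100.65"  # siteB host behind the tunnel, from the thread
table <public_remote_clients> { 198.51.100.0/24 }   # constructed allow-list

# 1. Port forward (rdr): public client -> VIP:80 is rewritten to remote_server:80.
#    Without anything else, siteB would see the client's public IP as the source and
#    send the reply out its own WAN, so the TCP handshake never completes.
rdr on $wan_if proto tcp from <public_remote_clients> to $public_vip port 80 \
    -> $remote_server port 80

# 2. Outbound NAT on the OpenVPN interface, first match wins:
#    keep siteA's own LAN un-NATed so internal hosts reach siteB with real source IPs ...
no nat on $ovpn_if from $site_a_lan to any
#    ... and rewrite only the forwarded Internet traffic to source from the tunnel IP,
#    so siteB routes the reply back into the VPN and the state on siteA matches it.
nat on $ovpn_if proto tcp from any to $remote_server port 80 -> $vpn_self

# 3. Filter on WAN: rdr has already run, so match on the translated destination.
pass in quick on $wan_if proto tcp from <public_remote_clients> \
    to $remote_server port 80 keep state

# On the siteB firewall's LAN interface, the matching rule lets remote_server answer
# to the tunnel subnet (assumed name $lan_if):
#   pass in on $lan_if proto tcp from 192.168.100.65 to 10.8.8.0/30 keep state
```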

