Netgate Discussion Forum

    NAT to remote private network (across VPN)

      wm408

      Hello.

      I have a single pfSense box, it manages siteA, and is also the OpenVPN server for a remote siteB (siteB connects as a client site-to-site to siteA).

      I want to NAT on a public IP address on the WAN interface of siteA, to an internal IP address on the siteB network.

      So instead of NAT for an IP just on the other side of the siteA router (in the LAN), I want to go back across the VPN to siteB. I can't use the same method and just redirect to the private IP address of the remote siteB network, the same way I would usually do NAT (firewalling aside; don't worry, I won't mess that part up, just talking about NAT here).

      You might ask… why don't I just use the public IP address of the remote network and do a simple NAT task there? Well... I can't in this case; we are relocating a device that needs to be accessed at a public IP of siteA.

      Thoughts?  Thanks.

        cmb

        You can do that. You also need to source NAT before it goes across the VPN so the reply goes back out via site A, otherwise you'll break the TCP connection. Or in 2.1 it's possible to utilize reply-to for the return routing without doing source NAT.

          wm408

          I am unclear on Source NAT.  Does this mean I need two NAT rules?  One for the port forward from the public internet, and then another for the "source" which is the internal IP on the siteB network?

          Thanks

          @cmb:

          You can do that. You also need to source NAT before it goes across the VPN so the reply goes back out via site A, otherwise you'll break the TCP connection. Or in 2.1 it's possible to utilize reply-to for the return routing without doing source NAT.

            cmb

            Yes. Source NAT is Outbound NAT.

              wm408

              Ahhh… Thanks.  I will test.

              @cmb:

              Yes. Source NAT is Outbound NAT.

                wm408

                @cmb:

                You also need to source NAT before it goes across the VPN so the reply goes back out via site A, otherwise you'll break the TCP connection.

                cmb: I am losing the reply on the siteB router.  The reply begins from the remote host across the VPN, hits the LAN interface on the remote router, but doesn't go beyond that.

                Are you telling me to do the source NAT before it goes BACK across the VPN from siteB to siteA, or before it crosses the VPN from siteA to siteB altogether? This will help me identify where the source NAT needs to be done. I have tried source NAT before it crosses the VPN, on siteA for the remote subnet, but haven't had luck.

                I found this thread too, which talks about outbound NAT on the OpenVPN interface. Jimp is discussing what I believe to be what I am looking for using OpenVPN…
                http://forum.pfsense.org/index.php/topic,53776.0.html.

                @jimp:

                As I mentioned, it can be made to work with OpenVPN and outbound NAT - outbound NAT will change the source (akin to Source NAT on Linux). You can set up an outbound NAT rule on the OpenVPN interface and new connections leaving via the VPN will have NAT applied so they appear to originate from the firewall on the side you're forwarding from.

                You'd want to switch to manual outbound NAT, and then add two rules:
                1. Do NOT nat on OpenVPN with a source of your private network
                2. NAT on OpenVPN with a source of any, destination of your client system (the target of the port forward)

                That way your internal traffic would still go without NAT, and only the traffic coming from the Internet going to that one PC would have NAT applied.

                The only thing that can NOT be done is:
                1. Making this work on IPsec - that's not possible because this sort of NAT does not work with IPsec, and for the reasons mentioned previously with the Phase 2
                2. Preserving the source IP on OpenVPN - yet. Possibly might be in 2.1 (there is a customer looking to fund that work if they can get approval from their employer).

                What does Jimp mean when he says "private network" (in bold)? The OpenVPN network?
                Also, "destination of your client system (the target of the port forward)": is this the IP address of the OpenVPN client on the OpenVPN subnet?

                My Networks:

                siteA
                LAN: 192.168.50.0/24
                OpenVPN P-t-P 10.8.8.1/24

                siteB
                LAN: 192.168.100.0/24
                OpenVPN P-t-P 10.8.8.2/24

                My NAT is like this:

                Port Forward

                IF    Proto  Src. addr              Src. ports  Dest. addr                 Dest. ports  NAT IP          NAT ports
                OPT2  TCP    public_remote_clients  *           public_virtual_IP_Address  80           192.168.100.65  80

                Outbound NAT

                Let's not talk about the 10 or 20 different combinations of Outbound NAT I have tried, I just don't understand.  The concept is probably simple but I need a clearer picture.

                  wm408

                  OK, I got it working now.

                  Here are all the parts (I include the firewall rules too, for the full task):

                  NAT

                  Port Forward:

                  If   Proto  Src. addr             Src. ports  Dest. addr                                       Dest. ports  NAT IP         NAT ports  Description
                  WAN  TCP    public_remote_client  *           WAN Address (or a virtual IP, in my case I DID)  80           remote_server  80         NAT 80 to remote server across VPN

                  Outbound NAT:

                  (the first rule has Do Not NAT checked)
                  If       Source                            Src. ports  Dest. addr                Dest. ports  NAT Addr  NAT Port  Description
                  OpenVPN  remote network subnet across VPN  *           *                         *            *         *         Do Not NAT for remote subnet across VPN
                  OpenVPN  any                               *           remote_server across VPN  80           *         *         NAT for remote_server on remote subnet across VPN

                  Firewall

                  Rule for the public-facing interface (i.e. WAN) for public_remote_client to pass to remote_server across VPN:

                  ID  Proto  Source                Port  Destination               Port  Gateway  Queue  Schedule  Description
                      TCP    public_remote_client  *     remote_server across VPN  80    *        none             Pass traffic to remote_server across VPN

                  And the final part for my saga…

                  On the remote router across the VPN (siteB), I firewall the LAN interface there. I needed to allow the "remote_server across VPN" to be able to talk to the VPN subnet. I used a /30 netmask for 4 hosts, 2 usable since it's just a site-to-site, i.e. 10.8.8.0/30.

                  So a firewall rule for that would look like this:

                  ID  Proto  Source                    Port  Destination     Port  Gateway  Queue  Schedule  Description
                      TCP    remote_server across VPN  *     OpenVPN subnet  *     *        none             Allow remote_server across VPN reply back to OpenVPN subnet

                  Hope this helps someone, it sucked for a couple of days. Thanks cmb and Jimp!
                  The post doesn't look very good without a decent-size LCD as it gets smashed onto more lines and goes out of whack, FYI.

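As an added illustration (not code from the thread, from pfSense or from pf itself) of jimp's two outbound NAT rules and wm408's final configuration above, this small Python model follows the packet's addresses hop by hop, with and without outbound NAT on the OpenVPN interface. The tunnel, siteA LAN and remote_server addresses are the ones posted in the thread; the two public addresses and the rewritten source port are constructed, and the state handling is a simplification of what pf's rdr/nat rules actually do.

```python
from dataclasses import dataclass, replace
import ipaddress
# Tunnel, LAN and remote_server addresses are from the thread; public IPs are constructed.
PUBLIC_VIP = "203.0.113.10"    # constructed: siteA public virtual IP
CLIENT = "198.51.100.7"        # constructed: public_remote_client
SITEA_TUN, REMOTE_SERVER = "10.8.8.1", "192.168.100.65"
TUNNEL = ipaddress.ip_network("10.8.8.0/30")
SITEA_LAN = ipaddress.ip_network("192.168.50.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def site_a_to_vpn(pkt, outbound_nat):
    """siteA: port forward (rdr) to remote_server, then the optional outbound NAT
    rule on the OpenVPN interface (jimp's rule 2).  Returns packet plus undo state."""
    states = []
    if (pkt.dst, pkt.dport) == (PUBLIC_VIP, 80):
        states.append(("rdr", pkt.dst))
        pkt = replace(pkt, dst=REMOTE_SERVER)
    if outbound_nat and pkt.dst == REMOTE_SERVER:
        states.append(("snat", pkt.src, pkt.sport))
        pkt = replace(pkt, src=SITEA_TUN, sport=40000)  # source is now siteA's tunnel IP
    return pkt, states

def site_b_route_reply(request):
    """remote_server answers; siteB picks the exit interface by reply destination."""
    reply = Packet(request.dst, request.dport, request.src, request.sport)
    dst = ipaddress.ip_address(reply.dst)
    if dst in TUNNEL or dst in SITEA_LAN:
        return reply, "openvpn"   # siteB has a route for these: back through the tunnel
    return reply, "siteB_wan"     # default route: siteA's NAT state never sees the reply

def site_a_untranslate(reply, states):
    """siteA undoes its translations in reverse order as the reply returns."""
    for entry in reversed(states):
        reply = (replace(reply, dst=entry[1], dport=entry[2]) if entry[0] == "snat"
                 else replace(reply, src=entry[1]))
    return reply

def simulate(outbound_nat):
    fwd, states = site_a_to_vpn(Packet(CLIENT, 51234, PUBLIC_VIP, 80), outbound_nat)
    reply, exit_if = site_b_route_reply(fwd)
    if exit_if != "openvpn":
        return "broken: reply left via " + exit_if
    back = site_a_untranslate(reply, states)
    return "ok" if back == Packet(PUBLIC_VIP, 80, CLIENT, 51234) else "broken: mismatch"
```

Running `simulate(False)` shows the reply leaving siteB by its own default route, which is the symptom wm408 described, while `simulate(True)` brings it back through the tunnel so siteA can reverse both translations.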
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.