NAT to remote private network (across VPN)
-
Hello.
I have a single pfSense box, it manages siteA, and is also the OpenVPN server for a remote siteB (siteB connects as a client site-to-site to siteA).
I want to NAT on a public IP address on the WAN interface of siteA, to an internal IP address on the siteB network.
So instead of NAT for an IP just on the other side of the siteA router (in the LAN), I want to go back across the VPN to siteB. I can't use the same method and just redirect to the private IP address of the remote siteB network the same way I would usually do NAT (firewalling aside; don't worry, I won't mess that part up, I'm just talking about NAT here).
You might ask: why don't I just use the public IP address of the remote network and do a simple NAT task there? Well... I can't in this case; we are relocating a device that needs to be accessed at a public IP of siteA.
Thoughts? Thanks.
-
You can do that. You also need to source NAT before it goes across the VPN so the reply goes back out via site A, otherwise you'll break the TCP connection. Or in 2.1 it's possible to utilize reply-to for the return routing without doing source NAT.
-
I am unclear on Source NAT. Does this mean I need two NAT rules? One for the port forward from the public internet, and then another for the "source" which is the internal IP on the siteB network?
Thanks
@cmb:
You can do that. You also need to source NAT before it goes across the VPN so the reply goes back out via site A, otherwise you'll break the TCP connection. Or in 2.1 it's possible to utilize reply-to for the return routing without doing source NAT.
-
Yes. Source NAT is Outbound NAT.
-
@cmb:
You also need to source NAT before it goes across the VPN so the reply goes back out via site A, otherwise you'll break the TCP connection.
cmb: I am losing the reply on the siteB router. The reply begins from the remote host across the VPN, hits the LAN interface on the remote router, but doesn't go beyond that.
Are you telling me to do the source NAT before it goes BACK across the VPN from siteB to siteA, or before it crosses the VPN from siteA to siteB altogether? This will help me identify where the source NAT needs to be done. I have tried source NAT before it crosses the VPN, on siteA for the remote subnet, but haven't had luck.
I found this thread too which talks about the outbound NAT on the OpenVPN interface. Jimp is discussing what I believe to be what I am looking for using OpenVPN…
http://forum.pfsense.org/index.php/topic,53776.0.html

@jimp:
As I mentioned, it can be made to work with OpenVPN and outbound NAT - outbound NAT will change the source (akin to Source NAT on Linux). You can set up an outbound NAT rule on the OpenVPN interface and new connections leaving via the VPN will have NAT applied so they appear to originate from the firewall on the side you're forwarding from.
You'd want to switch to manual outbound NAT, and then add two rules:
1. Do NOT NAT on OpenVPN with a source of your private network
2. NAT on OpenVPN with a source of any, destination of your client system (the target of the port forward)
That way your internal traffic would still go without NAT, and only the traffic coming from the Internet going to that one PC would have NAT applied.
The only thing that can NOT be done is:
1. Making this work on IPsec - that's not possible because this sort of NAT does not work with IPsec, and for the reasons mentioned previously with the Phase 2
2. Preserving the source IP on OpenVPN - yet. Possibly might be in 2.1 (there is a customer looking to fund that work if they can get approval from their employer).

What does Jimp mean when he says "private network" (in bold)? The OpenVPN network?
Also, "destination of your client system (the target of the port forward)": is this the IP address of the OpenVPN client on the OpenVPN subnet?

My networks:
siteA
LAN: 192.168.50.0/24
OpenVPN P-t-P 10.8.8.1/24
siteB
LAN: 192.168.100.0/24
OpenVPN P-t-P 10.8.8.2/24

My NAT is like this:

Port Forward

| IF | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT ports |
|---|---|---|---|---|---|---|---|
| OPT2 | TCP | public_remote_clients | * | public_virtual_IP_Address | 80 | 192.168.100.65 | 80 |

Outbound NAT

Let's not talk about the 10 or 20 different combinations of Outbound NAT I have tried; I just don't understand. The concept is probably simple but I need a clearer picture.
-
Ok I got it working now.
Here are all the parts (I include the firewall rules too for the full task):

NAT

Port Forward:

| If | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT Ports | Description |
|---|---|---|---|---|---|---|---|---|
| WAN | TCP | public_remote_client | * | WAN Address (or a virtual IP, in my case I DID) | 80 | remote_server across VPN | 80 | NAT 80 to remote server |

Outbound NAT:
(this first rule has Do Not NAT checked)

| If | Source | Src. ports | Dest. addr | Dest. ports | NAT Addr | NAT Port | Description |
|---|---|---|---|---|---|---|---|
| OpenVPN | remote network subnet across VPN | * | * | * | * | * | Do Not NAT for remote subnet across VPN |

| If | Source | Src. ports | Dest. addr | Dest. ports | NAT Addr | NAT Port | Description |
|---|---|---|---|---|---|---|---|
| OpenVPN | any | * | remote_server across VPN | 80 | * | * | NAT for remote_server on remote subnet across VPN |

Firewall

Rule for the public facing interface (i.e. WAN) for public_remote_client to pass to remote_server across VPN:

| ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|---|---|---|---|---|---|---|---|---|---|
| | TCP | public_remote_client | * | remote_server across VPN | 80 | * | none | | Pass traffic to remote_server across VPN |

And the final part for my saga…
On the remote router across the VPN (siteB), I firewall the LAN interface there. I needed to allow the "remote_server across VPN" to be able to talk to the VPN subnet. I used a /30 netmask for 4 hosts, 2 usable since it's just a site-to-site, i.e. 10.8.8.0/30.
So a firewall rule for that would look like this:

| ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
|---|---|---|---|---|---|---|---|---|---|
| | TCP | remote_server across VPN | * | OpenVPN subnet | * | * | none | | Allow remote_server across VPN reply back to OpenVPN subnet |

Hope this helps someone, it sucked for a couple days. Thanks cmb and Jimp!
The post doesn't look very good without a decent size LCD as it gets smashed on more lines and goes out of whack, fyi.
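The failure cmb describes (the reply from siteB never coming back through siteA) and the final rule set above, as an added illustration written for this thread rather than anything from pfSense or the posters: a small Python model using the thread's own addresses, with the public client and the siteA virtual IP constructed (TEST-NET ranges). It shows that without the outbound NAT rule on OpenVPN the reply from remote_server is routed out siteB's own WAN, that the NAT rule pulls it back across the VPN, and that the Do Not NAT rule leaves siteA LAN traffic untranslated.

```python
# Added illustration of the thread's NAT setup; not pfSense code.
from ipaddress import ip_address, ip_network

SITEA_VIP = "203.0.113.10"        # constructed public virtual IP on the siteA WAN
CLIENT = "198.51.100.7"           # constructed public_remote_client
SITEA_VPN_IP = "10.8.8.1"         # siteA OpenVPN endpoint (from the thread)
REMOTE_SERVER = "192.168.100.65"  # remote_server on the siteB LAN (from the thread)

# siteB router: longest-prefix match picks the egress interface for the reply.
SITEB_ROUTES = {"192.168.100.0/24": "lan", "192.168.50.0/24": "openvpn",
                "10.8.8.0/30": "openvpn", "0.0.0.0/0": "wan_siteB"}

# siteA manual outbound NAT on the OpenVPN interface, first match wins:
# rule 1 "Do Not NAT" for the siteA LAN, rule 2 NAT any -> remote_server:80.
OUTBOUND_NAT = [
    {"src": "192.168.50.0/24", "dst": "0.0.0.0/0", "dport": None, "nat": None},
    {"src": "0.0.0.0/0", "dst": REMOTE_SERVER + "/32", "dport": 80, "nat": SITEA_VPN_IP},
]

def siteb_egress(dst):
    """Interface siteB's router would send a packet for dst out of."""
    matches = [n for n in SITEB_ROUTES if ip_address(dst) in ip_network(n)]
    return SITEB_ROUTES[max(matches, key=lambda n: ip_network(n).prefixlen)]

def port_forward(pkt):
    """siteA WAN port forward: VIP:80 -> remote_server:80 (destination NAT)."""
    if pkt["dst"] == SITEA_VIP and pkt["dport"] == 80:
        return {**pkt, "dst": REMOTE_SERVER}
    return pkt

def outbound_nat(pkt, rules):
    """Apply the first matching outbound NAT rule as the packet leaves via OpenVPN."""
    for r in rules:
        if (ip_address(pkt["src"]) in ip_network(r["src"])
                and ip_address(pkt["dst"]) in ip_network(r["dst"])
                and r["dport"] in (None, pkt["dport"])):
            return {**pkt, "src": r["nat"]} if r["nat"] else pkt  # nat=None: Do Not NAT
    return pkt

def reply_egress(src, rules):
    """Where siteB's router sends remote_server's reply to a request from src."""
    on_wire = outbound_nat(port_forward({"src": src, "dst": SITEA_VIP, "dport": 80}), rules)
    return siteb_egress(on_wire["src"])  # the server replies to whatever source it saw

if __name__ == "__main__":
    print("no outbound NAT  :", reply_egress(CLIENT, []))           # wan_siteB: reply bypasses siteA
    print("with outbound NAT:", reply_egress(CLIENT, OUTBOUND_NAT))  # openvpn: reply returns via siteA
```

With no outbound NAT the reply reaches the client from siteB's public address, which the client's TCP stack does not recognise as the connection it opened, so the session never completes; with the NAT rule the reply returns over the VPN and siteA's state table undoes both translations.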