IPSEC and NAT

  • Hello everyone,

    Here is my problem. I need to create an IPSEC VPN with an institution which must reach a machine present in my DMZ (192.168.0.0/24). This institution, however, must reach the machine in the DMZ network by pointing to a network set by them (10.210.xx/29). I then proceeded to create an IPSEC VPN, putting 10.210.xx as the local network and 10.50.xx/29 as the remote network. I then created a port forwarding on the IPSEC interface for FTP connections directed to 10.210.xx, forwarding the connections to a machine on the 192.168.0.0/24 DMZ network. I then started the VPN, which is established correctly. I noticed, however, that on pfSense, in the routing table, I cannot find a route for 10.50.xx/29. In addition, the institution cannot reach my FTP server present in the DMZ. In your opinion, is this a configuration that is manageable from pfSense (version 2.0.1)? Have you any idea what could be the problem? Thank you.

  • Since you want to present your DMZ through the VPN you should configure 192.168.0.0/24 as local network for the VPN. No port forwarding is required - you will have direct routing through the tunnel.
    Then add some firewall rules on the IPSEC interface.

  • @nothing:

    Since you want to present your DMZ through the VPN you should configure 192.168.0.0/24 as local network for the VPN. No port forwarding is required - you will have direct routing through the tunnel.
    Then add some firewall rules on the IPSEC interface.

    My local network must be the network chosen by the institution (10.210.xx/29); I have no choice, because they must reach the machine by pointing to the network set by them. If I configure 192.168.0.0/24 as the local network, the VPN does not work, because there is a mismatch between the networks configured in pfSense and the networks configured on the institution's router.

  • You won't see a route for the IPSEC.
    What does the port forwarding rule look like?

  • @nothing:

    You won't see a route for the IPSEC.
    What does the port forwarding rule look like?

    The port forwarding rule is:
    If: IPsec, Proto: TCP, Src. addr: *, Src. ports: *, Dest. addr: 10.210.x.x/29, Dest. ports: 21, NAT IP: 192.168.0.x, NAT ports: 21

  • NAT before IPsec was implemented in 2.1: http://blog.pfsense.org/?p=712

    As far as I know, it never worked before (I haven't tested on 2.1, but it's supposed to work).
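    As an added illustration (not from the thread or from pfSense's own code) of why the port forward alone cannot carry the FTP replies and what "NAT before IPsec" changes: a simplified model of phase-2 traffic selectors. The addresses are constructed placeholders standing in for the thread's 10.210.xx/29, 10.50.xx/29 and 192.168.0.x, and the model reduces IPsec policy lookup to a selector match.

```python
import ipaddress

# Constructed placeholder values (assumptions, not the poster's real addresses).
LOCAL_SELECTOR = ipaddress.ip_network("10.210.0.0/29")   # "local network" in phase 2
REMOTE_SELECTOR = ipaddress.ip_network("10.50.0.0/29")   # institution's network in phase 2
DMZ_SERVER = ipaddress.ip_address("192.168.0.10")        # real FTP server in the DMZ
PUBLISHED_IP = ipaddress.ip_address("10.210.0.2")        # address the institution connects to


def matches_phase2(src, dst):
    """True if an outbound packet's (src, dst) pair falls inside the tunnel's
    traffic selectors (local -> remote). Anything else is not sent over the SA."""
    return (ipaddress.ip_address(src) in LOCAL_SELECTOR
            and ipaddress.ip_address(dst) in REMOTE_SELECTOR)


def inbound_port_forward(src, dst, dport):
    """Model the thread's port forward on the IPsec interface: TCP/21 to the
    published address is rewritten to the DMZ server (destination NAT only)."""
    if ipaddress.ip_address(dst) == PUBLISHED_IP and dport == 21:
        return (src, str(DMZ_SERVER), dport)
    return (src, dst, dport)


def reply_path(client_ip, nat_before_ipsec):
    """Follow one FTP control connection from the institution and report whether
    the server's reply can be carried back through the tunnel.
    nat_before_ipsec=False: the reply leaves the server as 192.168.0.x and never
    matches the local selector (the 2.0.x situation described in the thread).
    nat_before_ipsec=True: the source is translated back to the published 10.210.x
    address before IPsec policy lookup (the 2.1 "NAT before IPsec" feature)."""
    # Inbound: decrypted packet from the institution's client to the published address.
    src, dst, dport = inbound_port_forward(client_ip, str(PUBLISHED_IP), 21)
    # Reply: server -> client, source is the real DMZ address unless re-translated.
    reply_src, reply_dst = dst, src
    if nat_before_ipsec:
        reply_src = str(PUBLISHED_IP)
    return matches_phase2(reply_src, reply_dst)
```

A client outside the remote selector (e.g. 10.50.1.5 here) is rejected in both modes, which is the selector mismatch the earlier reply warns about when the local or remote network does not match the institution's configuration.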

  • Thank you, I'll do some testing with 2.1 and I'll let you know.