Remote Office IPSEC with NAT



  • Hi there (there is a link below to a crudely drawn network diagram),

    I followed a couple of the step-by-steps on the pfSense site, and read a lot in the forums, but I’m still having one problem. See the network diagram. First, although I can’t explain why, I cannot make changes to “Router A” at this time. I am trying to set up connectivity for a new remote office at location C. I have created Router B, which has one foot in the 192.168.4.0 subnet and one foot in the public internet with a static IP. Router A has many subnets attached, all routed with various rules in a reasonably high-security environment. Normally the users are in the 192.168.4.0 subnet, but they often traverse to the 10.1.110.0 subnet (there are no ACLs between the two subnets).

    I have created an IPsec tunnel between Router B and C. Anything attached to the 10.15.16.0 subnet can access anything on the 192.168.4.0 subnet, and the reverse is also true. I have created a static route on Router A to send anything destined for 10.15.16.0 to 192.168.4.88.

    There is a static route on Router B pointing anything destined for 10.1.110.0 to 192.168.4.1. Router B can access stuff on subnet 10.1.110.0, however any device on the 10.1.110.0 subnet cannot even ping Router B’s LAN interface 192.168.4.88.

    Additionally, nothing on the 10.15.16.0 subnet can get to the 10.1.110.0 subnet.

    I need things on the 10.15.16.0 subnet to be able to get to the 10.1.110.0 subnet.

    On Router B, I have three gateways, the Public IP #2 defined as its WANGW, another gateway called “10dotgw” pointing to 192.168.4.1, and a “remoteoff” gateway pointing at 192.168.4.88 (its own LAN interface). Routes (as mentioned) exist for the 10.1.110.0/24 using the 10dotgw and 10.15.16.0/24 using the remoteoff gateway.

    On Router C I have two gateways, the default WAN (DHCP) and “tunnel” pointing to 10.15.16.1 (its own LAN interface). Routes on C are 10.1.110.0/24 using “tunnel” and 192.168.4.0/23 also using “tunnel”.

    I have Manual NAT set on both Router B and C. On Router B I have added an outbound NAT rule for 10.15.16.0/24 using the equivalent of an any/any using the LAN address as the NAT address. On Router C I have the same, but the source is 192.168.4.0/23.

    For firewall rules, I have any/any rules for both the LAN and IPsec, and just for good measure, I created a floating rule equivalent to an any-any.

    What it comes down to is I am obviously missing something, but I can’t figure out why I can ping from Router B to the 10.1.110.0 subnet, but I can’t ping the 192.168.4.88 interface from that 10.1.110.0/24 subnet. I think I need a NAT rule on Router B and maybe a different route, I’m just not sure what it should look like.

    And then secondly, I don’t know how to set up access from the 10.15.16.0/24 subnet to the 10.1.110.0/24 subnet, but I suspect that if I answer the question above, this might just start working.

    Please let me know if I can provide any more information.

    With regards,

    Tim
    https://skydrive.live.com/?cid=bd4db0abb109cec8&id=BD4DB0ABB109CEC8%212054&v=3&ithint=photo,.gif&authkey=!AJKW27sXcw45Vg8
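To reason about a question like this one, it helps to write the three routing tables down and trace each flow hop by hop, forward and back, because a stateful firewall such as pfSense only passes a flow whose reply takes the forward path in reverse. The following is an added example, not code from the post or from pfSense: it reconstructs the routes, gateways and tunnel the post describes (every prefix, next hop and default-gateway choice below is an assumption read from the post, and the `ROUTER_ADDRS`, `HOST_GATEWAY` and `trace` names are the example's own), performs longest-prefix-match lookups, and reports whether a flow's two directions are symmetric.

```python
import ipaddress

# Topology reconstructed from the post. All of this is an assumption made for
# the example: "connected" means the router owns that subnet, "ipsec" means
# the packet enters the tunnel towards the peer router, and an IP address is
# the next hop the post names.
ROUTERS = {
    "A": {
        "192.168.4.0/24": "connected",
        "10.1.110.0/24": "connected",
        "10.15.16.0/24": "192.168.4.88",   # static route the post says was added on A
    },
    "B": {
        "192.168.4.0/24": "connected",     # LAN interface 192.168.4.88
        "10.1.110.0/24": "192.168.4.1",    # "10dotgw"
        "10.15.16.0/24": "ipsec",          # "remoteoff" gateway / tunnel to C
    },
    "C": {
        "10.15.16.0/24": "connected",      # LAN interface 10.15.16.1
        "10.1.110.0/24": "ipsec",          # "tunnel" gateway
        "192.168.4.0/23": "ipsec",
    },
}
NEXT_HOP_OWNER = {"192.168.4.1": "A", "192.168.4.88": "B"}   # router behind each next-hop IP
ROUTER_ADDRS = {"192.168.4.1": "A", "192.168.4.88": "B", "10.15.16.1": "C"}
TUNNEL_PEER = {"B": "C", "C": "B"}
# Default gateway of end hosts in each subnet (assumption: 192.168.4.x hosts use A).
HOST_GATEWAY = {"10.1.110.0/24": "A", "192.168.4.0/24": "A", "10.15.16.0/24": "C"}


def lookup(router, dst):
    """Longest-prefix match in one router's table; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in ROUTERS[router].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def first_hop(src):
    """Router that first sees a packet from src: the host's default gateway."""
    addr = ipaddress.ip_address(src)
    for prefix, gw in HOST_GATEWAY.items():
        if addr in ipaddress.ip_network(prefix):
            return gw
    raise ValueError(f"no gateway known for {src}")


def trace(src, dst):
    """Routers a packet src->dst crosses, ending in 'delivered', 'no route' or 'loop'."""
    path = []
    router = ROUTER_ADDRS.get(src) or first_hop(src)   # a router may itself be the source
    while router not in path:
        path.append(router)
        if ROUTER_ADDRS.get(dst) == router:
            return path + ["delivered"]                # destination is this router's own address
        nh = lookup(router, dst)
        if nh is None:
            return path + ["no route"]
        if nh == "connected":
            owner = ROUTER_ADDRS.get(dst)
            if owner and owner != router:
                path.append(owner)                     # delivered to another router's interface
            return path + ["delivered"]
        router = TUNNEL_PEER[router] if nh == "ipsec" else NEXT_HOP_OWNER[nh]
    return path + ["loop"]


def is_symmetric(src, dst):
    """True when the reply path is the forward path reversed (what a stateful
    firewall needs so both directions hit the same state table)."""
    fwd = trace(src, dst)[:-1]
    rev = trace(dst, src)[:-1]
    return fwd == list(reversed(rev))


if __name__ == "__main__":
    # The three flows the post asks about, with constructed host addresses.
    for src, dst in [("192.168.4.88", "10.1.110.7"),
                     ("10.1.110.7", "192.168.4.88"),
                     ("10.15.16.5", "10.1.110.7")]:
        print(f"{src} -> {dst}: {' > '.join(trace(src, dst))}"
              f"  symmetric={is_symmetric(src, dst)}")
```

Run as written, the model delivers all three flows over symmetric paths (for example C > B > A for 10.15.16.0/24 to 10.1.110.0/24, and A > B > C back). That is the useful outcome of such a trace: when plain route lookup cannot reproduce a failure the post reports, the cause lies in something the model does not represent, such as filtering on a router, NAT state, or a reply that leaves an interface the firewall did not see the request on, and that narrows where to look next.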

