NAT and Port forwarding through a GRE tunnel



  • Good day. I have two working sites, A and B, both with pfSense routers connected via a GRE tunnel over the internet.

    Both sites have OPT1 enabled for the GRE tunnel and a gateway enabled for each.  I have a LAN rule at site A to forward all traffic for the email server's IP address to this GRE tunnel gateway.  At site B I have enabled manual NAT and configured it for my site A IP address.

    I have used any/any firewall rules on the OPT interfaces to allow traffic.  The email server has access to the internet using the NAT IP address of site B's WAN rather than site A's, which is the part that works.

    My issue is setting up a port forward on site B's WAN address to my email server at site A.

    WAN TCP * * WAN address 25 (SMTP) 10.11.11.27 25 (SMTP)

    I have performed packet captures on the WAN, LAN and GRE interfaces at site A.  I see the SYN packet come in via OPT from site B, the SYN go out to the LAN, and the SYN-ACK come back on the LAN from the server.  The SYN-ACK then seems to go out of the WAN of site A, not back into the GRE tunnel via OPT.

    Here is the packet capture output.  I believe my timeline and analysis are correct; I think the term might be asymmetric routing.

    
    OPT (GRE)
    listening on gre0, link-type NULL (BSD loopback), capture size 96 bytes
    19:54:04.896089 IP 82.x.x.x.11834 > 10.11.11.27.smtp: Flags [S], seq 4261982946, win 14600, options [mss 1432,sackOK,TS val 4685246 ecr 0,nop,wscale 7], length 0
    
    LAN
    listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
    19:54:04.896313 IP 82.x.x.x.11834 > 10.11.11.27.smtp: Flags [S], seq 4261982946, win 14600, options [mss 1432,sackOK,TS val 4685246 ecr 0,nop,wscale 7], length 0
    19:54:04.897851 IP 10.11.11.27.smtp > 82.x.x.x.11834: Flags [S.], seq 1524547, ack 4261982947, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 3371879 ecr 4685246], length 0
    
    WAN
    listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
    19:54:04.897898 IP 10.11.11.27.smtp > 82.x.x.x.11834: Flags [S.], seq 1524547, ack 4261982947, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 3371879 ecr 4685246], length 0
    
    From my internet research I have tried creating a floating rule, selecting the OPT interface, allowing any/any traffic, and changing the state from "keep" to "none".  This was also combined with changing the OPT1 interface any/any rule's state from "keep" to "none".
    
    This has not worked and I am at a loss.  Could a kind soul please assist?
    
    Kind Regards
    James
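The asymmetry described in the post can be confirmed mechanically rather than by eye. The following is an added example, not code from the original post or from pfSense: it parses per-interface tcpdump output, pairs each SYN with its SYN-ACK by 4-tuple, and reports any flow whose reply did not traverse the same set of interfaces as the request. The sample captures embedded below are constructed from the three captures quoted above; the interface names gre0, em0 and em1 are taken from them.

```python
import re
from collections import defaultdict

# Constructed sample input: the three per-interface captures from the post
# (gre0 = OPT/GRE, em0 = LAN, em1 = WAN), reduced to their tcpdump packet lines.
CAPTURES = {
    "gre0": """\
19:54:04.896089 IP 82.x.x.x.11834 > 10.11.11.27.smtp: Flags [S], seq 4261982946, win 14600, options [mss 1432,sackOK,TS val 4685246 ecr 0,nop,wscale 7], length 0
""",
    "em0": """\
19:54:04.896313 IP 82.x.x.x.11834 > 10.11.11.27.smtp: Flags [S], seq 4261982946, win 14600, options [mss 1432,sackOK,TS val 4685246 ecr 0,nop,wscale 7], length 0
19:54:04.897851 IP 10.11.11.27.smtp > 82.x.x.x.11834: Flags [S.], seq 1524547, ack 4261982947, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 3371879 ecr 4685246], length 0
""",
    "em1": """\
19:54:04.897898 IP 10.11.11.27.smtp > 82.x.x.x.11834: Flags [S.], seq 1524547, ack 4261982947, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 3371879 ecr 4685246], length 0
""",
}

# Matches the start of a tcpdump -n style TCP line: timestamp, endpoints, flags.
# Ports may be numeric or service names ("smtp"), and the redacted "82.x.x.x"
# is accepted because the host part is any non-whitespace run.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Yield (src, sport, dst, dport, flags) for every line that parses as TCP."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["sport"], m["dst"], m["dport"], m["flags"]


def find_asymmetric_flows(captures):
    """Return {flow: (syn_ifaces, synack_ifaces)} for flows whose SYN-ACK was
    seen on a different set of interfaces than the SYN.

    flow is keyed from the client's point of view (src, sport, dst, dport).
    A symmetric path shows the SYN and the SYN-ACK on the same interfaces
    (ingress and egress); a mismatch is asymmetric routing.
    """
    syn_seen = defaultdict(set)
    synack_seen = defaultdict(set)
    for iface, text in captures.items():
        for src, sport, dst, dport, flags in parse_capture(text):
            if flags == "S":          # bare SYN: client -> server
                syn_seen[(src, sport, dst, dport)].add(iface)
            elif flags == "S.":       # SYN-ACK: server -> client, re-key on the client side
                synack_seen[(dst, dport, src, sport)].add(iface)
    result = {}
    for flow, req_ifaces in syn_seen.items():
        reply_ifaces = synack_seen.get(flow, set())
        if reply_ifaces and reply_ifaces != req_ifaces:
            result[flow] = (req_ifaces, reply_ifaces)
    return result


def describe(asym):
    """Render the result of find_asymmetric_flows as one line per flow."""
    lines = []
    for (src, sport, dst, dport), (req, rep) in asym.items():
        lines.append(
            f"{src}:{sport} -> {dst}:{dport}: SYN on {sorted(req)}, "
            f"SYN-ACK on {sorted(rep)}; reply left via {sorted(rep - req)} "
            f"instead of {sorted(req - rep)}"
        )
    return lines


if __name__ == "__main__":
    for line in describe(find_asymmetric_flows(CAPTURES)):
        print(line)
```

For the captures above this reports the single SMTP flow with the SYN on gre0 and em0 but the SYN-ACK on em0 and em1, i.e. the reply left via em1 (WAN) instead of gre0, which is exactly the asymmetric path the post describes. To use it on real captures, run `tcpdump -ni <iface> 'tcp port 25'` on each interface and paste each output into the dictionary under its interface name.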
    


  • I have managed to get this configuration working with Cisco routers at both ends, but still not with pfSense.

    I got the idea from this doc
    https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel

    This guide also successfully allows me to have a NATted address on site B for a host on site A, but not with port forwards.
    I'm using GRE as I think I read that the way pfSense handles IPsec traffic won't ever support port forwards from the internet connection at site B into a host at site A.

    Does anyone know if the configuration with GRE, where you port forward from the internet into site B's pfSense firewall and then route it into the tunnel to a host at site A, is possible with pfSense?

    Perhaps the same limitation stops both setups from working; I think it was something about the way pfSense grabs the packet from the kernel?

    Regards



  • My issue is now resolved after doing an in-place upgrade to 2.2-RC (i386),
    built on Fri Jan 09 09:52:49 CST 2015, at one end and 2.2-RC (amd64),
    built on Fri Jan 09 09:55:04 CST 2015,
    FreeBSD 10.1-RELEASE-p3, at the other.

    One GRE tunnel refuses to come up, however, until I issue the command ifconfig gre0 up.
    I saw a bug report for this which marked the issue as resolved; I might make a new bug report for it.

