    NAT and Port forwarding through a GRE tunnel
    Moondew:

      Good day. I have two working sites, A and B, both with pfSense routers connected via a GRE tunnel over the internet.

      Both sites have OPT1 enabled for the GRE tunnel and a gateway enabled for each. I have a LAN rule at site A to forward all traffic for the email server's IP address to this GRE tunnel gateway. At site B I have enabled manual NAT and configured it for my site A IP address.

      I have used any/any firewall rules on the OPT interfaces to allow traffic. The email server has access to the internet using the NAT IP address of site B's WAN, rather than site A, which is the part that works.

      My issue is setting up a port forward on site B's WAN address to my email server at site A:

      WAN TCP * * WAN address 25 (SMTP) 10.11.11.27 25 (SMTP)

      I have performed packet captures on the WAN, LAN and GRE interfaces at site A. I see the SYN packet come in via OPT from site B, the SYN go out to the LAN, and the SYN-ACK come back on the LAN from the server. The SYN-ACK then seems to go out of the WAN of site A, not back into the GRE tunnel via OPT.

      Here is the packet filter output. I believe my timeline and analysis are correct; I think the term might be asymmetrical routing.

      
      OPT (GRE)
      listening on gre0, link-type NULL (BSD loopback), capture size 96 bytes
      19:54:04.896089 IP 82.x.x.x.11834 > 10.11.11.27.smtp: Flags [S], seq 4261982946, win 14600, options [mss 1432,sackOK,TS val 4685246 ecr 0,nop,wscale 7], length 0

      LAN
      listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
      19:54:04.896313 IP 82.x.x.x.11834 > 10.11.11.27.smtp: Flags [S], seq 4261982946, win 14600, options [mss 1432,sackOK,TS val 4685246 ecr 0,nop,wscale 7], length 0
      19:54:04.897851 IP 10.11.11.27.smtp > 82.x.x.x.11834: Flags [S.], seq 1524547, ack 4261982947, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 3371879 ecr 4685246], length 0

      WAN
      listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
      19:54:04.897898 IP 10.11.11.27.smtp > 82.x.x.x.11834: Flags [S.], seq 1524547, ack 4261982947, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 3371879 ecr 4685246], length 0
      
      From my internet research I have tried creating a floating rule, selecting the OPT interface, allowing any/any traffic, and changing the state from "keep" to "none". This was also with changing the OPT1 interface any/any rule from "keep state" to "none".
      
      This has not worked and I am at a loss. Please could a kind soul assist?
      
      Kind Regards
      James
      
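The diagnosis in the post above (SYN arrives on gre0, SYN-ACK leaves on em1) can be checked mechanically rather than by eye. The following script is an added example, not code from the post or from pfSense: it parses per-interface tcpdump lines, takes the earliest sighting of a SYN as its ingress interface and the latest sighting of the matching SYN-ACK as its egress interface, and flags flows where the two differ. The sample capture is constructed from the post, with the masked public address replaced by the documentation address 203.0.113.5.

```python
import re

# Constructed sample modelled on the three captures in the post (public
# address replaced by 203.0.113.5). tcpdump prints [S] for SYN, [S.] for SYN-ACK.
CAPTURES = {
    "gre0": "19:54:04.896089 IP 203.0.113.5.11834 > 10.11.11.27.smtp: Flags [S], seq 4261982946, win 14600, length 0",
    "em0": (
        "19:54:04.896313 IP 203.0.113.5.11834 > 10.11.11.27.smtp: Flags [S], seq 4261982946, win 14600, length 0\n"
        "19:54:04.897851 IP 10.11.11.27.smtp > 203.0.113.5.11834: Flags [S.], seq 1524547, ack 4261982947, win 8192, length 0"
    ),
    "em1": "19:54:04.897898 IP 10.11.11.27.smtp > 203.0.113.5.11834: Flags [S.], seq 1524547, ack 4261982947, win 8192, length 0",
}

# Matches the start of a tcpdump TCP summary line: timestamp, endpoints, flags.
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+?)\.(?P<sport>\w+) > "
    r"(?P<dst>\S+?)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(iface, line):
    """Parse one tcpdump TCP line into a dict tagged with its interface, or None."""
    m = PKT_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["iface"] = iface
    return pkt

def find_asymmetric_flows(captures):
    """Flows whose SYN-ACK left on a different interface than the SYN arrived on.

    captures maps interface name -> tcpdump text. Earliest SYN sighting = ingress,
    latest SYN-ACK sighting = egress; on a symmetric path they are the same.
    Returns a list of (flow, syn_ingress_iface, synack_egress_iface).
    """
    events = []
    for iface, text in captures.items():
        for line in text.splitlines():
            pkt = parse_line(iface, line)
            if pkt:
                events.append(pkt)
    events.sort(key=lambda p: p["ts"])  # same-format timestamps sort lexically
    syn_ingress, synack_egress = {}, {}
    for p in events:
        flow = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            syn_ingress.setdefault(flow, p["iface"])   # keep the first sighting
        elif p["flags"] == "S.":
            reverse = (p["dst"], p["dport"], p["src"], p["sport"])
            synack_egress[reverse] = p["iface"]         # keep the last sighting
    return [(flow, syn_ingress[flow], out) for flow, out in synack_egress.items()
            if flow in syn_ingress and syn_ingress[flow] != out]
```

Running it on the sample reports the SMTP flow with SYN ingress gre0 and SYN-ACK egress em1, which is exactly the reply-leaking-out-the-WAN behaviour the capture shows.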
      Moondew:

        I have managed to get this configuration working with Cisco routers at both ends; however, still not with pfSense.

        I got the idea from this doc:
        https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel

        This guide also successfully allows me to have a NATed address on site B from a host on site A, but not with port forwards.
        I'm using GRE as I think I read that the way pfSense handles IPsec traffic won't ever support port forwards from the internet connection at site B into a host at site A.

        Does anyone know if the configuration with GRE, where you can port forward from the internet into site B's pfSense firewall and then route it into the tunnel to a host at site A, is possible with pfSense?

        Perhaps the same limitation stops both setups from working; I think it was something about the way pfSense grabs the packet from the kernel?

        Regards

        Moondew:

          My issue is now resolved after doing an in-place upgrade to 2.2-RC (i386)
          built on Fri Jan 09 09:52:49 CST 2015 at one end and 2.2-RC (amd64)
          built on Fri Jan 09 09:55:04 CST 2015,
          FreeBSD 10.1-RELEASE-p3, at the other.

          One GRE tunnel refuses to come up, however, until I issue the command ifconfig gre0 up.
          I saw a bug report for this which marked the issue as resolved; I might make a new bug report for it.
