NAT and Port forwarding through a GRE tunnel

Moondew · Dec 21, 2014, 9:09 PM

Good Day, I have working two sites, A and B both with PFsense Routers connected via GRE tunnel over the internet.

Both sites have OPT1 enabled for the GRE tunnel and a gateway enabled for each. I have a LAN rule at site A to forward all traffic for email server's IP address to this GRE tunnel gateway. At site B I have enabled manual NAT and configured it for my Site A IP address.

I have used any any firewall rules on the OPT interfaces to allow traffic. The Email server has access to the internet using the NAT IP address of Site B's WAN, rather than Site A, which is the part that works.

My issue is setting up a port forward on Site B's WAN address to my email server at site A.

WAN TCP * * WAN address 25 (SMTP) 10.11.11.27 25 (SMTP)

I have performed packet capture using the WAN, LAN and GRE interface at Site A. I see the SYN packet come in via OPT from site B, SYN to the LAN, The SYN ACK on the LAN back from the server. The Syn Ack then seems to go to the WAN of site A, not back into the GRE tunnel via OPT

Here is the packet filter output, I believe my timeline and analysis is correct, I think the term might be asymmetrical Routing


Opt (GRE)
listening on gre0, link-type NULL (BSD loopback), capture size 96 bytes
19:54:04.896089 IP 82.x.x.x.11834 > 10.11.11.27.smtp: Flags [s], seq 4261982946, win 14600, options [mss 1432,sackOK,TS val 4685246 ecr 0,nop,wscale 7], length 0

 LAN
listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
19:54:04.896313 IP 82.x.x.x.11834 > 10.11.11.27.smtp: Flags [s], seq 4261982946, win 14600, options [mss 1432,sackOK,TS val 4685246 ecr 0,nop,wscale 7], length 0
19:54:04.897851 IP 10.11.11.27.smtp > 82.x.x.x.11834: Flags [S.], seq 1524547, ack 4261982947, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 3371879 ecr 4685246], length 0

WAN
listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes 
19:54:04.897898 IP 10.11.11.27.smtp > 82.x.x.x.11834: Flags [S.], seq 1524547, ack 4261982947, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 3371879 ecr 4685246], length 0

From my internet research I have tried creating a floating rule, selecting the opt interface, allow any any traffic, and changing the state from "keep" to "none"  This was also with changing the OPT1 interface any any rule to "none" keep state

This has not worked, I am at a loss.  Please could a kind soul assist ?

Kind Regards
James
[/s][/s]

Moondew · Jan 9, 2015, 4:36 PM

I have managed to get this configuration working with Cisco Routers at both ends, however still not with pfSense

I got the idea from this doc
https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel

This guide also successfully allows me to have a natted address on site B from a host on site A, but not with port forwards.
I'm using GRE as I think that I read the way pfSense handles IPsec traffic wont ever support port forwards from the internet connection at Site B into a host at site A.

Does anyone know if the configuration with GRE, where you can port forward from the internet into site B's pfSense firewall, then route it into the tunnel to a host at site A is possible with pfSense ?

Perhaps the same limitation stop both setups from working, I think it was something about the way pfSense grabs the packet from the kernel ?

Regards

Moondew · Jan 10, 2015, 1:28 AM

My issue is now resolved after doing an in place upgrade to 2.2-RC (i386)
built on Fri Jan 09 09:52:49 CST 2015 at one end and 2.2-RC (amd64)
built on Fri Jan 09 09:55:04 CST 2015
FreeBSD 10.1-RELEASE-p3 at the other

One GRE tunnel refuses to come up however until I issue the command ifconfig gre0 up
I saw a bug report for this, which marked this issue as resolved, i might make a new bug report for this.