NAT port forward over VPN
-
Hey guys!
I'm trying to forward a port from one pfSense setup to a server on the LAN of another pfSense setup, over a VPN that the two are linked by. I've been following this thread but haven't had much success: https://forum.pfsense.org/index.php?topic=57970.0
The two sites:
Far side: (vpn server)
Public 1.2.3.4
VPN address: 192.168.230.1
Near side: (vpn client, and where the destination server is)
Public 5.6.7.8
VPN address: 192.168.230.2
LAN: 192.168.1.0/24
The port in question is port 222, so the idea is that any tcp connection made to 1.2.3.4:222 eventually gets routed to 192.168.1.200:222, a server on the "Near side".
I'm able to do this while SSHed into the "Far side" already:
```
[2.1.3-RELEASE][admin@myserver.com]/root(26): telnet 192.168.230.2 222
Trying 192.168.230.2...
Connected to 192.168.230.2.
Escape character is '^]'.
```
So the "Far side" is able to reach the "Near side" over vpn, and the "Near side"'s vpn address is already NATed and port forwarding port 222 to its destination. This is good (?).
However, when I add a NAT rule and use 192.168.230.2 as the destination, it doesn't work. I've been trying many different firewall rules in addition to what's added just for the NAT, but I can't get it to work. What needs to be done?
I'm not sure how useful this is, but these are the lines relating to port 222 in /tmp/rules.debug:
```
rdr on ovpns1 proto tcp from any to any port 222 -> 192.168.230.2
pass in quick on $VPN_HOME $GWVPNGW inet proto tcp from any to 192.168.230.2 port 222 flags S/SA keep state label "USER_RULE: Port forward over vpn test"
```
$VPN_HOME is the name of the interface that this vpn connection is assigned to (as the thread linked above suggested setting up). Any ideas would be very appreciated :)
-
Look at the diagram in my sig. So you want to have connections into pfSense A 172.27.0.5 port forwarded to Host B1?
I know the OpenVPN instance on pfSense B will need an assigned interface or reply-to will be broken. And rules on pfSense B's OpenVPN tab cannot match the inbound traffic or reply-to will be broken. Other than that, you just have to make sure the firewall rules on pfSense B's OVPNC1 pass traffic from any (or at least the hosts hitting the port forward) to 172.26.2.100.
https://forum.pfsense.org/index.php?topic=82732.msg453269#msg453269
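Putting the question's addresses together with the reply's point about reply-to, here is what the two rulesets look like written out in pf syntax. This is an added illustration, not something posted in the thread and not pfSense's generated output; the interface names (em0, ovpns1, ovpnc1), the macro names, and the placement of the far side's rdr on WAN are assumptions, chosen so that the redirect sits on the interface where connections to 1.2.3.4:222 actually enter.

```pf
# Added illustration, not from the thread. Interface names are assumptions:
# em0 = WAN on each box, ovpns1 = server-side OpenVPN interface,
# ovpnc1 = client-side OpenVPN interface, each assigned as a pfSense
# interface so the firewall generates reply-to on its rules.

# ---- Far side (VPN server: public 1.2.3.4, VPN 192.168.230.1) ----
WAN      = "em0"
WAN_IP   = "1.2.3.4"
VPN_PEER = "192.168.230.2"

# The connection enters on WAN, so the rdr is placed on WAN rather than on
# the VPN interface: an rdr only matches packets arriving on the interface
# it names.
rdr on $WAN inet proto tcp from any to $WAN_IP port 222 -> $VPN_PEER port 222

# pf applies translation before filtering, so the pass rule has to match
# the translated destination (the peer's VPN address), not 1.2.3.4.
pass in quick on $WAN inet proto tcp from any to $VPN_PEER port 222 \
    flags S/SA keep state label "fwd 222 to near side over VPN"

# ---- Near side (VPN client: public 5.6.7.8, VPN 192.168.230.2, LAN 192.168.1.0/24) ----
OVPNC  = "ovpnc1"
VPN_IP = "192.168.230.2"
SRV    = "192.168.1.200"

# Second hop of the forward: traffic reaching the VPN address is redirected
# to the LAN host. The question's telnet test shows this hop already works.
rdr on $OVPNC inet proto tcp from any to $VPN_IP port 222 -> $SRV port 222

# As the reply notes, this pass rule belongs on the assigned OVPNC1
# interface, not the OpenVPN group tab, so that reply-to is attached and the
# server's replies go back through the tunnel instead of the default gateway.
pass in quick on $OVPNC inet proto tcp from any to $SRV port 222 \
    flags S/SA keep state label "fwd 222 from VPN to server"
```

pfSense writes these rules itself from the NAT and Firewall pages, so the fragment is meant for comparison against /tmp/rules.debug on each box: check that the far side's rdr is on the interface where the port-222 connections arrive, that each pass rule names the translated destination and port, and that the near side's pass rule carries a reply-to pointing back at the tunnel.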
-