NAT to IP on other site of VPN tunnel
-
Hello,
I have a working IPSec VPN tunnel between two locations and want to forward Port 80 from site A to site B. Diagnostics -> Ping is working for source address: LAN.
I just added a NAT rule but this is not working (time out).
In the log files on site A I can see that the request passes, so I think the problem is on site B (where the server is). The same works for an internal site A IP address.
Any ideas?
Thanks and best regards,
Thorsten
-
Are you using public IP on site A that you want to forward to server on site B ?
Also, ping (ICMP) will not be accepted if you only forwarded port 80 (http).
-
Site A: Public IP: 1.2.3.4
Site A: Internal Network: 192.168.0.0/24
Site B: Public IP: 4.3.2.1
Site B: Internal Network: 192.168.10.0/24
I want to NAT Port 80 1.2.3.4 to 192.168.10.10
The tunnel is working.
-
Have you been looking at the traffic flow using tcpdump on site B to see if requests reach the server and what happens when the server responds?
Syntax in shell: tcpdump -i LANIF -n host externalclient
Where LANIF should be replaced with whatever interface on pfSense your server is connected to, and externalclient replaced by the IP of the client on the internet trying to reach the server.
If you don't see any responses from the server here, then try to change LANIF to what corresponds to your WAN interface and try again.
If so, you might have a case of what is called asymmetric routing, i.e. a client on the internet surfs to your public IP on site A, the traffic flows over to site B through IPsec and eventually reaches the server on site B. The quirk is that the server on site B cannot find the client IP in any routing table except the default route, and that points out through the WAN interface of site B.
In that case you'll have to rewrite the source address at site A.
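To make the asymmetric-routing explanation above concrete, here is an added example (not from the thread or from pfSense) that models both firewalls as a routing table plus the IPsec phase-2 selectors and traces which interface each side picks for the request and for the server's reply. The addresses are the ones Thorsten posted; the client IP 203.0.113.5 and the site A LAN address 192.168.0.1 are assumptions. The model checks the phase-2 selector in both directions, so it also shows that with a policy-based tunnel the unrewritten request itself does not match the tunnel policy at site A; rewriting the source at site A (outbound NAT on the IPsec interface) fixes both directions.

```python
import ipaddress

IP = ipaddress.ip_address
NET = ipaddress.ip_network


class Router:
    """Minimal model of one pfSense box: a routing table and the IPsec
    phase-2 selectors. Policy-based IPsec is consulted before the routing
    table, as the kernel's SPD lookup happens before the route lookup."""

    def __init__(self, name, routes, ipsec_selectors):
        self.name = name
        self.routes = [(NET(n), ifname) for n, ifname in routes]
        self.ipsec = [(NET(local), NET(remote)) for local, remote in ipsec_selectors]

    def egress(self, src, dst):
        """Interface a packet from src to dst leaves on: 'ipsec', 'lan' or 'wan'."""
        src, dst = IP(src), IP(dst)
        for local, remote in self.ipsec:
            if src in local and dst in remote:
                return "ipsec"
        # Longest-prefix match; the 0.0.0.0/0 default route only wins when
        # nothing more specific covers the destination.
        best = max((r for r in self.routes if dst in r[0]),
                   key=lambda r: r[0].prefixlen)
        return best[1]


# Topology from the thread (constructed model, not a pfSense export).
SITE_A = Router("siteA",
                routes=[("0.0.0.0/0", "wan"), ("192.168.0.0/24", "lan")],
                ipsec_selectors=[("192.168.0.0/24", "192.168.10.0/24")])
SITE_B = Router("siteB",
                routes=[("0.0.0.0/0", "wan"), ("192.168.10.0/24", "lan")],
                ipsec_selectors=[("192.168.10.0/24", "192.168.0.0/24")])

PUBLIC_A = "1.2.3.4"           # site A public IP, port 80 forwarded
SERVER_B = "192.168.10.10"     # target of the port forward on site B
SITE_A_LAN_IP = "192.168.0.1"  # assumed LAN address of the site A pfSense


def trace(client_ip, rewrite_source):
    """Return the interface site A uses for the forwarded request and the
    interface site B uses for the server's reply.

    rewrite_source=False: plain port forward 1.2.3.4:80 -> 192.168.10.10.
    rewrite_source=True:  the same, plus outbound NAT on the IPsec
    interface at site A so the server sees a site A LAN address."""
    src, dst = client_ip, SERVER_B          # after the port forward rewrote dst
    if rewrite_source:
        src = SITE_A_LAN_IP
    request_if = SITE_A.egress(src, dst)
    # The server answers whatever source address it saw; site B then has to
    # find a path for that address.
    reply_if = SITE_B.egress(SERVER_B, src)
    return {"request_from_A": request_if, "reply_from_B": reply_if}


if __name__ == "__main__":
    client = "203.0.113.5"  # assumed client on the internet
    for rewrite in (False, True):
        print("rewrite source at site A:", rewrite, "->", trace(client, rewrite))
```

Without the rewrite the reply to 203.0.113.5 only matches site B's default route and leaves via site B's WAN, which is exactly what the tcpdump on the WAN interface in the post above would show; with the source rewritten to 192.168.0.1 both the request and the reply match the phase-2 selectors and stay inside the tunnel.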