3

I have a multi-site VPN currently running with pfSense boxes and currently using OpenVPN. However I can change the OS and VPN type if need be.

The main router has a 10.13.0.0/16 subnet and a series of public IPs.

For example, a branch has a 10.12.1.0/24 subnet.

How can I port forward NAT traffic on a public IP of the main router to a server behind the NAT of the second? So for instance, port 95 on a public IP assigned to the main router forwards to 10.12.1.102 on the other router.

Is this even possible? Currently my setup works great, but only for internal traffic.

Charlie
  • 31
  • 1
  • 2

2 Answers

4

You will use 1:1 NAT to map a public IP to a private IP. Theoretically you can stack multiple layers of 1:1 NAT. For example:

1.1.1.1 ---[1:1 NAT]---> 2.2.2.2 ---[1:1 NAT]---> 3.3.3.3

Or if you only want one port to go behind your two routers, the same is possible with simple port forwarding rules. Example:

1.1.1.1:95 ---[port forward]---> 2.2.2.2:95 ---[port forward]---> 3.3.3.3:95

The pfSense boxes will maintain the session tables and accurately move traffic back and forth through the multiple forwards.

Wesley
  • 32,690
  • 9
  • 82
  • 117
  • So let's say then 1.1.1.1 is the public IP and 3.3.3.3 is the destination private. What is 2.2.2.2? Is that the tunnel IP (in OpenVPN) of one of the sites? – Charlie Dec 15 '12 at 20:50
  • @Charlie Yes. 1.1.1.1 is the theoretical public IP, 3.3.3.3 is the destination, and 2.2.2.2 is whatever intermediary IP you have to go through. In your case, it's the VPN's IP address that faces 1.1.1.1. – Wesley Dec 15 '12 at 21:10
  • Hmm, well now I can see traffic come to 3.3.3.3 and attempt to go back out but it appears to be dying before going out of 2.2.2.2. Do I need some outbound NAT rules to match that? – Charlie Dec 15 '12 at 22:14
  • @Charlie There's no need for any kind of outbound NAT rules, as NAT inherently manages inbound and outbound traffic correlation. I would suspect some kind of routing rule is at play, apart from NAT. – Wesley Dec 15 '12 at 22:36
  • The routes look good from here, but I'm really not sure. What would you recommend I look for? There are no static routes in place. Could it be a problem with pfSense itself? – Charlie Dec 16 '12 at 00:19
1

All you need is a port forward on both of your routers.

Let's name your router interfaces for easier explanation:

10.12.0.0/16 router : Router-1
    WAN interface: Router-1-ext (this should have a public IP)
    LAN interface: Router-1-int (this should have a 10.13.x.x IP)

10.12.1.0/16 router : Router-2
    WAN/NAT interface: Router-2-ext (this should have a 10.13.x.x IP) * *
    LAN interface: Router-2-int (this should have a 10.12.x.x IP)

Router-1

In pf.conf, add the following port forwarding rule:

    # rdr-to is OpenBSD pf syntax; pfSense (FreeBSD pf) spells the same rule as: rdr on <Router-1-ext> proto tcp from any to any port 90 -> <Router-2-ext IP>
    pass in on <Router-1-ext> proto tcp from any to any port 90 rdr-to <Router-2-ext IP>

Router-2

In pf.conf, add the following port forwarding rule:

    # <Router-2-ext> is a placeholder for the interface name (per the PS below, the VPN tunnel interface, not the physical WAN)
    pass in on <Router-2-ext> proto tcp from any to any port 90 rdr-to 10.12.1.102

Port forwarding the pfSense way (easier)

You can also do it in the pfSense web interface; the official instructions are here.

The idea is the same: Router-1 port forwards to Router-2, and Router-2 port forwards to the target server.

PS: If your Router-2 to Router-1 VPN is over the Internet, the Router-2-ext interface above should refer to the VPN point-to-point interface, NOT the physical WAN interface with a public IP.

John Siu
  • 3,667
  • 2
  • 17
  • 23
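Putting the two answers together (Wesley's 1.1.1.1:95 -> 2.2.2.2:95 -> 3.3.3.3:95 chain and John Siu's per-router rdr rules), here is an added example of the complete two-hop forward as hand-written pf.conf fragments in the rdr syntax used by pfSense's FreeBSD-based pf. It is not code from either answer or from pfSense itself. The interface names (em0, ovpns1, ovpnc1, em1), the tunnel addresses 10.8.0.1/10.8.0.2, and the public IP 203.0.113.10 are assumptions; port 95 and the target 10.12.1.102 come from the question. The translation is restricted to one port and one destination at each hop, and the Router-2 rule uses reply-to so the server's replies are sent back over the tunnel toward Router-1 rather than out Router-2's default route, which is the symptom Charlie describes in the comments (traffic reaching the server but dying on the way back).

```pf
# ---- Router-1 (main site, assumed names): public IP -> Router-2's tunnel address ----
ext_if = "em0"            # assumed WAN interface that holds the public IP
vpn_if = "ovpns1"         # assumed OpenVPN server tunnel interface
pub_ip = "203.0.113.10"   # assumed public IP (documentation range)
r2_vpn = "10.8.0.2"       # assumed tunnel address of Router-2

# Translate only TCP/95 on the one public IP, only toward the branch router's tunnel address.
rdr on $ext_if proto tcp from any to $pub_ip port 95 -> $r2_vpn port 95

# Filter rules see the already-translated destination; allow only that flow.
pass in  quick on $ext_if proto tcp from any to $r2_vpn port 95 keep state
pass out quick on $vpn_if proto tcp from any to $r2_vpn port 95 keep state


# ---- Router-2 (branch, assumed names): tunnel address -> LAN server ----
vpn_if = "ovpnc1"         # assumed OpenVPN client tunnel interface (the "Router-2-ext" of the answer)
lan_if = "em1"            # assumed LAN interface on 10.12.1.0/24
my_vpn = "10.8.0.2"       # assumed tunnel address of this router
r1_vpn = "10.8.0.1"       # assumed tunnel address of Router-1 (the peer on the point-to-point link)
srv    = "10.12.1.102"    # target server from the question

# Second hop: what arrived on the tunnel for 10.8.0.2:95 goes to the server.
rdr on $vpn_if proto tcp from any to $my_vpn port 95 -> $srv port 95

# reply-to binds the state's return traffic to the tunnel interface and peer,
# so replies from the server follow the request's path back to Router-1 even if
# Router-2's default route points at its own physical WAN.
pass in  quick on $vpn_if reply-to ($vpn_if $r1_vpn) proto tcp from any to $srv port 95 keep state
pass out quick on $lan_if proto tcp from any to $srv port 95 keep state
```

Load each fragment on its own router (pfctl -nf to syntax-check first, then pfctl -f) and verify with pfctl -ss that a connection to 203.0.113.10:95 shows one state on Router-1 (WAN, translated to 10.8.0.2) and one on Router-2 (tunnel, translated to 10.12.1.102). If the pfSense GUI is used instead, the same result is two NAT port-forward entries (destination WAN address on Router-1, destination the OpenVPN interface address on Router-2), each limited to port 95 and the single target host; pfSense generates the rdr and pass rules from those entries.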