

Topics - swix

1
Bonjour, hello,

I have some "Simple" IPv4 tunnels (IKEv1) to customers here, 3 are already running.  Our LAN: 192.168.1.0/24, WAN IP address 80.254.x.y.

Already working tunnels are having a Phase 2 setup similar to:
- Local network: LAN Subnet - NAT/BINAT:  Type Network, Address 192.168.10.0/24
- Remote Network:  Type Network , Address 10.116.0.0/16

I now have to add a new tunnel, but this time and for the first time the Remote Network Address is using public IP ranges.  Current phase 2 setup:
- Local Network:  WAN Subnet - no NAT/BINAT
- Remote Network:  Type Network, Address 159.16x.y.z/30

IPsec connection status for Phase 1 and Phase 2 is fine, and everything works as planned when testing from the router itself (when connected via SSH to the pfSense system, I can ping one remote target IP such as 159.16x.y.7). But the only issue is that I cannot access the target range 159.16x.y.z/30 from our LAN (192.168.1.0/24).

I tried changing the Phase 2 settings, but with anything else the tunnel will not work. And if I set "LAN subnet" as the NAT/BINAT network, it seems to be ignored and will not be saved.
I also thought about adding a static route, but it's not possible to select a tunnel as a gateway.
So how could I route these packets to 159.16x.y.z/30 over the tunnel instead of directly over our gateway?

Any hint would be very welcome as I am not very experienced with IPsec topics. Merci & kind regards, Olivier
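As an added illustration (not code from the thread), a small Python model of how a packet is matched against the Phase 2 selectors: with the new entry's local side set to the WAN subnet, a LAN-sourced packet for the remote /30 matches no selector and is routed via the default gateway, while a packet from the router's own WAN address does match, which is exactly the symptom described above; a third, constructed entry shows how a NAT/BINAT to the WAN address would change the match. Addresses use RFC 5737 documentation ranges in place of the thread's masked WAN and remote addresses, and the 1:1 translation logic is an assumed simplification of pfSense's behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Phase2:
    """One pfSense IPsec Phase 2 entry, modelled as a traffic selector."""
    local: ipaddress.IPv4Network                    # "Local Network": the real local side
    remote: ipaddress.IPv4Network                   # "Remote Network"
    binat: Optional[ipaddress.IPv4Network] = None   # "NAT/BINAT": how the remote sees the local side


def translate(src: ipaddress.IPv4Address, p2: Phase2) -> ipaddress.IPv4Address:
    """Apply the entry's NAT/BINAT to a matched source address (assumed model):
    a network translates 1:1 by host offset; a single /32 translates everything to that address."""
    if p2.binat is None:
        return src
    if p2.binat.prefixlen == 32:
        return p2.binat.network_address
    offset = int(src) - int(p2.local.network_address)
    return p2.binat.network_address + offset


def classify(src: str, dst: str, entries: list) -> tuple:
    """Return ('ipsec:<n>', translated_src) for the first Phase 2 whose selectors cover src->dst,
    or ('default-gateway', src) when no selector matches and the packet is routed normally."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, p2 in enumerate(entries, 1):
        if s in p2.local and d in p2.remote:
            return f"ipsec:{n}", str(translate(s, p2))
    return "default-gateway", src


# Constructed addresses standing in for the thread's values (assumptions).
LAN = ipaddress.ip_network("192.168.1.0/24")
WAN_SUBNET = ipaddress.ip_network("203.0.113.0/29")   # stands in for the 80.254.x.y WAN subnet
WAN_IP = "203.0.113.2"                                # the router's own WAN address
REMOTE_30 = ipaddress.ip_network("198.51.100.4/30")   # stands in for 159.16x.y.z/30

AS_CONFIGURED = [
    # existing, working tunnel: LAN translated to 192.168.10.0/24 toward 10.116.0.0/16
    Phase2(LAN, ipaddress.ip_network("10.116.0.0/16"), ipaddress.ip_network("192.168.10.0/24")),
    # new tunnel as described: local side is the WAN subnet, no NAT/BINAT
    Phase2(WAN_SUBNET, REMOTE_30),
]
# constructed comparison: LAN as the local side, translated to the WAN address (/32)
WITH_BINAT = AS_CONFIGURED + [Phase2(LAN, REMOTE_30, ipaddress.ip_network(WAN_IP + "/32"))]

if __name__ == "__main__":
    for src, dst in [("192.168.1.20", "10.116.3.9"), ("192.168.1.20", "198.51.100.6"), (WAN_IP, "198.51.100.6")]:
        print(src, "->", dst, classify(src, dst, AS_CONFIGURED))
    print("192.168.1.20 -> 198.51.100.6 with BINAT entry:", classify("192.168.1.20", "198.51.100.6", WITH_BINAT))
```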

2
I have a pfSense 2.1 setup (apu pcengines.ch board) with OpenVPN installed mainly according to http://www.packetwatch.net/documents/guides/2012050801.php, working as expected.
WAN access occurs over DSL, with a single static IP address (80.254.y.z).
The LAN network is 192.168.1.0/24; the internal LAN IP address of the pfSense router is 192.168.1.100.
The OpenVPN network is 192.168.42.0/24. "Force all client generated traffic through the tunnel." is active on both server and client; the IP assigned here is 192.168.42.6.
The OpenVPN client terminal is on a cable network, with the dynamic IP address 194.x.y.z.

http://WAN_IP and https://WAN_IP accesses from any external IP are served via NAT by a server running internally under the IP 192.168.1.151.
I have a test page under http://192.168.1.151/ip.php which simply returns the value of $_SERVER["REMOTE_HOST"].

My issue is the fifth line:
  • when accessing http://192.168.1.151/ip.php from the LAN, it returns the IP of the client (another 192.168.1.0/24 address): ok
  • when accessing http://WAN_IP/ip.php from outside (internet), it returns the real IP of the client: ok
  • when accessing http://WAN_IP/ip.php from the LAN, it returns 192.168.1.100 (the IP of the router): still ok (even if getting the real LAN IP address would be nice)
  • when accessing http://192.168.1.151/ip.php after activating the VPN client, the page returns 192.168.42.6 from the VPN range: ok
  • BUT when accessing http://WAN_IP/ip.php with the VPN active, the page returns the real IP address of the client (194.x.y.z), and not 192.168.42.x as I would expect.

I tried to "fix" this by following https://forum.pfsense.org/index.php/topic,65793.msg359377.html ("OpenVPN to IP Alias, NAT reflection not working") or https://forum.pfsense.org/index.php?topic=43507.0 ("OpenVpn and NAT for same subnet"), but I have failed until now, even if I guess it might be the right direction. What do you think?

Any other suggestion would be more than welcome :) Many thanks in advance & regards.
