
[SOLVED] LAN-TO-LAN IP NAT: How? For managing remote device ...


Babiz
« on: November 01, 2017, 03:06:01 pm »
:o Hello folks! Here is my "proof of concept" for managing remote devices even if they refuse to reply to "other" subnets, i.e. anything that is not the subnet actually set under the LAN setting of the device itself.
I noticed this because, after setting up my IPsec VPN, I also need to manage all my devices on the remote site, but some of the devices were not working: they simply dropped my requests generated from the local admin station, which lives on a different subnet. Other devices like webcams work well and reply to any IP that sends a request.
I guess it is a "protection" behavior to improve security, but for me it is really annoying.. 8)
So this is a schematic of the network structure I have:


I also wrote about my IPsec configuration, still working at this time: https://forum.pfsense.org/index.php?topic=139214.0

I'm happy to hear any advice for doing this with pfSense! Also, the firewall rules are set to allow ICMP and TCP from any to any on my LAN interfaces and on IPsec.

My first try: I did a simple NAT on the IPsec interface translating the "admin pc" IP to a virtual IP. It looks like it works only for ICMP packets: after I committed this change I was able to ping the remote modem from the admin pc through this NAT rule, but it does not work for TCP connections.


I also know OpenVPN allows tunnelling directly into a specific subnet with a proper IP, but I'd avoid it if possible.

Maybe the way is to set up 1:1 NAT with a virtual IP, but I'm unable to find enough about the 1:1 NAT concept and my initial try to set this up failed.

Thanks in advance for any reply!
« Last Edit: November 03, 2017, 07:18:34 am by Babiz »

Babiz
I did many trials & errors and finally I solved this problem; basically it is simple to set up NAT IP LAN-to-LAN translation with a few steps!
I describe them below:


After setting up the IPsec tunnel, add as many Phase 2 entries as you need to reach the remote station from the local admin.

On site A

Add P2
Mode "tunnel"
Local Subnet "LAN2"
Remote Subnet "192.168.0.0/24"

Add P2
Mode "tunnel"
Local Subnet "LAN2"
Remote Subnet "192.168.1.0/24"

On site B

Add P2
Mode "tunnel"
Local Subnet "LAN1"
Remote Subnet "192.168.2.0/24"

Add P2
Mode "tunnel"
Local Subnet "MODEM"
Remote Subnet "192.168.2.0/24"

Next step: add a virtual IP on the remote station, one for each interface you need.

Virtual IP address "192.168.0.99/24"
Interface "MODEM"
Type "IP Alias"

Virtual IP address "192.168.1.99/24"
Interface "LAN1"
Type "IP Alias"

I set my virtual IPs outside the DHCP range.


Third step, to allow routing between subnets through virtual IP NAT:
Basically the "Auto rule" for Outbound NAT does not translate any IP address, so you need to "force" translation for the specific host when it refuses to reply to any request from different subnets.



Well, the Mappings section will appear, ready to add manual mappings.

Interface "MODEM"
Source "192.168.2.0/24"   Source Port "*"
Destination "192.168.0.0/24"   Destination Port "*"
NAT Address "192.168.0.99"   NAT Port "*"

Interface "LAN1"
Source "192.168.2.0/24"   Source Port "*"
Destination "192.168.1.0/24"   Destination Port "*"
NAT Address "192.168.1.99"   NAT Port "*"


I used the entire /24 block to define this rule; all works well, and now I can reach multiple hosts under site B, redirected to the virtual IP on the remote interface side.



Piba-NL from the #pfsense IRC channel advised me that you can eventually trim the size of the subnet to /32 to improve security if you only have a single host to manage. Thanks a lot for your advice mate :D

Last step is checking the firewall rules; you can adjust them to allow the traffic you want to pass. In my case I set a basic "Any to Any" rule on all interfaces (applying the default LAN rule is fine).

Well, you are done. Now you can "talk" to all devices under the remote subnets, even if they refuse to reply to requests from other subnets: by this "trick" the traffic is redirected to a virtual IP on the interface side before being routed through the VPN IPsec tunnel. Very nice, man.

Hope this micro tutorial is useful for other folks. Goodbye!
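The following is an added example and not part of Babiz's post or of pfSense: a small Python model of the outbound NAT "trick" the tutorial describes, using the post's own subnets (LAN2 192.168.2.0/24 at site A, MODEM 192.168.0.0/24 and LAN1 192.168.1.0/24 with virtual IPs .99 at site B). It assumes a constructed admin PC address of 192.168.2.10 and models a "strict" device as one that answers only peers inside its own /24. It goes slightly beyond the post by also showing Piba-NL's /32 variant, where only the admin PC is translated and any other LAN2 host is still dropped by the strict device.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Address = ipaddress.IPv4Address
IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class NatMapping:
    """One manual Outbound NAT mapping, mirroring the GUI columns in the post."""
    interface: str            # Interface the packet leaves on (site B side)
    source: IPv4Network       # "Source" column
    destination: IPv4Network  # "Destination" column
    nat_address: IPv4Address  # "NAT Address" column: the IP Alias virtual IP


# Site B interfaces, constructed from the subnets named in the post.
SITE_B_INTERFACES = {
    "MODEM": ipaddress.ip_network("192.168.0.0/24"),
    "LAN1": ipaddress.ip_network("192.168.1.0/24"),
}

# The two mappings exactly as the post enters them: the whole LAN2 /24 is translated.
MAPPINGS_SLASH24: List[NatMapping] = [
    NatMapping("MODEM", ipaddress.ip_network("192.168.2.0/24"),
               ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_address("192.168.0.99")),
    NatMapping("LAN1", ipaddress.ip_network("192.168.2.0/24"),
               ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_address("192.168.1.99")),
]

# Piba-NL's tighter variant: only the admin PC is translated.
# 192.168.2.10 is a constructed address; the post never names the admin PC's IP.
ADMIN_PC = ipaddress.ip_address("192.168.2.10")
MAPPINGS_SLASH32: List[NatMapping] = [
    NatMapping(m.interface, ipaddress.ip_network(f"{ADMIN_PC}/32"), m.destination, m.nat_address)
    for m in MAPPINGS_SLASH24
]


def egress_interface(dst: IPv4Address) -> Optional[str]:
    """Pick the site B interface whose subnet contains the destination."""
    for name, subnet in SITE_B_INTERFACES.items():
        if dst in subnet:
            return name
    return None


def apply_outbound_nat(src: IPv4Address, dst: IPv4Address,
                       mappings: List[NatMapping]) -> IPv4Address:
    """Return the source address the remote device will see.

    First matching mapping wins (interface, source and destination must all match);
    with no match the packet leaves untranslated, which is what the auto rule does here.
    """
    iface = egress_interface(dst)
    for m in mappings:
        if m.interface == iface and src in m.source and dst in m.destination:
            return m.nat_address
    return src


def translated_source(src: str, dst: str, mappings: List[NatMapping]) -> str:
    """String-friendly wrapper around apply_outbound_nat."""
    return str(apply_outbound_nat(ipaddress.ip_address(src), ipaddress.ip_address(dst), mappings))


def strict_device_accepts(device_ip: IPv4Address, prefix: int, peer_ip: IPv4Address) -> bool:
    """Model of a device that only answers peers on its own LAN subnet."""
    return peer_ip in ipaddress.ip_network(f"{device_ip}/{prefix}", strict=False)


def reachable(src: str, dst: str, mappings: List[NatMapping], prefix: int = 24) -> bool:
    """Can a host at src manage the strict device at dst, given these mappings?"""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return strict_device_accepts(d, prefix, apply_outbound_nat(s, d, mappings))


if __name__ == "__main__":
    for label, maps in (("no manual NAT", []), ("/24 mappings", MAPPINGS_SLASH24),
                        ("/32 mappings", MAPPINGS_SLASH32)):
        for host in ("192.168.2.10", "192.168.2.20"):
            print(f"{label:14} {host} -> modem 192.168.0.1: "
                  f"seen as {translated_source(host, '192.168.0.1', maps)}, "
                  f"reachable={reachable(host, '192.168.0.1', maps)}")
```

Running it shows the three states the post walks through: without manual mappings the modem sees 192.168.2.10 and drops it; with the /24 mappings every LAN2 host is seen as 192.168.0.99 and gets an answer; with the /32 mappings only the admin PC is translated, so the exposure of site B's strict devices is limited to the one station that actually needs to manage them.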