to start, I have very little knowledge on routes, iptables, etc. That said, here's what I'm trying to accomplish and where I think I'm stumped:
Problem: We have an external website which we recently firewalled so it only accepts traffic from our office IP addresses. This works well at the office, but doesn't work for remote access through VPN as we don't route all traffic through OpenVPN. I would rather avoid forcing everyone to route all traffic through just to accommodate this one site.
Environment: Main router box is running pfSense. Em0 is internal IP, Em1 is external. Internal net is 10.23.x and VPN is 10.0.8.0/24
I believe what I need to do is add a route to the VPN server config to send all traffic to that IP over the VPN tunnel. I think that part's working, but I don't get a response back, so I'm assuming that I need some NAT config on the VPN server to route the response back over the tunnel?
What I've found so far is to try the following, but since this is a pfSense box on FreeBSD, I can't run iptables, etc.
Make sure ip forwarding is enabled:
echo 1 > /proc/sys/net/ipv4/ip_forward
Setup NAT back out:
iptables -t nat -A POSTROUTING -s 10.0.8.0/24 -o em0 -j MASQUERADE
Am I on the right path, and if so how do I accomplish this through pfSense UI or FreeBSD CLI? Thanks!
Best Answer
Got it! A coworker and I stumbled through onto success (for now).
XXX.XXX.XXX.XXX = IP of the specific site we wanted routed over the VPN
Solution:
Step 3 is optional.