Hi,

I think the IP in the NAT rule should be the IP of the firewall of Site B. You can make a rule in the access list to deny the IP 192.168.10.197 to use the Internet from Site B.

Kind Regards

Klaus

Nadine Schlüter <[email protected]> wrote:

> Hi,
>
> the network at site A is 192.168.10.0/24. H is 192.168.10.197.
>
> Site B's network is 192.168.0.0/24.
>
> The tunnel (TUN1) between the two is
>
> <Site A> <-10.0.9.2--- tunnel ---10.0.9.1-> <Site B>
>
> The NAT rule (first in my NAT list) is:
>
> Interface: TUN1
> Protocol: any
> Source: Network 192.168.10.197/32
>         Port: <empty>
> Destination: <all empty>
> Translation: Interface address (so the IP should be 10.0.9.2)
>              Port: <empty>
>
> Looks like this in the list (top two entries):
>
> Interface: TUN1
> Source: 192.168.10.197/32
> Source Port: *
> Destination: *
> Destination Port: *
> NAT Address: *
> NAT Port: *
> Static Port: No
> Description: Translate smack's traffic to TUN1 IP
>
> Interface: WAN
> Source: 192.168.10.0/24
> Source Port: *
> Destination: *
> Destination Port: *
> NAT Address: *
> NAT Port: *
> Static Port: No
> Description: Translate 192.168.10.x to WAN IP
>
> To me it seems the new (first) rule is completely ignored and rule 2 is used.
>
> Cheers,
> Nadine
>
> -------- Original Message --------
>> Date: Fri, 6 Apr 2012 17:58:49 +0200
>> From: Klaus Wunder <[email protected]>
>> To: pfSense support and discussion <[email protected]>
>> Subject: Re: [pfSense] Several sites: How to route Internet-bound traffic of a host at site A through site B
>
>> Hi,
>>
>> what is your translation address in the NAT rule? The Interface Address of Firewall B?
>> Have you disabled Automatic NAT rule generation?
>>
>> Kind Regards
>>
>> Klaus Wunder
>>
>> Sent from my iPhone
>>
>> On 06.04.2012 at 17:30, "Nadine Schlüter" <[email protected]> wrote:
>>
>> > Hi,
>> >
>> > I'm running several pfSense ALIX boxes at different locations. Each box
>> > has a direct Internet connection (WAN) and runs OpenVPN tunnels to other
>> > sites. Works all fine.
>> >
>> > Now I want to route all Internet-bound traffic of one (and only one!)
>> > host H from site A through site B's pfSense box to the Internet. Is
>> > there a way to do this?
>> >
>> > I tried setting up a special outbound NAT rule for H at site A's
>> > pfSense box, which essentially is <H's IP>/32 -> <Tunnel to site B
>> > Interface IP>. But this did not have any effect.
>> >
>> > Of course there is another NAT rule already in place that translates
>> > anything from site A's private network to the local WAN address.
>> > However, I put the special NAT rule for H as the first in the NAT rule
>> > list, hoping that it matches first and will therefore be preferred.
>> > However, if I traceroute from H to a machine outside (say 8.8.8.8) I can
>> > still see the traffic going out through site A's WAN interface, never
>> > getting into any tunnel.
>> >
>> > The tricky bit is that host H's traffic is for the Internet. I can
>> > reach hosts at other sites without problems (static routes and tunnel
>> > NATs in place).
>> >
>> > Has anyone here done this before? I would greatly appreciate some
>> > advice on this...
>> >
>> > Cheers,
>> > Nadine
>> >
>> > _______________________________________________
>> > List mailing list
>> > [email protected]
>> > http://lists.pfsense.org/mailman/listinfo/list
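As an added illustration (not from the thread and not pfSense's own generated rule set), here is the setup in plain pf.conf syntax as FreeBSD's pf, which pfSense builds on, accepts it. The addresses are the ones from the thread; the interface names `em0`, `ovpnc1`, `em2` and `em1` are assumptions. The point it shows is why the first NAT rule never fires: an outbound `nat on` rule is consulted only for packets that the routing decision has already sent out that interface, and with the default route still pointing at WAN, H's packets to 8.8.8.8 never reach TUN1. A `route-to` rule (the Gateway field on a pfSense LAN firewall rule) is what moves the packets into the tunnel first; the outbound NAT on TUN1 then applies, and Site B in turn has to translate what arrives from the tunnel onto its own WAN address.

```pf
# ===== Site A pfSense (LAN 192.168.10.0/24) =====
lan_if = "em0"      # assumption: Site A LAN
tun_if = "ovpnc1"   # assumption: TUN1 (OpenVPN) interface, local address 10.0.9.2
wan_if = "em2"      # assumption: Site A WAN
host_h = "192.168.10.197"

# Networks H should still reach directly over the existing static routes.
# Only Site B's LAN is known from the thread; add the other sites' LANs here.
table <remote_lans> { 192.168.0.0/24 }

# Translation rules (pf evaluates these before filter rules; first match wins).
# Rule 1 is only consulted for packets already leaving via $tun_if.
nat on $tun_if from $host_h to any -> ($tun_if)
# The existing catch-all keeps serving everyone else on WAN.
nat on $wan_if from 192.168.10.0/24 to any -> ($wan_if)

# Policy route: H's traffic that is not for a remote LAN is handed to the
# tunnel peer 10.0.9.1, overriding the default route. Without this line the
# first nat rule above can never match H's Internet-bound packets.
pass in quick on $lan_if route-to ($tun_if 10.0.9.1) \
    from $host_h to ! <remote_lans>

# ===== Site B pfSense (LAN 192.168.0.0/24) =====
wan_b = "em1"       # assumption: Site B WAN

# H arrives from the tunnel as 10.0.9.2 (after Site A's translation) and must
# be translated again to Site B's public address. Scoping the source to the
# tunnel endpoint, rather than "any", keeps Site B from becoming an exit for
# anything else that shows up on the tunnel.
nat on $wan_b from 10.0.9.2 to any -> ($wan_b)
```

After loading the rules (`pfctl -f /etc/pf.conf`), `pfctl -s nat` and `pfctl -s rules` show the translation and route-to rules in their evaluated order, and a traceroute from H should now list 10.0.9.1 as the first hop instead of Site A's WAN gateway. In the pfSense GUI the same thing is the Gateway selection on a LAN rule matching H plus manual outbound NAT on both boxes (Klaus's question about disabling automatic NAT rule generation is exactly this setting).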
