Question

Hi, we've created an IPsec tunnel from our office to a RUT955 (RUT9_R_00.07.03.1). The connection works but on the RUT955 side we have a device connected with IP 195.0.0.2 (Note: we can't set default gateway on this device) and the RUT955's LAN subnet on 10.255.1.0/24. We are limited with these IP adresses and can't change them.

What is the easiest way to reach 195.0.0.2 via IPsec?

Do I need to create a VLAN (195.0.0.1/24) on the RUT955?

And do I need to add SNAT rule since we can't set the default gateway on the device.

I've attached a picture of the topology.

Thanks in advance!

Answer 1

Hi,

If you dont want to change IP addresses, you can try configuring port-based VLANS. Assign a VLAN on the port that connects to your device. Assign an interface to that VLAN and give it an IP address of the same network. VLAN information: Here, here and here.

However, when your device receives traffic from other networks, it does not know where to send the packets. Usually, the devices use a default gateway, but in your case this option is unavailable. The only address your device is aware of, is the address of the interface it is directly connected to. The SNAT on RUT950 would allow you change the source address of the packets to one of the RUT950 interface's (The IP address of the interface directly connected to your device). You can find more information about SNAT here.

The other end of the IPSec tunnel also needs to be aware of the new VLAN network, so you will need to add that network to your IPSec configuration as well. Unless IPSec tunnel is a default route.

I have not tested this scenario myself. Please, if you have any problems, let me know more about your case and I will try to test it. A more detailed topology and a troubleshoot file would be great.

Kind Regards,

Andzej

Comments

Hi, thanks for the pointers. I've set this up with 2 VLANs and then port forwarded from VLAN1 to VLAN2.I am now able to SSH and FTP the devices in VLAN2. Although I needed to add "echo "net.netfilter.nf_conntrack_helper=1" >> /etc/sysctl.d/11-nf-conntrack.conf" for FTP, what does this command do? And can it be enabled in the webui or only in CLI? 

I've port forwarded 10.255.1.2 > 195.0.0.45 and 10.255.1.3 > 195.0.0.25. So the 195.0.0.25 device doesn't have default gateway but it seems like I'm still able to transfer files from it using FTP. 

The only problem I have left is that I'm only able to ping from RUT955 to 195.0.0.45 and 195.0.0.25. I can also ping RUT955 (10.255.1.1) and FTP to 10.255.1.2 and 10.255.1.3 from IPSec side (10.9.0.0/22) but can't ping 10.255.1.2 and 10.255.1.3. Do I need additional traffic rules? 

I've added a troubleshoot file and uploaded a more detailed topology. 

BR

---

Hi,

The conntrack helpers are used to track connections, essentially helping protocols that utilize multiple connection flows to operate with the Firewall (for example, FTP). The connections are tracked by a kernel module and are handled by the Firewall. You can read more about Conntrack helpers in general here. An 'automatic helper assignment' function exists in the WebUI (Network -> Firewall -> General settings). You can try enabling this option via WebUI and see if it works for you. Usually, it is recommended to keep this option turned on in the WebUI. If it does not work for you, you can use the command you provided.

Regarding the pings. Have you configured the ICMP port forwarding used by ping? It seems that TCP and UDP port forwarding is working. 

Kind Regards,

Andzej

---

Hi, I noticed that I've forgotten to change protocol from "TCP+UDP" to "All" in the port forwardings.

Thanks for the help, everything works as it should now!

BR