Port Address Translation through VPN?

Hello,
Historically, we use NAT port translations to redirect RDP to specific systems.
For example: WANIP:3400 gets forwarded to LANSERVERIP:3389.
Now we switched to Omada and have ported these rules. It's working.
But we've also set up SSL VPN on mobile computers and S2S IPsec VPN tunnels between branches and HQ.
Our goal now is to be able to connect from SSL VPN or S2S VPN to WANIP:3400.
This way, we avoid resetting hundreds of RDP shortcuts with local IPs, and we keep the possibility to whitelist IPs within the NAT rule to allow exceptional external access in case of S2S/VPN troubles (i.e. router crash, 4G backup, ...).
The issues we observe:
- S2S: the traffic to HQ WANIP:3400 hits the IP restriction with the branch WANIP (I could whitelist it, but I'd prefer the traffic to go through the S2S tunnel).
- SSL VPN (with an SSL VPN resource declared as WANIP port 3400 to 3400): the traffic is not redirected to LANIP:3389 (the RDP connection doesn't start, and telnet didn't work either).
I know it's tricky; maybe even theoretically stupid... but is it possible? Or alternative ideas?
Thanks for your help.

Writing this down, I'm thinking "should I add the WANIP to the rule's source IP restrictions?". I'm gonna try this tonight when users are out (as sadly NAT rule updates keep shutting down the network for a few minutes).
EDIT: nope, more likely I needed to whitelist the IP range of the VPN clients.
It is not possible to do any port redirect over an IP VPN tunnel. I have never tested what you are going to do, but it is possible you can do it via DNS; I quickly tested with an SRV record in DNS but didn't get it to work. So you probably have to have 2 RDP connections, one for 3400 and one for 3389. If you find an answer to the problem, then let me know. It is definitely worth knowing.
I made it work within SSL VPN (OpenVPN) by:
- Allowing my subnets (10.0.0.0/8, with VPN users on 10.0.252.X) in the NAT rules
- Adding as an SSL VPN resource the subnet used by my port forwardings
- Adding as an SSL VPN resource the WANIP
I've had troubles with SSL VPN resources that were too specific (WANIP but only on 3389 TCP/UDP, machine IPs instead of the whole subnet, etc.), but now it's stable and I can see the corresponding traffic in reports.
Though it means that I can't really restrict the permissions with the SSL VPN resources management (within my subnet), but it's not a major issue for now. I'll advise later on that.
For my IPsec tunnel, I believe NATed traffic keeps flowing outside of the tunnel (pure WAN); but it's OK for now as I can maintain the whitelisted IPs. The IP whitelist is sufficient protection for now, and that traffic won't be overloading the VPN capacity too soon (worried about that).
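Added example, not from the thread or from Omada: a small Python model of the NAT rule's source whitelist, showing why a VPN client's pool address (10.0.252.x) is dropped until its range is whitelisted, as the working configuration above did. All addresses are constructed placeholders, and the model covers only the rule's source check, not whether a tunnel actually carries traffic destined for the WAN IP.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    """Port forward: wan_ip:wan_port -> lan_ip:lan_port, limited to allowed_sources (CIDRs)."""
    wan_ip: str
    wan_port: int
    lan_ip: str
    lan_port: int
    allowed_sources: tuple


def evaluate(rule, src_ip, dst_ip, dst_port):
    """Return ('forwarded', (lan_ip, lan_port)), ('dropped', reason) or ('no-match', None)."""
    if dst_ip != rule.wan_ip or dst_port != rule.wan_port:
        return ("no-match", None)
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(cidr) for cidr in rule.allowed_sources):
        return ("dropped", f"source {src_ip} not in whitelist")
    return ("forwarded", (rule.lan_ip, rule.lan_port))


# Constructed sample addresses (documentation ranges), not the poster's real ones.
HQ_WAN_IP = "198.51.100.10"
HQ_RDP_HOST = "10.0.1.20"
BRANCH_WAN_IP = "203.0.113.7"

# Flows as the HQ router sees them: (label, source IP on arrival).
FLOWS = (
    ("SSL VPN client", "10.0.252.15"),                    # keeps its VPN pool address
    ("branch LAN via S2S tunnel", "10.0.20.5"),           # keeps its branch LAN address
    ("branch via plain WAN (S2S down)", BRANCH_WAN_IP),   # egress NAT: branch WAN address
    ("unknown internet host", "192.0.2.99"),
)


def audit(rule):
    """Map each flow label to the verdict for a connection to HQ_WAN_IP:3400."""
    return {label: evaluate(rule, src, HQ_WAN_IP, 3400)[0] for label, src in FLOWS}


# Original rule: only the branch WAN address is whitelisted.
RULE_BEFORE = NatRule(HQ_WAN_IP, 3400, HQ_RDP_HOST, 3389, (BRANCH_WAN_IP + "/32",))
# After the fix from the thread: internal ranges (VPN pool and branches) are whitelisted too.
RULE_AFTER = NatRule(HQ_WAN_IP, 3400, HQ_RDP_HOST, 3389, (BRANCH_WAN_IP + "/32", "10.0.0.0/8"))

if __name__ == "__main__":
    for name, rule in (("before", RULE_BEFORE), ("after", RULE_AFTER)):
        print(name, audit(rule))
```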

Hi @Dipsy
The issue you're discussing is unrelated to WiFi, so I’ve moved your thread to the Router section for more targeted assistance.
This will help experts address your query more effectively. Thanks.