In my career, i have built several vpn's through a firewall and nat'ing the public IP to a private IP address. However, I have only done this on Cisco equipment, that is mainly what i work on all the time. It would be a static IP nat if you have a second public IP address. If you do not, you will have to do a static port nat sharing your outside public IP address that you get from your provider. Which it sounds like you are on the right track. Pfsense should be able to do that, but it has been quite sometime sense i have messed with Pfsense. Putting it in the DMZ is very wise.
Also, a lot of firewalls have a geolocation block function. It appears PFsense has this as well if you add in the PfBlocker package. In several scenario's, a lot of people don't need to communicate with specific countries, therefore, what i have done over the years is block to and from traffic to certain countries, like in your instance Russia. You could do it by public IP blocks, but the administrative overhead with doing this is a nightmare. So, geolocation block, you just select the country and the firewall does the rest, just for another added layer of protection.
Take care, Tony
On Fri, Jan 5, 2018 at 6:36 PM, Tom Cardinal ki4szj@gmail.com wrote:
Greetings, I was working with Dan Cooper last spring to turn my pfSense box into an ampr gateway. At the time I was trying to learn how IPIP worked AND how BSD (pfSense) worked. I'm pretty well versed in linux... BSD... not so much.
At the time I moved to Linux and Lynwood helped me get my head around how the IPIP tunneling works. After seeing the volume of traffic that tries to crack into my residential ISP connection (even though it fails) I've decided to put my ampr gateway into a DMZ. I'm currently in the process of moving my AMPR gateway into a pfSense DMZ.
I work in a loosely security related position at work and I'm doing this as a security measure to knock down some of the noise my Linux gateway/Router/Firewall/AMPRgateway was seeing, mostly from Russia, China and other places that I didn't research. My new AMPR gateway will still be on Linux, actually Raspbian on a Raspberry Pi, but the only traffic it'll ever see is encapsulated traffic and traffic from my network because all of the other noise will be filtered by the pfSense box and won't exist in my DMZ.
Out of the box the pfSense user interface doesn't have support for ipencap or AX25. I did a little bit of research (google) and found an older post on the pfsense forum about which files to edit to add ipencap and ax25 to the UI. Also, I just asked on the pfSense subreddit to see if there are any other places within the pfSense UI to edit which protocols are available for use.
Is anyone else using this method to NAT forward IPIP traffic to an internal gateway (in my case using pfSense). I'm looking to find out if I've missed anything with the port forwarding before I move forward. I know Brian (N1URO) was working with IPIP tunneling behind a NAT and I think (THINK) this might work.
So... here's what I've done.
pfSense version is 2.4.2p1. File edits follow...
In file: /usr/local/www/firewall_nat_edit.php
On line 708, change: $protocols = "TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP PIM OSPF";
To: $protocols = "TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP PIM OSPF IPENCAP AX25";
In file: /usr/local/www/firewall_nat_out_edit.php
On line 510, change: $protocols = "any TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP carp pfsync";
To: $protocols = "any TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP carp pfsync IPENCAP AX25";
In file: /usr/local/www/firewall_rules_edit.php
Insert as line 1315 and 1316: 'ipencap' => 'IPENCAP', 'ax25' => 'AX25',
-- Tom / n2xu / MSgt USAF (Ret) / BSCS, CASP _________________________________________ 44Net mailing list 44Net@mailman.ampr.org https://mailman.ampr.org/mailman/listinfo/44net