SIP SNAT multiple sites and default routes

Hi,

We have 3 sites interconnected with BOVPN virtual interfaces. Each site has its own internet connection.

I would like to use the internet connection on site A (SNAT) to access a server on site B without modifying the IP source (SIP connection). Is that possible?

Thanks for your help

Sébastien

Comments

  • Not for a device which has a private IP address.

  • Hi Bruce,

    Thanks for your answer.

    I don't understand, can you explain?

  • Not changing the source IP addr means that a device with a private IP addr sends a packet out to the Internet, and the packet has a private IP addr as the source.
    The reply packet can't come back to the sending NAT device (WG firewall in this case), and thus to the originating device.
    So it just won't work.

  • Thanks for the answer.

    I realize that my explanation was not clear.

    That's a bit the opposite I want to achieve.

    I would like to access one of our servers on site B from outside, using the internet connection of site A as the entry point.

    I created an SNAT on WG site A (public IP site A -> server site B IP address); the packet is correctly routed to the server on site B (BOVPN), but the reply packet does not come back through the same route: it goes out to the internet following the default route on WG site B.
    I would like the answer from the server to go out to the internet on WG site A.

    It works if, in the SNAT created on site A, I change the source IP address to a private IP address of site A. But I don't want to change the source IP address because that breaks the SIP connection.

  • edited June 2021

    That answer is also no, and is also because of the routing of the reply packet.
    Without changing the source IP addr of the packet seen by Server B from site A, the reply packet would go out site B's Internet interface, not back via the BOVPN.

    Edited - correction:
    The receiving end, in this case site A's firewall, would see the source IP addr as site B's Internet interface public IP addr, and the packet would be dropped by the site A firewall as it would not match any session.
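The return-path problem described in this thread, modelled as an added example (this is not code from the thread or from WatchGuard). It builds longest-prefix-match routing tables for the two site firewalls and a minimal session table at site A, then traces the reply packet under both SNAT configurations the poster tried: source IP preserved, and source IP rewritten to a site A private address. All addresses are constructed (RFC 5737 documentation ranges for the public side, RFC 1918 for the LANs) and `10.1.0.1` is a hypothetical site A private address; ports and the BOVPN encapsulation itself are ignored.

```python
import ipaddress

# Constructed topology (not the poster's real addresses).
SITE_A_PUBLIC = "203.0.113.10"   # site A Internet interface
SITE_B_PUBLIC = "198.51.100.20"  # site B Internet interface
SITE_A_LAN = "10.1.0.0/24"
SITE_B_LAN = "10.2.0.0/24"
SERVER_B = "10.2.0.50"           # the server behind site B
CLIENT = "192.0.2.77"            # external SIP client on the Internet
SITE_A_NAT_SRC = "10.1.0.1"      # hypothetical site A private IP used for source rewrite

# Each firewall knows its own LAN, the other site's LAN via the BOVPN,
# and falls back to its own Internet link for everything else.
ROUTES_A = [("0.0.0.0/0", "internet_A"), (SITE_A_LAN, "lan_A"), (SITE_B_LAN, "bovpn")]
ROUTES_B = [("0.0.0.0/0", "internet_B"), (SITE_B_LAN, "lan_B"), (SITE_A_LAN, "bovpn")]


def next_hop(routes, dst):
    """Longest-prefix match: return the egress interface for destination dst."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def simulate(rewrite_source):
    """Trace one request/reply through the two firewalls.

    Returns (egress interface chosen by site B for the reply,
             whether the client receives the reply from the address it sent to).
    """
    # 1. Client sends to site A's public IP; site A's SNAT policy forwards it to SERVER_B.
    #    If rewrite_source is set, the source is also rewritten to a site A private IP.
    nat_src = SITE_A_NAT_SRC if rewrite_source else CLIENT
    fwd_pkt = {"src": nat_src, "dst": SERVER_B}
    assert next_hop(ROUTES_A, fwd_pkt["dst"]) == "bovpn"

    # Site A records the session so it can undo the NAT on the reply.
    # Key = (src, dst) of the expected reply packet, value = original client packet.
    sessions_a = {(SERVER_B, nat_src): {"src": CLIENT, "dst": SITE_A_PUBLIC}}

    # 2. Server B replies to whatever source address it saw.
    reply = {"src": SERVER_B, "dst": fwd_pkt["src"]}
    egress_b = next_hop(ROUTES_B, reply["dst"])

    if egress_b == "bovpn":
        # 3a. Reply arrives at site A, matches the session, NAT is reversed:
        #     the client sees a reply from SITE_A_PUBLIC, which is what it expects.
        original = sessions_a[(reply["src"], reply["dst"])]
        client_sees_src = original["dst"]
    else:
        # 3b. Reply leaves through site B's own Internet link and is NATed to
        #     SITE_B_PUBLIC; site A never sees it, and the client expected SITE_A_PUBLIC.
        client_sees_src = SITE_B_PUBLIC

    return egress_b, client_sees_src == SITE_A_PUBLIC


if __name__ == "__main__":
    print("source preserved:", simulate(rewrite_source=False))
    print("source rewritten:", simulate(rewrite_source=True))
```

With the source preserved, the reply is addressed to the client's public IP, the only matching route at site B is the default route, and the packet leaves via site B's Internet link with a source address the client never sent to. With the source rewritten to a site A private address, the reply's destination falls in `SITE_A_LAN`, the BOVPN route wins the longest-prefix match, and site A can reverse the NAT from its session table, which is why the poster's second configuration works at the network layer even though it changes the address SIP sees.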
