Previously I posted about my Site 2 Site VPN connection. It is working perfect now!
Now something changed. The client has a new ISP and has an IPv4 CG-NAT. That’s not a problem per se for the site 2 site connection, as they are the client and I am the server, but they can’t access their network anymore from their own VPN connection.
Now I want to give them acces to my VPN server, so they can tunnel via my network, over the site2site VPN, to theirs.
The problem is that I don’t want them to be able to access my subnets. I only want them to tunnel via my network to theirs.
Well in theory there is by setting up load balancer. I have not personally tried it but you give it a shot. As you know Pfsense has its own load balancer or if you have your own you can use that.
I am hoping that with IPv6 this CG-NAT stuff goes away, there are plenty of IP addresses available under IPv6!
I’m on TMobile ay home now (CG-NAT), but so far my openVPN site to site is working fine and didn’t even glitch with the change. Server side is at work on an internet IP that we “own”.
It gets even more convulated if you want the full pathway:
Public IP, port forward to my firewall which is behind local NAT, home through lab domain which is now CG-NAT. Before TMobile home was under local NAT again through consumer router and Spectrum cable internet.
All that said, isn’t there a setting when creating the site to site about which remote networks are allowed? It has been a bunch of years now and I can’t exactly remember, but I do recall having to type the networks into something. I have two LANs at work that I can reach (real cable separated LANS on the back of my firewall).
