• Traffic Graph won't show the IPs local and remote.
    0 Votes
    1 Posts
    224 Views
    No one has replied
  • IPSec VTI not working
    0 Votes
    1 Posts
    335 Views
    No one has replied
  • configuring NAT for IPSec (each site is exactly the same..)
    0 Votes
    4 Posts
    549 Views
    @ethan-103 You can do this with BINAT for sure, but this requires a policy-based tunnel. With VTI you can configure a NAT 1:1 to achieve this. For example, 10.0.20.0/24 would NAT to site A's 172.16.5.0/24 (10.0.20.100 = 172.16.5.100). For this example you have to add a NAT 1:1 rule to the VTI interface at A, where the "External subnet IP" is 10.0.20.0 and the "Internal IP" is type Network > 172.16.5.0/24.
  • 0 Votes
    3 Posts
    854 Views
    Update: Wifi calling seems to work with no outbound NAT rules other than the default enabled; however, I can only get it to actually use it when I put the phone in a Faraday cage that blocks cell, or in airplane mode. I don't know if this is something specific to my carrier or to my Pixel 8 Pro software. I did test with an S21 and it didn't use it until I did the airplane mode and enable Wifi thing. Not sure if it is preferring LTE instead of Wifi because of how strong our LTE is in our area, or if this is caused by a misconfigured firewall. Still a bit of a head-scratcher, especially because I went into settings and told it to prefer Wifi over LTE, but who knows.
  • macOS 14.2 - Can’t Connect With Saved Pre Shared Key
    0 Votes
    1 Posts
    305 Views
    No one has replied
  • How to configure an IPsec VPN failover with 2 gateways on each end
    0 Votes
    1 Posts
    222 Views
    No one has replied
  • IPsec vpn access to two subnets from one
    0 Votes
    4 Posts
    505 Views
    @Dimitriy46 the P2 needs to exist on both ends, and you may have that. I would also try to include the entire /24 in a single P2 and see what happens. I have a connection with an ASA where they have multiple P2 for the same subnet, but I just have a /24 and it figures it out.
  • Subdomain does not work over IPsec
    0 Votes
    2 Posts
    362 Views
    @Bot That's nothing that could be affected by pfSense or the VPN. It might rather be that the destination server is blocking access from outside of the local subnet.
  • Listing IPSec P2 Remote Addresses?
    0 Votes
    1 Posts
    135 Views
    No one has replied
  • VPN Mobile IPSec unable to access LAN machines
    0 Votes
    5 Posts
    664 Views
    periko
    @user1089082098 If you can, send me a message and we'll see if we can help you.
  • RADIUS group authentication failing
    0 Votes
    1 Posts
    266 Views
    No one has replied
  • Unable to save "Group Authentication"
    0 Votes
    2 Posts
    245 Views
    Confirmed this is fixed in 23.09.1-RELEASE
  • IKEv2 Radius groups problem (FreeRADIUS)
    0 Votes
    2 Posts
    490 Views
    As a follow-up, here is how I got it working. I am using OpenLDAP and FreeRADIUS on FreeBSD 14. I'm not documenting here how to get LDAP authentication working with FreeRADIUS; I'm presuming that is already done. Additionally, my LDAP schema has all users under the name ou=people, ou=domain, ou=com and groups in ou=groups, ou=domain, ou=com. I do not have memberof enabled. I'm using MSCHAPv2 authentication in pfSense's RADIUS configuration.

    In /usr/local/etc/raddb/mods-enabled/ldap use these settings in the "group" section:

        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        scope = 'sub'
        name_attribute = cn
        membership_filter = "(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})"
        cacheable_name = 'yes'

    In /usr/local/etc/raddb/sites-available/default add this in the "post-auth" section:

        update reply {
            Class += "%{exec:/bin/sh /usr/local/etc/raddb/ldap_fix.sh %{control:LDAP-Group[*]}}"
        }

    The exec module is used. Ensure that in /usr/local/etc/raddb/mods-available/exec, "wait" is set to "yes":

        wait = yes

    Finally, I used tr to convert the comma-delimited list of groups in "%{control:LDAP-Group[*]}" to semi-colon delimited. The file /usr/local/etc/raddb/ldap_fix.sh looks like this:

        #!/bin/sh
        #
        # turn comma-delimited list of groups into semi-colon delimited list of groups
        #
        echo "${1}" | tr "," ";"

    Using the pfSense authentication tester (Diagnostics > Authentication) I can now see the list of groups users are a member of. Note that the groups need to also be present in pfSense (System > User Manager).
  • 23.09 Update and IPSec operation
    1 Votes
    7 Posts
    892 Views
    Confirmed this is fixed in 23.09.1-RELEASE
  • VPN on MAC issue vs. Windows Machines
    0 Votes
    1 Posts
    240 Views
    No one has replied
  • EAP-MSCHAPv2 Ubuntu Client Issues
    0 Votes
    1 Posts
    243 Views
    No one has replied
  • Weird encrypted traffic (HTTPS) issue over IPSec
    0 Votes
    8 Posts
    824 Views
    @keyser let me start by saying that I appreciate the time you're putting into this. Right now it's just a matter of curiosity, but it bugs me to the core as I don't know why it needs MSS clamping all of a sudden. Now, I've run the test and captured the packets (see the attached pcap files), but I am unable to determine why it's working / not working. I've included two pcaps, one with the non-working HTTPS connection, one with the working one. From my point of view (I'm sure I'm missing something), it doesn't look like an issue. I don't know why there are all the retransmissions in the non-working one, but as I said, I'm probably missing something. P.S. 10.41.199.205 is the HTTPS server, 172.31.254.251 is the client. Thank you. working.pcap non-working.pcap
  • Connecting two 192.168.5.0/24 networks with NAT on both sides
    0 Votes
    7 Posts
    698 Views
    SNAT and DNAT are all you need here. Neither site will know the real IP, but that's OK; obviously you will keep track, but that's all that's needed here to get around the overlap.
  • IPsec with IPv6
    0 Votes
    1 Posts
    183 Views
    No one has replied
  • IPSec strange problem
    0 Votes
    2 Posts
    400 Views
    Some update on this: on the A side there are other networks attached over OVPN, still in shared-key mode... So from site B I can reach ALL(!) other networks fine, independent of the gateway I use... Only the locally attached networks of site A have a problem from site B if I go through the second WAN line... Does anyone have any idea how to trace the problem?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.