NAT addressing problem
-
Hi,
I'm trying to set up a VPN server for my contingency/backup link. When my primary link fails, I have a 30Mbps link that has one IP address. On my normal link, I have a class C network (/24 public addresses) where I don't use NAT. When I activate the backup link, I want to enable my users to access my network through pfSense. pfSense is already the router for this link.
I've set up IPsec using the instructions on https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-eap-mschapv2.html. Then I made small changes to allow RADIUS authentication (EAP-RADIUS). The network setup became something like this:
public IP
................
|
pfSense
|
...............
internal network with valid IPs, but behind pfSense/NAT

The setup is mostly working. When a user connects, it manages to navigate to external sites, but internal navigation does not work. What I found is that packets to the LAN are going out with the network set in "Virtual Address Pool" in the "Mobile clients" tab. So, when a VPN-connected user tries to access a server in my network, my servers with valid IPs are receiving packets with RFC1918 addresses, and obviously they will not answer that.
So, in short this is what seems to be happening with the packets coming out of the tunnel:
to WAN: NAT is translated properly
to LAN: packets are coming out with RFC1918 address (not desirable).

How can I tell pfSense that the packets to the LAN should also be translated?
Thank you,
Roberto
-
@drydenk-0 I think you're looking for outbound NAT.
Also see here.
-
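To make the suggested fix concrete, here is an added example (not from the thread or from pfSense itself) that models pf-style outbound NAT rule matching for the scenario above: the IPsec mobile-client pool is an RFC1918 range, the LAN holds public addresses, and the default outbound NAT only covers the WAN interface. The addresses (203.0.113.0/24 as the LAN, 10.10.10.0/24 as the virtual address pool, 198.51.100.7 as the backup link's public IP) are constructed documentation ranges, not the poster's real ones.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the thread's scenario (documentation ranges, not real ones):
# the pfSense LAN carries public addresses with no NAT in normal operation, and the
# IPsec "Virtual Address Pool" hands mobile clients an RFC1918 /24.
LAN_NET = ipaddress.ip_network("203.0.113.0/24")
VPN_POOL = ipaddress.ip_network("10.10.10.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
WAN_ADDR = ipaddress.ip_address("198.51.100.7")  # the backup link's single public IP
LAN_ADDR = ipaddress.ip_address("203.0.113.1")   # pfSense's own LAN-side address


@dataclass
class NatRule:
    iface: str                        # egress interface the rule is bound to
    src: ipaddress.IPv4Network        # source network to match (the VPN pool here)
    dst: ipaddress.IPv4Network        # destination network to match
    translate_to: ipaddress.IPv4Address  # address the packet is masqueraded as


def egress_iface(dst):
    """Routing decision: LAN destinations leave via LAN, everything else via WAN."""
    return "lan" if dst in LAN_NET else "wan"


def apply_outbound_nat(rules, src, dst):
    """Return the source address the receiving host sees; first matching rule wins.

    Matching is by egress interface, source network and destination network, which
    is the same triple a pfSense Outbound NAT rule is keyed on.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = egress_iface(dst)
    for r in rules:
        if r.iface == iface and src in r.src and dst in r.dst:
            return str(r.translate_to)
    return str(src)  # no rule matched: the packet leaves with its RFC1918 source


# Before: automatic outbound NAT translates VPN-pool traffic only on the WAN side.
RULES_WAN_ONLY = [NatRule("wan", VPN_POOL, ANY, WAN_ADDR)]

# After: an extra rule on the LAN interface (source = VPN pool, destination = LAN)
# so LAN servers see pfSense's LAN address instead of an RFC1918 client address.
RULES_WITH_LAN = RULES_WAN_ONLY + [NatRule("lan", VPN_POOL, LAN_NET, LAN_ADDR)]
```

The model covers rule selection only; it does not reproduce pf's per-protocol handling (for ICMP, pf tracks the echo identifier rather than a port), which is where the reply below saw differing behaviour.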
Cool. Outbound NAT worked. Well, sorta.
It gave me some trouble because for some reason it refused to translate ICMP. HTTPS (and RDP) worked fine, but ICMP did not. I tried to add a rule specifying icmp, but still didn't translate it. I tried with both Hybrid and Manual Outbound NAT, both with the same result.
In any case, it already solved what I needed. I will make some more tests and report if I find something.
Thank you.
Roberto
-
Aaaannnndd it started working, somehow.
I played a little with "Rekey Time" and "Reauth Time" but didn't get the results I expected, so I disabled them (which is what I had before). But somehow, ICMP translation started to work. Now it works but I don't know why..... :-P
Tks.
Roberto