Remapping a network over an OpenVPN connection
-
I have two sites that clients need to be able to access at the same time using OpenVPN. Unfortunately, both VPNs use the 10.0.0.0/24 network for their tunnels, and the systems on each site both use 192.168.1.0/24. It is easy enough to reconfigure one of the sites to use a different tunnel, but it is not feasible to move either of the sites from 192.168.1.0/24.
I would like to be able to come up with a configuration that would allow the clients to use 192.168.1.0/24 to access the systems on one site, and 192.168.2.0/24 to access the systems on the other. Is it possible to use 1:1 (or some other) NAT to perform a remapping to make this work?
-
@keylevel achievable. You will need to perform a double NAT. NAT both the source and destination of a packet as it goes out over the tunnel.
-
Thanks - I should have added that I'm not really familiar with NAT (other than basic port forwarding). Does "double NAT" mean I have to use 1:1 in both directions?
-
@keylevel It means that you have to translate the following:
Site 1: 192.168.1.0/24 needs to be translated into 10.0.1.0/24
Site 2: 192.168.1.0/24 needs to be translated into 10.0.2.0/24
Site 2 talks to Site 1 via 10.0.1.0/24
Site 1 talks to Site 2 via 10.0.2.0/24
Setting up a bi-directional NAT is tricky. Sometimes it's just easier to readdress the network.
-
Thanks, but I've not yet worked out how to set up that sort of translation (still searching for a simple "how-to"). It also looks like I haven't accurately explained what I'm trying to do, as it's not the sites that need to communicate with each other:
Site 1: 192.168.1.0/24 via VPN tunnel 10.0.1.0/24, VPN local network 192.168.1.0/24
Site 2: 192.168.1.0/24 via VPN tunnel 10.0.2.0/24, VPN local network 192.168.2.0/24
Clients need to be able to connect and communicate with both sites at the same time. This is trivial for Site 1, as the VPN local network is the site network, but Site 2 needs to map 192.168.2.x onto 192.168.1.x.
I do agree that re-addressing Site 2 would be easier, but that is not possible in the short term.
-
@keylevel
There is nothing you can do on your pfSense at all.
Even if you do a sort of translation, pfSense would have to route the traffic to 192.168.1.0/24, which it has two gateways for. Hence routing is not possible.
The address translation has to occur on one of the remote sites. So pfSense would see another subnet and could route traffic to it properly.
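The following is an added illustration, not code from any of the posters: it simulates the 1:1 prefix-preserving remapping (what the Linux iptables NETMAP target does, and what pfSense's 1:1 NAT does with pf binat) at the Site 2 VPN endpoint, which is where the last reply says the translation has to happen. It covers both the original poster's case (a client on the 10.0.2.0/24 tunnel reaching Site 2 hosts through 192.168.2.x aliases) and the double NAT described earlier in the thread (Site 1 source-mapped to 10.0.1.x, Site 2 destination-unmapped from 10.0.2.x). The client address 10.0.2.50, the host addresses and the interface name tun0 in the comments are constructed for the example.

```python
"""Simulation of 1:1 (NETMAP-style) address remapping at a VPN endpoint."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Tuple


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def netmap(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """Map addr 1:1 from from_net onto to_net, keeping the host bits unchanged.

    Only the network prefix is rewritten (192.168.2.10 <-> 192.168.1.10), so the
    mapping is stateless and reversible. Addresses outside from_net pass untouched.
    """
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs two networks of the same size")
    if addr not in from_net:
        return addr
    host_bits = int(addr) & int(from_net.hostmask)
    return IPv4Address(int(to_net.network_address) | host_bits)


class SiteTranslator:
    """Address translation performed at one site's VPN endpoint.

    real_net  - addresses the site's hosts actually use (192.168.1.0/24)
    alias_net - addresses the far end of the tunnel uses to reach them
    """

    def __init__(self, real_net: str, alias_net: str) -> None:
        self.real_net = IPv4Network(real_net)
        self.alias_net = IPv4Network(alias_net)

    def ingress(self, pkt: Packet) -> Packet:
        """Packet arriving from the tunnel: rewrite destination alias -> real.
        iptables equivalent (tun0 is an assumed interface name):
          iptables -t nat -A PREROUTING -i tun0 -d ALIAS -j NETMAP --to REAL
        """
        return replace(pkt, dst=netmap(pkt.dst, self.alias_net, self.real_net))

    def egress(self, pkt: Packet) -> Packet:
        """Packet leaving towards the tunnel: rewrite source real -> alias.
        iptables equivalent:
          iptables -t nat -A POSTROUTING -o tun0 -s REAL -j NETMAP --to ALIAS
        """
        return replace(pkt, src=netmap(pkt.src, self.real_net, self.alias_net))


def client_roundtrip(client: str, target_alias: str) -> Tuple[Packet, Packet, Packet, Packet]:
    """Original poster's case: a client on the Site 2 tunnel (10.0.2.x) reaches a
    Site 2 host via its 192.168.2.x alias. Site 2 hosts never see 192.168.2.x, and
    the reply is mapped back so the client's connection state still matches."""
    site2 = SiteTranslator("192.168.1.0/24", "192.168.2.0/24")
    request = Packet(IPv4Address(client), IPv4Address(target_alias))
    delivered = site2.ingress(request)            # what the Site 2 host receives
    reply = Packet(delivered.dst, delivered.src)  # host answers with its real address
    returned = site2.egress(reply)                # what the client receives
    return request, delivered, reply, returned


def site_to_site(src_real: str, dst_alias: str) -> Packet:
    """Double NAT from the earlier reply: Site 1 presents its hosts as 10.0.1.x on
    egress, Site 2 unmaps the 10.0.2.x destination on ingress."""
    site1 = SiteTranslator("192.168.1.0/24", "10.0.1.0/24")
    site2 = SiteTranslator("192.168.1.0/24", "10.0.2.0/24")
    pkt = Packet(IPv4Address(src_real), IPv4Address(dst_alias))
    return site2.ingress(site1.egress(pkt))


if __name__ == "__main__":
    for stage in client_roundtrip("10.0.2.50", "192.168.2.10"):
        print(stage)
    print(site_to_site("192.168.1.5", "10.0.2.7"))
```

Because the mapping preserves host bits, it needs no connection table: the Site 2 endpoint can rewrite each packet independently in both directions, which is what makes the 1:1 form simpler to reason about than a masquerading NAT. The routing observation from the last reply still holds: the client side (pfSense) only ever sees 192.168.2.0/24 behind the Site 2 tunnel, so it has a single distinct route per site.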