Netgate Discussion Forum

NAT to reach devices in two different LANs with same IP addresses

    marcelosb
    last edited by Oct 31, 2024, 10:04 PM

    Hello!

    I'm looking for something very similar to IPSec BINAT feature.

    Here is my problem: my Netgate 4100 is connected through LAN1 into the network 192.168.1.0/24, where there are many very important devices whose IPs I cannot change. Now, we want to integrate another network so that we may reach it through VPN. However, this other network is also 192.168.1.0/24. And it is very difficult to change all the IPs of this second network.

    So, I thought maybe there is some way of mapping the IPs of this new network to something else. For example, I could connect the new network in the LAN2 port. Then, through some form of NAT, I could map, say, the IP 192.168.1.10 of this network into the IP 192.168.2.10. Packets exiting LAN2 would have their source IP changed to a firewall virtual IP (let's say 192.168.1.1) and their destination IP changed to the corresponding IP in the 192.168.1.0/24 network. A package coming through OpenVPN would have to go through the following transformations (I am representing source IP ---> destination IP):

    1. Arriving in OpenVPN interface: openvpn IP ---> 192.168.2.10
    2. Exiting through LAN2: 192.168.1.1 ---> 192.168.1.10

    Then, the answer from 192.168.1.10:

    1. Arriving in LAN2: 192.168.1.10 ---> 192.168.1.1
    2. Sent through OpenVPN interface: 192.168.2.10 ---> openvpn IP

    Is there any feature that does what I'm thinking? Thanks for any help.

      viragomann @marcelosb
      last edited by Oct 31, 2024, 10:49 PM

      @marcelosb said in NAT to reach devices in two different LANs with same IP addresses:

      I'm looking for something very similar to IPSec BINAT feature.

      Remember, that this is done on the remote site. So you can talk to the remote site using a different IP range.

      For example, I could connect the new network in the LAN2 port. Then, through some form of NAT, I could map, say, the IP 192.168.1.10 of this network into the IP 192.168.2.10. Packets exiting LAN2 would have their source IP changed to a firewall virtual IP (let's say 192.168.1.1) and their destination IP changed to the corresponding IP in the 192.168.1.0/24 network. A package coming through OpenVPN would have to go through the following transformations (I am representing source IP ---> destination IP):

      1. Arriving in OpenVPN interface: openvpn IP ---> 192.168.2.10
      2. Exiting through LAN2: 192.168.1.1 ---> 192.168.1.10

      Then, the answer from 192.168.1.10:

      1. Arriving in LAN2: 192.168.1.10 ---> 192.168.1.1
      2. Sent through OpenVPN interface: 192.168.2.10 ---> openvpn IP

      On the local interface NAT isn't necessary. However, on the remote site it is.

      Basic laws:

      • If the remote site needs to access the same network on your site, you have to nat the destination IP of the traffic, and the remote site has to nat the source.
      • If you need to access the remote site, you must nat the source, and the remote site must nat the destination.

      To enable the remote site to access your site add a NAT 1:1 rule to the VPN interface, e.g. 10.52.66.0/24 > 192.168.1.0/24.
      NAT 1:1 does both, destination translation on incoming packets and source translation on outbound.
      The remote site has to route 10.52.66.0/24 over the VPN, or you push it and nat at least the source to the VPN IP.
      Then if the remote site wants to access 192.168.1.10 in your LAN they need to use 10.52.66.10.

      For bidirectional access, you would also need a NAT 1:1 on the remote site. This could be the same subnet in theory.
      This would mean, if you want to access 192.168.1.10 on the remote you need to type in 10.52.66.10.

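The two address-rewriting schemes discussed so far (marcelosb's NAT-1:1-plus-source-NAT plan on LAN2, and viragomann's single NAT 1:1 rule 10.52.66.0/24 > 192.168.1.0/24 on the VPN interface) can be traced packet by packet. The model below is an added example written for this page; it is not code from the thread, from pfSense or from pf. It reproduces what a pfSense NAT 1:1 rule (pf `binat`) does, translating the destination on inbound packets and the source on outbound packets while keeping the host part of the address, and adds a toy stateful outbound NAT for the LAN2 case. The VPN client 10.8.0.2 and the remote host 10.20.30.5 are constructed addresses; 192.168.1.0/24, 192.168.2.0/24, 10.52.66.0/24 and the firewall address 192.168.1.1 are the values quoted in the thread.

```python
"""Added example, not code from the thread, pfSense or pf: a model of the
address rewriting done by a pfSense NAT 1:1 rule (pf 'binat'), with and
without an extra outbound NAT rule. 10.8.0.2 and 10.20.30.5 are constructed
addresses; the other values are the ones quoted in the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the IP header fields that NAT 1:1 touches; ports are ignored."""
    src: str
    dst: str


class OneToOneNat:
    """NAT 1:1 between an external and an internal subnet of equal size.

    Inbound (towards the mapped hosts): destination external -> internal.
    Outbound (from the mapped hosts):   source internal -> external.
    The host part is preserved, so external .10 is always internal .10.
    """

    def __init__(self, external: str, internal: str) -> None:
        self.ext_net = ipaddress.ip_network(external)
        self.int_net = ipaddress.ip_network(internal)
        if self.ext_net.prefixlen != self.int_net.prefixlen:
            raise ValueError("NAT 1:1 needs two subnets of the same size")

    @staticmethod
    def _remap(addr: str, from_net, to_net) -> str:
        ip = ipaddress.ip_address(addr)
        if ip not in from_net:
            return addr                      # rule does not apply
        host = int(ip) - int(from_net.network_address)
        return str(to_net.network_address + host)

    def inbound(self, pkt: Packet) -> Packet:
        return Packet(pkt.src, self._remap(pkt.dst, self.ext_net, self.int_net))

    def outbound(self, pkt: Packet) -> Packet:
        return Packet(self._remap(pkt.src, self.int_net, self.ext_net), pkt.dst)


class OutboundNat:
    """Stateful source NAT, like a pfSense Outbound NAT rule on LAN2: the
    source of every packet leaving the interface becomes the firewall's own
    address, and the original source is remembered so the reply can be
    restored. Real pf keys state on the full 5-tuple; this toy keys on the
    inside host only."""

    def __init__(self, nat_address: str) -> None:
        self.nat_address = nat_address
        self.state: dict[str, str] = {}     # inside host -> original source

    def outbound(self, pkt: Packet) -> Packet:
        self.state[pkt.dst] = pkt.src
        return Packet(self.nat_address, pkt.dst)

    def inbound(self, pkt: Packet) -> Packet:
        if pkt.dst != self.nat_address or pkt.src not in self.state:
            return pkt                       # not a reply we translated
        return Packet(pkt.src, self.state[pkt.src])


def lan2_scenario():
    """marcelosb's plan: OpenVPN client -> 192.168.2.10, answered by the
    LAN2 host 192.168.1.10. Returns (request, on_lan2, reply, to_vpn)."""
    one_to_one = OneToOneNat("192.168.2.0/24", "192.168.1.0/24")  # NAT 1:1 on LAN2
    src_nat = OutboundNat("192.168.1.1")    # firewall address on LAN2

    request = Packet("10.8.0.2", "192.168.2.10")   # 10.8.0.2: constructed VPN client
    on_lan2 = src_nat.outbound(one_to_one.inbound(request))

    reply = Packet("192.168.1.10", "192.168.1.1")
    to_vpn = one_to_one.outbound(src_nat.inbound(reply))
    return request, on_lan2, reply, to_vpn


def remote_site_scenario():
    """viragomann's rule: NAT 1:1 10.52.66.0/24 > 192.168.1.0/24 on the VPN
    interface, no source NAT. A remote host (constructed address 10.20.30.5)
    reaches local 192.168.1.10 as 10.52.66.10. Returns (arrived, reply_out)."""
    one_to_one = OneToOneNat("10.52.66.0/24", "192.168.1.0/24")
    arrived = one_to_one.inbound(Packet("10.20.30.5", "10.52.66.10"))
    reply_out = one_to_one.outbound(Packet("192.168.1.10", "10.20.30.5"))
    return arrived, reply_out


if __name__ == "__main__":
    for step in lan2_scenario():
        print(f"{step.src:>14} ---> {step.dst}")
    print("---")
    for step in remote_site_scenario():
        print(f"{step.src:>14} ---> {step.dst}")
```

Running it prints the four LAN2 steps exactly as marcelosb listed them (openvpn IP ---> 192.168.2.10, then 192.168.1.1 ---> 192.168.1.10, and the reverse for the reply) and, for viragomann's rule, 10.52.66.10 arriving as 192.168.1.10 and leaving again as 10.52.66.10. The model only covers address rewriting; it says nothing about routing, and with LAN1 already in 192.168.1.0/24 the firewall's own routing table is the next problem, which is why the thread keeps returning to renumbering one of the two networks.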
        marcelosb @viragomann
        last edited by Nov 1, 2024, 6:36 PM

        @viragomann thank you for the effort! I appreciate any attempt to help.

        However, I am not working with IPSec. I just said it is similar to what we do with IPSec.

          viragomann @marcelosb
          last edited by Nov 2, 2024, 8:18 AM

          @marcelosb
          I was not talking about IPSec.

            johnpoz LAYER 8 Global Moderator @marcelosb
            Nov 2, 2024, 10:51 AM (last edited by johnpoz Nov 2, 2024, 10:55 AM)

            @marcelosb or you can just do it the right way and re-IP.. use of 192.168.1 was a horrible choice in the first place.

            Might be hard, might be a pita.. But it's the best way to go about it vs all this natting..

            And when you re-IP, make sure you do it in such a way that if you have to do it again it's easier.. i.e. DHCP reservations, DNS that points to what you need to get to vs IPs being used, etc etc..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              marcelosb @viragomann
              last edited by Nov 9, 2024, 2:31 AM

              @viragomann I don't think I understood then. There is no "remote site". The only layer 3 equipment is my Netgate firewall. I have two subnets on two different LANs that are equal (192.168.1.0/24). Is the solution suggested applicable?

                johnpoz LAYER 8 Global Moderator @marcelosb
                last edited by Nov 9, 2024, 3:31 AM

                @marcelosb these are local networks - renumber one.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.