NAT to reach devices in two different LANs with same IP addresses
-
Hello!
I'm looking for something very similar to IPSec BINAT feature.
Here is my problem: my Netgate 4100 is connected through LAN1 into the network 192.168.1.0/24, where there are many very important devices whose IPs I cannot change. Now, we want to integrate another network so that we may reach it through VPN. However, this other network is also 192.168.1.0/24. And it is very difficult to change all the IPs of this second network.
So, I thought maybe there is some way of mapping the IPs of this new network to something else. For example, I could connect the new network in the LAN2 port. Then, through some form of NAT, I could map, say, the IP 192.168.1.10 of this network into the IP 192.168.2.10. Packets exiting LAN2 would have their source IP changed to a firewall virtual IP (let's say 192.168.1.1) and their destination IP changed to the corresponding IP in the 192.168.1.0/24 network. A packet coming through OpenVPN would have to go through the following transformations (I am representing source IP ---> destination IP):
- Arriving in OpenVPN interface: openvpn IP ---> 192.168.2.10
- Exiting through LAN2: 192.168.1.1 ---> 192.168.1.10
Then, the answer from 192.168.1.10:
- Arriving in LAN2: 192.168.1.10 ---> 192.168.1.1
- Sent through OpenVPN interface: 192.168.2.10 ---> openvpn IP
Is there any feature that does what I'm thinking? Thanks for any help.
-
@marcelosb said in NAT to reach devices in two different LANs with same IP addresses:
I'm looking for something very similar to IPSec BINAT feature.
Remember, that is done on the remote site. So you can talk to the remote site using a different IP range.
For example, I could connect the new network in the LAN2 port. Then, through some form of NAT, I could map, say, the IP 192.168.1.10 of this network into the IP 192.168.2.10. Packets exiting LAN2 would have their source IP changed to a firewall virtual IP (let's say 192.168.1.1) and their destination IP changed to the corresponding IP in the 192.168.1.0/24 network. A packet coming through OpenVPN would have to go through the following transformations (I am representing source IP ---> destination IP):
- Arriving in OpenVPN interface: openvpn IP ---> 192.168.2.10
- Exiting through LAN2: 192.168.1.1 ---> 192.168.1.10
Then, the answer from 192.168.1.10:
- Arriving in LAN2: 192.168.1.10 ---> 192.168.1.1
- Sent through OpenVPN interface: 192.168.2.10 ---> openvpn IP
On the local interface NAT isn't necessary. However, on the remote site it is.
Basic laws:
- If the remote site needs to access the same network on your site, you have to NAT the destination IP of the traffic, and the remote site has to NAT the source.
- If you need to access the remote site, you must NAT the source and the remote site must NAT the destination.
To enable the remote site to access your site add a NAT 1:1 rule to the VPN interface, e.g. 10.52.66.0/24 > 192.168.1.0/24.
NAT 1:1 does both, destination translation on incoming packets and source translation on outbound.
The remote site has to route 10.52.66.0/24 over the VPN, or you push it and nat at least the source to the VPN IP.
Then if the remote site wants to access 192.168.1.10 in your LAN they need to use 10.52.66.10. For bidirectional access, you would also need a NAT 1:1 on the remote site. This could be the same subnet in theory.
This would mean, if you want to access 192.168.1.10 on the remote you need to type in 10.52.66.10.
-
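To make the two translation schemes in this thread concrete, here is a small Python model (an added illustration, not pfSense or pf code, and not from either poster): it implements the bit-mask 1:1 mapping described in the reply above (10.52.66.0/24 on the VPN interface standing in for 192.168.1.0/24, destination translated on the way in, source translated on the way out), and the double-NAT chain from the first post (192.168.2.x rewritten to 192.168.1.x plus the source hidden behind the firewall's 192.168.1.1 on LAN2). The OpenVPN peer address 10.8.0.2 and the ports are assumptions chosen for the example.

```python
"""Model of the 1:1 NAT from the reply and the double-NAT chain from the
first post. Added illustration only; the 10.8.0.2 peer address and the
port numbers are assumptions, the subnets come from the thread."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

LAN = IPv4Network("192.168.1.0/24")         # local LAN from the thread
VPN_ALIAS = IPv4Network("10.52.66.0/24")    # 1:1 NAT range from the reply
LAN2_ALIAS = IPv4Network("192.168.2.0/24")  # OP's proposed alias for LAN2
FW_LAN2_IP = IPv4Address("192.168.1.1")     # OP's firewall virtual IP on LAN2
REMOTE_HOST = IPv4Address("10.8.0.2")       # assumed OpenVPN peer address


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


def map_host(addr, from_net, to_net):
    """Bit-mask 1:1 translation: keep the host bits, swap the network bits.
    This is what a subnet-to-subnet NAT 1:1 rule does; it is stateless."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs equal prefix lengths")
    if addr not in from_net:
        return addr  # not in the translated range: leave untouched
    host_bits = int(addr) & int(from_net.hostmask)
    return IPv4Address(int(to_net.network_address) | host_bits)


def binat_in(pkt):
    """Packet arriving on the VPN interface: translate the destination."""
    return replace(pkt, dst=map_host(pkt.dst, VPN_ALIAS, LAN))


def binat_out(pkt):
    """Reply leaving over the VPN: translate the source back to the alias."""
    return replace(pkt, src=map_host(pkt.src, LAN, VPN_ALIAS))


class DoubleNat:
    """The LAN2 idea from the first post: destination 192.168.2.x -> 192.168.1.x,
    then the source hidden behind the firewall's LAN2 address. The source NAT is
    many-to-one, so replies can only be reversed through a state table."""

    def __init__(self):
        self.state = {}  # (fw_port, real_dst, dport) -> (orig_src, orig_sport)
        self.next_port = 50000  # assumed ephemeral port range

    def vpn_to_lan2(self, pkt):
        real_dst = map_host(pkt.dst, LAN2_ALIAS, LAN)
        fw_port = self.next_port
        self.next_port += 1
        self.state[(fw_port, real_dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(FW_LAN2_IP, fw_port, real_dst, pkt.dport)

    def lan2_to_vpn(self, pkt):
        key = (pkt.dport, pkt.src, pkt.sport)
        if pkt.dst != FW_LAN2_IP or key not in self.state:
            return None  # no matching state: a stateful NAT drops it
        orig_src, orig_sport = self.state[key]
        return Packet(map_host(pkt.src, LAN, LAN2_ALIAS), pkt.sport,
                      orig_src, orig_sport)


if __name__ == "__main__":
    # 1:1 NAT: remote host talks to 10.52.66.10, the LAN host sees its real IP
    req = binat_in(Packet(REMOTE_HOST, 40000, IPv4Address("10.52.66.10"), 22))
    print("1:1 in :", req.src, "->", req.dst)
    rep = binat_out(Packet(IPv4Address("192.168.1.10"), 22, REMOTE_HOST, 40000))
    print("1:1 out:", rep.src, "->", rep.dst)
    # double NAT: the four steps from the first post
    n = DoubleNat()
    out = n.vpn_to_lan2(Packet(REMOTE_HOST, 40000, IPv4Address("192.168.2.10"), 22))
    print("LAN2 out:", out.src, "->", out.dst)
    back = n.lan2_to_vpn(Packet(IPv4Address("192.168.1.10"), 22, FW_LAN2_IP, out.sport))
    print("VPN  out:", back.src, "->", back.dst)
```

The 1:1 mapping needs no state because every address maps to exactly one other address in both directions; the many-to-one source NAT on the LAN2 leg does, which is the extra bookkeeping the double-NAT design carries over plain 1:1 NAT.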
@viragomann thank you for the effort! I appreciate any attempt to help.
However, I am not working with IPsec. I just said it is similar to what we do with IPsec.
-
@marcelosb
I was not talking about IPsec.
-
@marcelosb or you can just do it the right way and re-IP.. use of 192.168.1 was a horrible choice in the first place.
Might be hard, might be a pita.. But it's the best way to go about it vs all this NATting..
And when you re-IP, make sure you do it in such a way that if you have to do it again it's easier.. ie DHCP reservations, DNS that points to what you need to get to vs IPs being used, etc etc..
-
@viragomann I don't think I understood then. There is no "remote site". The only layer 3 equipment is my Netgate firewall. I have two subnets on two different LANs that are equal (192.168.1.0/24). Is the solution suggested applicable?
-
@marcelosb these are local networks - renumber one.