IPSec with multiple subnets and BiNAT not NATing a specific network (non local)
Hi all, we needed to replace an old custom VPN appliance which has been retired, and in its place the external service offered an IPSec possibility which I set up with a pfSense VM. The site currently has a couple of Juniper firewalls in HA which are still handling all the network traffic, so all the "load" is still on them; the pfSense instance is just handling the new IPSec.

The remote network IPsec config imposes 2 /16 subnets (10.10.x.x and 10.11.x.x), and the service also imposes a local subnet on our side of 10.12.x.x/24, which is a different subnet than our local one (172.20). I set up 2 P2 sessions, both with BiNAT enabled, and this works fine with the default pfSense LAN subnet of 172.20.2.x: everything gets translated properly and traffic flows.

However, locally we have a few /24 subnets, specifically the DMZ 172.20.2.x in use and also a 172.20.48.x one where the PCs are, which both need to reach the endpoint (the pfSense box is on the DMZ). The PC subnet is routed to the pfSense box LAN iface from the other firewalls (IPSec target networks 10.10.x.x and 10.11.x.x -> pfSense LAN) in order for it to reach the tunnel. I tried adding another couple of P2 sessions with BiNAT enabled and specifying the source network to be translated as 172.20.48.x/24 (so in this case not the LAN interface on the DMZ subnet), but the packets fail to reach the IPSec: they reach the pfSense LAN interface (on the 172.20.2.x) but die there.

So my questions are:

- Is it not possible to enable BiNAT for a different subnet other than the one the relevant interface is bound to?
- If so, what would be the purpose of adding the "Network" option under the BiNAT options?
- Have I missed possibly an additional step to work around this?

Thanks for any clarifications or heads up.
@IT_Luke
Is your Enter key broken? The text is pretty hard to read.

@IT_Luke said in IPSec with multiple subnets and BiNAT not NATing a specific network (non local):

> So my questions are: Is it not possible to enable BiNAT for a different subnet other than the one the relevant interface is bound to?

No. How should this be natted?
If traffic from the remote site is natted to 172.20.2.0/24 it cannot be natted to 172.20.48.0/24 at the same time.
You would need a second subnet in the phase 2 for this.

However, if you only need access from 172.20.48.0/24 to the remote site, but no incoming from remote, which is the case, I think, you should be able to nat the traffic to a single unused address within the 172.20.2.0/24 subnet.
You have to put this p2 to the top then, so that it is applied before the other one.
@viragomann firstly thanks for the reply, and forgive me for the dense paragraph. I did set up a P2 per subnet. In any case I have in the meantime found a solution (which happens to coincide with what you suggested):

Firstly I switched from BiNAT to simple NAT for each target subnet and then I NATted on a single address per each subnet like this:

| Local Subnet   | Remote Subnet | NATed IP        |
|----------------|---------------|-----------------|
| 172.20.48.x/24 | 10.10.x.x/16  | 10.10.12.201/24 |
| 172.20.48.x/24 | 10.11.x.x/16  | 10.10.12.202/24 |
| 172.20.2.x/24  | 10.10.x.x/16  | 10.10.12.203/24 |
| 172.20.2.x/24  | 10.11.x.x/16  | 10.10.12.204/24 |

This way the packets from both subnets are routed and NATed through the IPSec tunnel correctly. However, even though I also added a local static route as per https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/access-firewall-over-ipsec.html to be able to be pinged by the other end for monitoring, the remote pings do not return. This may be a limitation of the above NAT setup in the IPSec. At the moment this isn't a major issue, but I should find a solution for the remote monitoring setup.

Notes:

- The BiNAT solution works only for a primary Network (the first P2 Network encountered in the list); any subsequent different specified P2 network subnet is ignored. Packets reach the firewall LAN interface but are not routed to the IPSec interface.
- I have not attempted a routed VTI IPSec approach, which I suppose will work fine also, but requires a more elaborate configuration to set up the relative IPSec-enabled interfaces, firewall rules and NAT/routing. I may take a shot at this in the future, as with the above setup it's hard if not impossible to have a fallback/secondary IPSec gateway configured if the main one dies; this would require the VTI routed approach if I'm not mistaken.

Some additional references to IPSec / NAT issues and workarounds which seem to be relevant:

- https://forum.netgate.com/topic/155132/problems-with-routed-ipsec-vti/6
- https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248474

Cheers
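The two points this thread turns on, that a phase 2 entry is matched in list order (viragomann's "put this p2 to the top") and that a subnet can be translated either 1:1 with BiNAT or collapsed onto a single NAT address as in the table above, can be checked offline with a small model of the selector matching. The following is an added example, not pfSense or strongSwan code; it assumes first-match ordering of P2 entries and uses constructed P2 tables (the final table from the thread, with each NATed IP taken as a single host address, plus a BiNAT entry onto 10.12.0.0/24 and a deliberately shadowed entry). It also flags two configuration mistakes before they reach a firewall: a BiNAT pair whose prefix lengths differ, and a narrower P2 placed below a broader one that will always match first.

```python
"""Toy model of ordered IPsec phase-2 selector matching with NAT/BiNAT.

Added example, not pfSense code. Assumption: P2 entries are evaluated top to
bottom and the first entry whose local+remote selectors match wins.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Phase2:
    local: str             # local traffic selector, e.g. "172.20.48.0/24"
    remote: str            # remote traffic selector, e.g. "10.10.0.0/16"
    nat: Optional[str]     # BiNAT network ("10.12.0.0/24"), NAT host ("10.10.12.201"), or None
    binat: bool = False    # True: 1:1 network mapping; False: all sources -> one address

    def validate(self) -> None:
        """Reject BiNAT pairs whose sizes differ and NAT entries that are not one host."""
        loc = ipaddress.ip_network(self.local)
        if self.nat is None:
            return
        if self.binat:
            natnet = ipaddress.ip_network(self.nat)
            if natnet.prefixlen != loc.prefixlen:
                raise ValueError(f"BiNAT {self.local} -> {self.nat}: prefix lengths must match")
        else:
            ipaddress.ip_address(self.nat)  # raises if not a single host address


def translate(p2s: List[Phase2], src: str, dst: str) -> Optional[Tuple[int, str]]:
    """Return (index of matching P2, translated source) or None if nothing matches.

    None models the symptom in the thread: the packet arrives on LAN but is
    never handed to the tunnel because no P2 selector covers it.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for i, p in enumerate(p2s):
        loc = ipaddress.ip_network(p.local)
        rem = ipaddress.ip_network(p.remote)
        if s not in loc or d not in rem:
            continue
        if p.nat is None:
            return i, str(s)
        if p.binat:
            # 1:1 mapping keeps the host part, swaps the network part
            offset = int(s) - int(loc.network_address)
            return i, str(ipaddress.ip_network(p.nat).network_address + offset)
        return i, p.nat  # overload: every source in the subnet becomes this one address
    return None


def shadowed(p2s: List[Phase2]) -> List[int]:
    """Indices of P2 entries that can never match because an earlier entry's
    selectors are supersets of theirs (ordering mistake to fix by moving them up)."""
    out = []
    for j, pj in enumerate(p2s):
        lj, rj = ipaddress.ip_network(pj.local), ipaddress.ip_network(pj.remote)
        for pi in p2s[:j]:
            li, ri = ipaddress.ip_network(pi.local), ipaddress.ip_network(pi.remote)
            if lj.subnet_of(li) and rj.subnet_of(ri):
                out.append(j)
                break
    return out


# Constructed tables mirroring the thread's final layout (host addresses made explicit).
NAT_TABLE = [
    Phase2("172.20.48.0/24", "10.10.0.0/16", "10.10.12.201"),
    Phase2("172.20.48.0/24", "10.11.0.0/16", "10.10.12.202"),
    Phase2("172.20.2.0/24",  "10.10.0.0/16", "10.10.12.203"),
    Phase2("172.20.2.0/24",  "10.11.0.0/16", "10.10.12.204"),
]
BINAT_TABLE = [Phase2("172.20.2.0/24", "10.10.0.0/16", "10.12.0.0/24", binat=True)]
SHADOW_TABLE = [
    Phase2("172.20.0.0/16",  "10.10.0.0/16", "10.10.12.250"),  # broad entry on top
    Phase2("172.20.48.0/24", "10.10.0.0/16", "10.10.12.201"),  # never reached
]

if __name__ == "__main__":
    for p in NAT_TABLE + BINAT_TABLE:
        p.validate()
    print(translate(NAT_TABLE, "172.20.48.10", "10.11.5.5"))   # PC subnet -> second P2
    print(translate(NAT_TABLE, "172.20.99.1", "10.10.1.1"))    # no selector covers it
    print(translate(BINAT_TABLE, "172.20.2.7", "10.10.1.1"))   # 1:1 keeps host .7
    print(shadowed(SHADOW_TABLE))                              # [1]
```

Run it as a script to see the four cases; `shadowed()` is the check to run over a P2 list whenever a subnet-specific entry seems to be ignored, since a broader entry above it will silently take the traffic.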