NAT 1:1 through Wireguard
-
Hi everyone, I have to connect two offices via WireGuard and reach the remote office's IPs via addresses different from those assigned to their internal network. The situation at the moment is this:
site A: 192.168.0.0/24
WG ip: 172.16.0.1
site B: 192.168.1.0/24
WG ip: 172.16.0.2
The tunnel is established between a MikroTik on side A and pfSense on side B.
On side B I added a virtual proxy ARP IP on the OPT1 interface with subnet 172.16.1.1/24; on the firewall I added a 1:1 NAT rule on the OPT1 interface with the WG IP as external subnet IP and the network of site B as internal. At this point from site A I can ping both the WG IP of site B and the virtual proxy ARP IP that I set.
The problem occurs when I try to ping a machine in branch B via the subnet I set in the 1:1 NAT (for example, if I wanted to ping 192.168.1.100 I should use 172.16.1.100): I get no response. On MikroTik instead I get the desired result using netmap as the action in the firewall rules.
does anyone have any idea where I'm going wrong? -
@_deadpool_
You might rather want to use 172.16.1.0 as the external IP in the NAT 1:1 rule. However, this means that the remote site will see access coming from 172.16.1.0/24. So you have to add this subnet to the allowed IPs in the WG settings at A.
And there is no need to add a proxy ARP to the wg interface for natting traffic.
-
@viragomann said in NAT 1:1 through Wireguard:
@_deadpool_
You might rather want to use 172.16.1.0 as the external IP in the NAT 1:1 rule. However, this means that the remote site will see access coming from 172.16.1.0/24. So you have to add this subnet to the allowed IPs in the WG settings at A.
And there is no need to add a proxy ARP to the wg interface for natting traffic.
Hi, thanks for the reply.
I tried to set the rule as you stated, but the result is the same. On the site A side everything is set correctly; if on the site B side I put a MikroTik it works. I think I'm missing something in the pfSense configuration, as I'm not very proficient in configuring pfSense (I used to work with MikroTik). Can you please explain to me how I have to configure pfSense to achieve my goal? Basically I followed the 1:1 NAT configuration guide, but I can't manage to make it work.. -
@_deadpool_
Maybe you should better explain what you intend to achieve exactly first. Up to now you have only described what you did. -
@viragomann sorry, I just saw that I missed some words.. Basically I want to reach the site B side with the class 172.16.1.0/24 instead of 192.168.1.0/24 from site A through the WireGuard tunnel. I can do this in MikroTik by making a loopback interface with address 172.16.1.1/24 and making a dstnat rule from src address 172.16.1.0/24 with action netmap to address 192.168.1.0/24. This rule translates 1:1 every IP of the subnet 192.168.1.0/24 into the corresponding IP of the 172.16.1.0/24 subnet. I can't manage to make this work in pfSense; I'm for sure missing something, but as I'm not an expert in pfSense configuration I don't know what I am missing.
Thanks again! -
@_deadpool_
It should work with a 1:1 like this:
interface: WG (you wrote above you have assigned OPT1 to the wg instance)
External subnet IP: 172.16.1.0
internal IP: Network > 192.168.1.0/24 (or LAN subnet)
However as mentioned, you have to ensure that 172.16.1.0/24 is allowed in the remote's WG settings and firewall.
In case of doubts, sniff the traffic on the WG interface to verify if the rule works.
-
@viragomann ok, thanks, I'll let you know if this works, thanks again!
-
@viragomann said in NAT 1:1 through Wireguard:
@_deadpool_
It should work with a 1:1 like this:
interface: WG (you wrote above you have assigned OPT1 to the wg instance)
External subnet IP: 172.16.1.0
internal IP: Network > 192.168.1.0/24 (or LAN subnet)
...ok, I modified the configuration using the interface WireGuard instead of OPT1 as you stated, but I'm in the same situation. In the peer configuration the subnet is already allowed.
@viragomann said in NAT 1:1 through Wireguard:
...
However as mentioned, you have to ensure that 172.16.1.0/24 is allowed in the remote's WG settings and firewall.
...
I don't understand this, you mean there is something to do at site A? I don't think so, as at site B if I use a MikroTik it works without touching the site A configuration. If it means that I have to do something in Firewall > Rules at site B I don't understand what I'm missing; even in site B I can't ping machines in the LAN using the 172.16.1.0/24 class. Pinging from site A shows in packet capture:
17:44:47.026691 IP 172.16.0.1 > 172.16.1.1: ICMP echo request, id 8335, seq 7, length 64
17:44:47.026710 IP 172.16.1.1 > 172.16.0.1: ICMP echo reply, id 8335, seq 7, length 64
which seems to show that packets are arriving from site A and they get replied to, but pinging another machine that exists and is up I get no reply, like this:
17:46:37.026691 IP 172.16.0.1 > 172.16.1.100: ICMP echo request, id 8335, seq 7, length 64
Pinging from site B the WG IP of the site B pfSense I get:
17:48:44.450593 IP 172.16.0.1 > 172.16.0.2: ICMP echo request, id 55040, seq 57612, length 36
17:48:44.450614 IP 172.16.0.2 > 172.16.0.1: ICMP echo reply, id 55040, seq 57612, length 36
and I get the same pinging every host in the 172.16.0.0/24 subnet from site B.
I still can't figure out what I'm missing.
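As an added troubleshooting aid (not code from the thread or from pfSense), the following Python script pairs ICMP echo requests with their replies in tcpdump lines shaped like the captures above and, for every external destination that stayed unanswered, computes which internal host the 1:1 (netmap-style) mapping should have delivered it to. The function names are my own, and the sample capture lines are constructed here from the thread's examples.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the tcpdump lines quoted in the thread:
# one answered ping to the 1:1 external address, one unanswered ping to a
# host that should be reachable through the mapping.
CAPTURE = """\
17:44:47.026691 IP 172.16.0.1 > 172.16.1.1: ICMP echo request, id 8335, seq 7, length 64
17:44:47.026710 IP 172.16.1.1 > 172.16.0.1: ICMP echo reply, id 8335, seq 7, length 64
17:46:37.026691 IP 172.16.0.1 > 172.16.1.100: ICMP echo request, id 8335, seq 7, length 64
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_icmp_lines(text):
    """Extract (src, dst, kind, id, seq) from tcpdump ICMP echo lines; other lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkts.append((m["src"], m["dst"], m["kind"], int(m["id"]), int(m["seq"])))
    return pkts


def unanswered_echoes(text):
    """Per (src, dst) pair, count echo requests with no matching reply.
    A reply matches when its addresses are reversed and its id/seq are identical."""
    pkts = parse_icmp_lines(text)
    replies = {(dst, src, i, s) for src, dst, kind, i, s in pkts if kind == "reply"}
    missing = defaultdict(int)
    for src, dst, kind, i, s in pkts:
        if kind == "request":
            missing[(src, dst)] += (src, dst, i, s) not in replies
    return dict(missing)


def netmap(addr, external, internal):
    """1:1 translation as netmap does it: keep the host offset, swap the network."""
    ext = ipaddress.ip_network(external)
    internal_net = ipaddress.ip_network(internal)
    offset = int(ipaddress.ip_address(addr)) - int(ext.network_address)
    return str(internal_net.network_address + offset)


def unreached_internal_hosts(text, external, internal):
    """Map each unanswered destination inside the external subnet to the internal host behind it."""
    ext = ipaddress.ip_network(external)
    return {dst: netmap(dst, external, internal)
            for (_, dst), n in unanswered_echoes(text).items()
            if n and ipaddress.ip_address(dst) in ext}
```

Run it on a capture taken with the WG interface selected in Diagnostics > Packet Capture: a non-empty result lists the internal hosts whose translated traffic never came back, which is the point to check the 1:1 rule and the LAN-side return path for.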