NAT LAN through IPSec tunnel
- 
 I have a scenario in which I need to establish an IPSec tunnel with a customer that does not allow local networks with private address spaces (which, of course, ours is). I have successfully established a test tunnel with pfSense that looks like:

 Interface: WAN
 Local Subnet: 146.145.a.b/32 <- IP address of pfSense WAN Interface
 Remote Subnet: 10.10.10.0/24 <- Customer's subnet

 And, as expected, from the Diagnostics->Ping, I can successfully bring up the tunnel and ping addresses in the 10.10.10.0/24 address space. What I would like to do now is one of two things (whichever works and is easy to implement):
 - Route all traffic from our private LAN to 10.10.10.0/24 through the tunnel, NAT'ing the traffic to the WAN interface address (146.145.a.b) in the process
 - Create a virtual IP address in the LAN that acts as a SNAT to the WAN interface and DNAT to an IP in the customer's address space

 Are either of these two possible with pfSense? I've spent quite a bit of time reading through forums and it appears to me as if one of these should work, but for all my tinkering I haven't been able to make it happen. Any help you could provide would be greatly appreciated! Thanks!
- 
 VPNs are for binding 2 or more networks,
 so there is no NAT between them.
- 
 Unless you are bridging over the IPSec interface, technically the tunnel itself is just another route through a virtual interface (even though it may not be actually implemented that way) and therefore doesn't seem (to me) any more or less suitable for NAT'ing; I've done this sort of configuration through PIX firewalls, as well as directly on Linux with OpenVPN+iptables, and Solaris with OpenVPN+ipf before. In fact, one of the nice features I like of the PIX was the ability to do 1:1 NAT'ing to expose a single IP address on the remote network into the LAN as a LAN address, so the host looked like a local resource. However, to your point, what I am asking is for the bridging of the VPN tunnel to the LAN to be treated exactly the same as the LAN and the WAN.
 That is, have the tunnel defined as a single address (/32) (the virtual "WAN"), but have a LAN behind that address NAT'ing through the tunnel. Thanks for the reply.
- 
 Others have asked about this a few times in the past, and numerous times on the m0n0wall list, and nobody has ever been able to find a solution. It's certainly a desirable feature, if you can find a way to implement it I'm sure patches would be accepted.