Netgate Discussion Forum
    Questions about doing NAT within an IPSEC VPN

    NAT · 5 Posts · 3 Posters · 2.4k Views
      CmdrFenix

      Hi there, I have been working a lot with pfSense and I have to say, wow… amazing platform. I am having some issues and have a few questions I'd like to throw out there. I currently have a large Linux-based firewall setup (in excess of 100 units) that I'm interested in using pfSense for, but I've hit a few snags related to some custom stuff I do. OK, here is the deal:

      1. I use Red Hat Linux right now with FreeS/WAN IPsec with KLIPS. Because of this I actually have an ipsec0 interface tied to my WAN. Now with Netfilter, I've set up NAT within the VPNs to masquerade the internal network because both sides use the same network block. It works great, but I want something with a nice web interface that I need to hack and write myself. :) This is the first issue.

      2. In some circumstances I have had to create point-to-subnet connections with FreeS/WAN.

      192.168.1.0/24 ---- [ Firewall ] ---------------- [ Firewall ] ---- 192.168.1.0/24
                          172.24.1.0/24                  172.24.2.0/24

      Now with an IPsec connection in this scenario, the second firewall is actually a SonicWall running Enhanced OS. It has an OPT interface which I need to bring back to the main site, but since it already has an SA to that network range (the 1.0/24 translated), I have to set up a connection from the external interface of the firewall to the 3.0/24 and perform standard masquerading on anything to the 3.0/24 block.

      I'm just curious what everyone thinks about this. If this is a new feature, I'll gladly put in a feature request with a money contribution. Think about the value of this, though: you can now compete with major firewall players, and you've eliminated the problems with overlapping subnets.

      Thoughts?

      Regards,
      Jon

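The mechanism the post describes, as an added example that is not code from the thread, from FreeS/WAN or from pfSense: a small model of 1:1 network translation (the Linux iptables NETMAP target, or pf's binat) applied on the tunnel side of the firewall, so that two sites which both use 192.168.1.0/24 reach each other through the 172.24.1.0/24 and 172.24.2.0/24 aliases drawn in the diagram. The IPsec phase 2 selectors carry only the aliases; the real LANs never appear inside the tunnel. The host addresses and packets are constructed for illustration, and the `Site`/`Packet` names are this example's own.

```python
# Added example (not from the thread or from pfSense): 1:1 network translation
# (iptables NETMAP / pf binat style) in front of an IPsec tunnel so two sites
# that both use 192.168.1.0/24 can talk through the aliases from the post.
# Host addresses and packets below are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def netmap(addr, from_net, to_net):
    """Rewrite addr from from_net into to_net, keeping the host bits.
    This is what NETMAP / binat do; both networks must be the same size."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 translation needs equal-sized networks")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_bits = int(addr) - int(from_net.network_address)
    return to_net.network_address + host_bits


class Site:
    """One VPN endpoint: its real LAN, the alias it shows the peer, and the
    alias under which it expects to see the peer's LAN (hypothetical model)."""

    def __init__(self, lan, alias, peer_alias):
        self.lan = ipaddress.ip_network(lan)
        self.alias = ipaddress.ip_network(alias)
        self.peer_alias = ipaddress.ip_network(peer_alias)

    def selectors(self):
        """Traffic selectors the IPsec SA carries; the real LAN never appears."""
        return (self.alias, self.peer_alias)

    def outbound(self, pkt):
        """NAT before encapsulation (POSTROUTING on ipsec0 / binat on enc0):
        a LAN source headed for the peer alias is rewritten to our alias."""
        if pkt.src in self.lan and pkt.dst in self.peer_alias:
            return Packet(netmap(pkt.src, self.lan, self.alias), pkt.dst)
        return pkt

    def inbound(self, pkt):
        """Reverse translation after decapsulation: our alias becomes the LAN host."""
        if pkt.src in self.peer_alias and pkt.dst in self.alias:
            return Packet(pkt.src, netmap(pkt.dst, self.alias, self.lan))
        return pkt


def policy_problems(a, b):
    """Checks worth running before bringing the tunnel up."""
    problems = []
    if a.selectors() != (b.peer_alias, b.alias):
        problems.append("the two ends disagree on the traffic selectors")
    for site in (a, b):
        if site.alias.overlaps(site.lan):
            problems.append(f"alias {site.alias} overlaps the local LAN {site.lan}")
        if site.peer_alias.overlaps(site.lan):
            problems.append(f"peer alias {site.peer_alias} overlaps the local LAN "
                            f"{site.lan}: those packets never enter the tunnel")
    if a.alias.overlaps(b.alias):
        problems.append("the two aliases overlap each other")
    return problems


def round_trip(a, b, src_host, dst_alias_host):
    """Carry one request from a host at site a to a host at site b (addressed by
    its alias) and the reply back. Returns (request on the wire, request as the
    b-side host sees it, reply as the a-side host sees it)."""
    request = Packet(ipaddress.ip_address(src_host), ipaddress.ip_address(dst_alias_host))
    on_wire = a.outbound(request)
    # what leaves site a must match its own selectors or the SA will not carry it
    assert on_wire.src in a.selectors()[0] and on_wire.dst in a.selectors()[1]
    at_b = b.inbound(on_wire)
    reply_on_wire = b.outbound(Packet(at_b.dst, at_b.src))
    at_a = a.inbound(reply_on_wire)
    return on_wire, at_b, at_a


# The scenario from the post: both LANs are 192.168.1.0/24.
SITE_A = Site("192.168.1.0/24", "172.24.1.0/24", "172.24.2.0/24")
SITE_B = Site("192.168.1.0/24", "172.24.2.0/24", "172.24.1.0/24")
# Without translation the selectors would be the overlapping LANs themselves.
NAIVE_A = Site("192.168.1.0/24", "192.168.1.0/24", "192.168.1.0/24")
NAIVE_B = Site("192.168.1.0/24", "192.168.1.0/24", "192.168.1.0/24")

if __name__ == "__main__":
    print(policy_problems(SITE_A, SITE_B))      # []
    print(policy_problems(NAIVE_A, NAIVE_B))    # overlap complaints
    for p in round_trip(SITE_A, SITE_B, "192.168.1.10", "172.24.2.20"):
        print(p)
```

Hosts at site A address their peers as 172.24.2.x, never as 192.168.1.x, which is why the reply arrives with the alias as its source and the local routing table never gets a chance to swallow the packet. The same check applies to the SonicWall case in the post: the OPT network's selector must not collide with the range an existing SA already claims.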
        CmdrFenix

        Sorry about the poll… Not used to these forums. :)


          eri--

          Put in the feature request.
          It is doable; it just has to be integrated into the GUI.


            iorx

            Hello!

            Bringing an old thread back to life :-). Is there a way to do this until the GUI feature may be available? Editing a conf file or so?

            I'm in great need of this feature.

            Brgs,
            /iorx


              iorx

              Reply to myself…

              Some more info on the subject.

              This is what I would like to do, but in pfSense. Doable?

              http://www.mail-archive.com/misc@openbsd.org/msg13901.html

              and the answer in this case:
              http://www.mail-archive.com/misc@openbsd.org/msg14011.html

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.