Netgate Discussion Forum

PfSense as VPN Server w/NAT

    RichBayliss
    last edited by Mar 1, 2010, 12:17 PM

    Hi all,

    Mods - please move this if it is more of a NAT question, but I felt that it was more VPN specific.

    I have a (unusual?) setup which uses the pfSense machine as a VPN IPSEC server for some road warriors and off-site backup machines. I'll do an ASCII art to describe it:

    Cisco WAN Router --- Switch
                           +--- Zywall (NAT 192.168.0.x/24)(172.16.199.1/30) ---+ Private LAN Network
                           +--- pfSense (NAT 172.16.199.2/30) -----------------+

    Both the Zywall and pfSense have a public routable IP address. The Zywall is the default gateway for the LAN. Both the Zywall and pfSense have a common IP network between them (172.16.199.0/30) and are setup as the gateways for their respective networks.

    What I need is for the IPSEC packets coming in on the pfSense router to be NAT'd onto the 192.168.0.x network. As it stands they are dropped onto the LAN in the individual subnets I assign to them (e.g. 172.16.200.1), so any servers on our LAN in the 192.168.0.x range send all responses through the Zywall and onto the pfSense. If the inbound packets were NAT'd onto the 192.168.0.x network then the servers would talk direct to the pfSense and miss out the Zywall.

    How would I setup the NAT engine to do this? I have tried various settings which make sense to me, but nothing seems to work.

    I hope this makes sense, I can explain more if needed.

    Regards,

    Rich

      jimp Rebel Alliance Developer Netgate
      last edited by Mar 2, 2010, 2:30 PM

      Unfortunately, you can't mix NAT and IPsec on pfSense at this time. There was a bounty to do NAT in the other direction (e.g. before entering a tunnel) but it was withdrawn before it could be completed.

      Why not just add a static route on the Zywall that points all traffic destined for your IPsec net(s) over to the pfSense box?

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

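The asymmetric path Rich describes and the static-route fix jimp proposes can both be checked with a small routing simulation. The script below is an added example, not code from the thread or from pfSense: it models each box in the diagram as a longest-prefix-match routing table and traces the reply from a LAN server back to a road-warrior address. The sample addresses (server 192.168.0.10, IPsec client 172.16.200.1), the node names, and the assumption that the Cisco WAN router hairpins the client subnet back to pfSense before the fix (which is one way to get the "through the Zywall and onto the pfSense" path from the first post) are constructed for the simulation. It also goes one step beyond jimp's suggestion and shows the effect of putting the same route on the server itself, which removes the Zywall hop entirely.

```python
import ipaddress

# Terminal "next hops": the packet is handed to a directly connected host,
# encapsulated into the IPsec tunnel by pfSense, or sent off-site.
TERMINALS = {"deliver", "ipsec", "internet"}


def lookup(table, dst):
    """Longest-prefix-match lookup: table is a list of (prefix, next_hop)."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def trace(nodes, start, dst, max_hops=8):
    """Follow next hops from `start` toward `dst`.

    Returns the list of hops, ending in a terminal, or in "DROP" when a node
    has no route or the hop budget is exhausted (loop protection).
    """
    path = [start]
    node = start
    for _ in range(max_hops):
        hop = lookup(nodes[node], dst)
        if hop is None:
            path.append("DROP")
            return path
        path.append(hop)
        if hop in TERMINALS:
            return path
        node = hop
    path.append("DROP")
    return path


def build_nodes(zywall_static_route=False, server_static_route=False):
    """Constructed model of the thread's topology (assumed values, not a real config).

    - server: LAN host 192.168.0.10, default gateway is the Zywall.
    - zywall: LAN gateway, shares 172.16.199.0/30 with pfSense, default to Cisco.
    - pfsense: on the LAN and the /30; 172.16.200.0/24 is the IPsec client subnet.
    - cisco: WAN router; assumed to hairpin the client subnet back to pfSense.
    """
    server = [("192.168.0.0/24", "deliver"), ("0.0.0.0/0", "zywall")]
    zywall = [
        ("192.168.0.0/24", "deliver"),
        ("172.16.199.0/30", "deliver"),
        ("0.0.0.0/0", "cisco"),
    ]
    if zywall_static_route:
        # jimp's suggestion: point the IPsec client subnet at pfSense (172.16.199.2)
        zywall.append(("172.16.200.0/24", "pfsense"))
    if server_static_route:
        # Going further: a host route on the server skips the Zywall altogether
        server.append(("172.16.200.0/24", "pfsense"))
    return {
        "server": server,
        "zywall": zywall,
        "pfsense": [
            ("192.168.0.0/24", "deliver"),
            ("172.16.199.0/30", "deliver"),
            ("172.16.200.0/24", "ipsec"),
            ("0.0.0.0/0", "cisco"),
        ],
        "cisco": [("172.16.200.0/24", "pfsense"), ("0.0.0.0/0", "internet")],
    }


if __name__ == "__main__":
    client = "172.16.200.1"
    print("inbound  :", trace(build_nodes(), "pfsense", "192.168.0.10"))
    print("reply now:", trace(build_nodes(), "server", client))
    print("zywall rt:", trace(build_nodes(zywall_static_route=True), "server", client))
    print("host rt  :", trace(build_nodes(server_static_route=True), "server", client))
```

Run stand-alone it prints the four traces: the inbound packet is delivered straight from pfSense onto the LAN, the current reply wanders through the Zywall and the WAN router before reaching pfSense, the Zywall static route shortens that to server, Zywall, pfSense, and a host route on the server removes the Zywall hop entirely. Whichever route you add, it must be to pfSense's address on the shared /30 (172.16.199.2), not to its public address, or the reply leaves through the WAN again.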
        jlepthien
        last edited by Mar 3, 2010, 7:52 PM

        So is it also not possible to NAT my OPT network (WLAN) to my LAN ip address? Because I can just send packets from LAN into my company IPSec VPN and I also would like this to be possible for my WLAN clients…

        | apple fanboy | music lover | network and security specialist | in love with cisco systems |

          jimp Rebel Alliance Developer Netgate
          last edited by Mar 3, 2010, 8:11 PM

          @jlepthien:

          So is it also not possible to NAT my OPT network (WLAN) to my LAN ip address? Because I can just send packets from LAN into my company IPSec VPN and I also would like this to be possible for my WLAN clients…

          If the traffic was leaving the LAN interface, you could have a manual rule to NAT the WLAN traffic to a LAN IP in that instance, but not where IPsec is concerned, since that isn't leaving the box.

            jlepthien
            last edited by Mar 3, 2010, 8:13 PM

            @jimp:

            @jlepthien:

            So is it also not possible to NAT my OPT network (WLAN) to my LAN ip address? Because I can just send packets from LAN into my company IPSec VPN and I also would like this to be possible for my WLAN clients…

            If the traffic was leaving the LAN interface, you could have a manual rule to NAT the WLAN traffic to a LAN IP in that instance, but not where IPsec is concerned, since that isn't leaving the box.

            Yeah that is the problem. There is no IPSec interface. I have manual NAT enabled for WLAN and LAN. Will this feature be in 2.0? I mean almost any other commercial firewall can do this, this is not a big thing, is it?

              jimp Rebel Alliance Developer Netgate
              last edited by Mar 3, 2010, 8:15 PM

              The way IPsec "grabs" the traffic in the kernel, NAT can't be done on it in any traditional way.

              It's not in 2.0 now. At one point there was a bounty for it, but it was withdrawn before it was completed. Check the expired bounties forum if you want to read all the details.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.