Netgate Discussion Forum

    Outbound Nat to VIP for certain destinations

      ndee

      Hello,

      Maybe someone can help with this.
      First of all, the environment:

      –  (LAN2) -- VPN Router1 -- (INET) -- VPN Router -- customer1 Subnets
      (LAN1) -- pfSense 1.2.3/no def.GW on this IF -- (LAN2-VIP) -- VPN Router2 -- (INET) -- VPN Router -- customer2 Subnets

      Because of overlapping subnets, I would like to NAT for certain destination subnets (customer2) on pfSense interface LAN2.
      So I created a virtual IP (Proxy ARP) on LAN2.
      I created a static route to the customer2 subnets via LAN2-VIP, and outbound NAT for LAN1 to LAN2-VIP.

      The problem:
      LAN2-VIP is not reachable (from VPN Router2) and the static route does not appear in the routing table.

      What did I do wrong? Any ideas?

      Thank you in advance
      Daniel

        ndee

        Hello,

        Okay, I found out that it is not possible for pfSense to use VIPs internally (as described in the wiki).

        So I configured a secondary IP on the LAN2 interface (edited the config file). Now I can see my static routes in the routing table,
        but packets leaving the LAN2 interface are NATed neither to this secondary IP nor to the interface (primary) IP.
        A reboot brought no improvement.

        I want to NAT the LAN subnet to the secondary IP of the OPT interface for certain destination subnets. Is this possible?

        Does anyone have any idea?

        Thank you in advance
        Daniel

          cmb

          It's definitely possible in 2.x. I don't recall for sure offhand whether it was in 1.2x, but pretty sure it is there too.

            ndee

            Hello,

            Thank you for your reply. It works only sometimes (without configuration changes!).
            Sometimes it sends via the secondary IP and then the destination is reachable, but sometimes
            it seems that it tries to send via the WAN interface (then I can't see any packet in the log of my VPN router).
            I can't figure out why …

            Do you have any suggestions?

            Thank you in advance
            Daniel

              ndee

              Hello,

              Maybe this is interesting for anybody who has the same challenge. I finally got it to work when I additionally configured a VIP with the same
              address as the secondary IP, so that I could select it in the outbound NAT configuration as the NAT address.

              Best regards
              Daniel
