    NAT OpenVPN Traffic Before IPSec

    4 Posts 2 Posters 2.8k Views
    • paulcsiki

      Hello Everyone,

      I am a pleased customer of pfSense. It does all the magic I don't need to worry about, until this problem occurred:

      Consider this scenario:

      Main LAN Subnet: 192.168.180.0/24
      IPSec Tunnels: 129.10.3.0/24 and two more.
      OpenVPN Client Subnet: 10.0.0.0/24

      I need to NAT OpenVPN traffic to 192.168.180.0/24 before passing through IPSec however only for traffic that targets IPSec networks.

      For instance 192.168.180.0/24 will not NAT as 192.168.180.0/24 but 129.10.3.0/24 will NAT as 192.168.180.0/24.

      I remember doing this with Endian firewall, but it seems to be a lot more complicated to do with pfSense.

      I already pushed the routes to OpenVPN to the IPSec networks, only NAT remains.

      I tried playing around with Manual Outbound NAT but I don't know how to configure it properly and it seems that whenever I turn off Automatic Outbound NAT the IPSec traffic stops working.

      Can anyone help me on this?

      Thank You,
      Paul Csiki.

      • paulcsiki

        I have created manual NAT rules but they just won't work. OpenVPN traffic doesn't get translated to the subnet I pick.

        My rule is:

        Interface: OpenVPN
        Source: 10.0.0.0/24
        Source Port: *
        Destination: 192.168.180.0/24
        Destination Port: *
        Translate To: 192.168.180.0/24
        NAT Port: *
        Static: NO

        But when I capture traffic on the OpenVPN interface I still see the OpenVPN IPs:

        09:35:25.334625 IP (tos 0x0, ttl 128, id 779, offset 0, flags [DF], proto TCP (6), length 514)
            10.0.0.26.1501 > 192.168.180.1.443: Flags [P.], cksum 0x3788 (correct), seq 123259017:123259491, ack 2592290764, win 4076, length 474
        09:35:25.334705 IP (tos 0x0, ttl 64, id 34568, offset 0, flags [DF], proto TCP (6), length 40)
            192.168.180.1.443 > 10.0.0.26.1501: Flags [.], cksum 0x836b (correct), seq 1, ack 474, win 514, length 0
        

        Am I doing something wrong?

        • jimp (Rebel Alliance Developer, Netgate)
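        As an added check on the rule above (example code written for this page, not part of the thread and not pfSense code), the script below models the posted rule's match fields against the requirement stated in the first post and runs the capture lines through it. Two things fall out of the thread's own numbers: the rule's destination, 192.168.180.0/24, is the LAN that the first post says must not be translated, and the IPsec network 129.10.3.0/24 that should be translated lies outside it. A separate point about the capture: pfSense outbound NAT is applied as traffic leaves an interface, so a capture on the interface the OpenVPN client traffic arrives on shows the client addresses whether or not a translation happens further along; the egress side is where a translated address would be seen. The third capture line (to 129.10.3.5) is constructed for the example; the first two are the lines from the post. The "two more" IPsec networks are not named in the thread and are left out.

```python
"""Audit an outbound NAT rule against tcpdump output.

Added example, not code from the forum thread or from pfSense. It re-creates
the thread's scenario: OpenVPN clients 10.0.0.0/24, LAN 192.168.180.0/24,
one IPsec remote 129.10.3.0/24, and the requirement that only traffic bound
for the IPsec remote be translated into the LAN range.
"""
import ipaddress
import re
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.180.0/24")
OPENVPN_CLIENTS = ipaddress.ip_network("10.0.0.0/24")
IPSEC_REMOTES = [ipaddress.ip_network("129.10.3.0/24")]  # only remote named in the thread


@dataclass(frozen=True)
class OutboundNatRule:
    """The match/translate fields of a pfSense outbound NAT rule as listed in the post."""
    interface: str
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    translate_to: ipaddress.IPv4Network

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        return src in self.source and dst in self.destination


# The rule exactly as posted: OpenVPN, 10.0.0.0/24 -> 192.168.180.0/24, translate to 192.168.180.0/24.
POSTED_RULE = OutboundNatRule("OpenVPN", OPENVPN_CLIENTS, LAN, LAN)


def nat_required(dst: ipaddress.IPv4Address) -> bool:
    """Requirement from the first post: translate only traffic bound for an IPsec remote."""
    return any(dst in net for net in IPSEC_REMOTES)


def rule_scope_problems(rule: OutboundNatRule) -> list[str]:
    """Compare the rule's destination field against the requirement."""
    problems = []
    for net in IPSEC_REMOTES:
        if not net.subnet_of(rule.destination):
            problems.append(f"{net} must be translated but is outside rule destination {rule.destination}")
    if rule.destination.overlaps(LAN):
        problems.append(f"rule destination {rule.destination} overlaps LAN {LAN}, which must stay untranslated")
    return problems


# tcpdump -n flow line: "src.sport > dst.dport: Flags [...]"; timestamp/header lines do not match.
_FLOW_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_flows(capture: str) -> list[tuple]:
    """Extract (src, sport, dst, dport) tuples from tcpdump text."""
    flows = []
    for line in capture.splitlines():
        m = _FLOW_RE.match(line)
        if m:
            flows.append((ipaddress.ip_address(m.group(1)), int(m.group(2)),
                          ipaddress.ip_address(m.group(3)), int(m.group(4))))
    return flows


def audit(rule: OutboundNatRule, capture: str) -> list[dict]:
    """Classify each packet sourced from an OpenVPN client; return traffic is skipped."""
    report = []
    for src, sport, dst, dport in parse_flows(capture):
        if src not in OPENVPN_CLIENTS:
            continue
        matched, required = rule.matches(src, dst), nat_required(dst)
        if required and not matched:
            verdict = "translation required, but the rule does not match this destination"
        elif matched and not required:
            verdict = "rule matches traffic that must not be translated"
        elif matched and required:
            verdict = "rule matches; client address still visible on this interface"
        else:
            verdict = "no translation required"
        report.append({"flow": f"{src}:{sport}->{dst}:{dport}", "rule_matches": matched,
                       "nat_required": required, "verdict": verdict})
    return report


# First two packets are the capture from the post; the third is constructed for this example.
SAMPLE_CAPTURE = """\
09:35:25.334625 IP (tos 0x0, ttl 128, id 779, offset 0, flags [DF], proto TCP (6), length 514)
    10.0.0.26.1501 > 192.168.180.1.443: Flags [P.], cksum 0x3788 (correct), seq 123259017:123259491, ack 2592290764, win 4076, length 474
09:35:25.334705 IP (tos 0x0, ttl 64, id 34568, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.180.1.443 > 10.0.0.26.1501: Flags [.], cksum 0x836b (correct), seq 1, ack 474, win 514, length 0
09:35:26.000000 IP (tos 0x0, ttl 128, id 780, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.26.1502 > 129.10.3.5.22: Flags [S], seq 1, win 8192, length 0
"""

if __name__ == "__main__":
    for problem in rule_scope_problems(POSTED_RULE):
        print("rule:", problem)
    for row in audit(POSTED_RULE, SAMPLE_CAPTURE):
        print(row["flow"], "->", row["verdict"])
```

        Run against the posted rule, the scope check reports both mismatches, and the audit flags the LAN-bound packet as matched-but-should-not-be and the IPsec-bound packet as required-but-unmatched. The classification is only about which packets the rule's match fields select; it does not claim that a corrected rule would work, which is the separate point the reply below makes about NAT and IPsec on this version.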

          NAT+IPsec won't work together in that way.

          Even on 2.1 where you can do NAT+IPsec in the Phase 2 settings, I'm not sure you can cover that exact scenario.

          Why not just add another Phase 2 to the IPsec tunnel to cover the OpenVPN subnet? That would be the simplest solution, if the other side will let you.


          • paulcsiki

            Hello,

            Thank you for your reply. The other side will not permit another P2 tunnel. I have created a second OpenVPN server that lies under the same subnet used by the existing P2 tunnel of IPSec and it seems to be working this way.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.