How to Do NAT ….
-
Okay, here's my situation..
I have one PFSense box at home, I'll call it PF1. To this I connected my internal LAN 192.168.0.0/24 and an internet connection. The internal LAN is NAT-ed for outside connections.
From my PF1 firewall, I set up an IPSEC connection over the internet to another PFSense device in another location, I'll call it PF2.
PF2 has a similar setup, a bunch of internal subnets using 10.x.x.x/24 subnets which are all NAT-ed to the outside world for internet connectivity.
The IPSEC works fine, I can reach addresses on both sides etc.
Now for my, uhm, challenge... I want to set up my PF1 box in such a way that my internal 192.168.0.0/24 is represented to the PF2 box (through the IPSEC VPN) as 172.16.0.0/24.
So if I ping a host behind PF2 from my local LAN with a source IP of 192.168.0.1, the receiving host behind PF2 will think it comes from 172.16.0.1. If one of the hosts behind PF2 wants to connect to the 1:1 NAT IP 172.16.0.34, it will actually be talking to my internal 192.168.0.34.
So as far as PF2 and all networks behind it are concerned, my internal LAN is 172.16.0.0/24, which will be NAT-ed to and from the 192.168.0.0/24 subnet/interface by my PF1 box.
The 1:1 NAT should only work if I try to go to the PF2 site through my IPSEC tunnel. If I stay internal it should remain 192.168.0.0/24, and if I go outside to the internet it should be NAT-overloaded behind my external IP.
I have been trying to figure out how to do this in PFSense but can't get it to work. Anyone got this kind of scenario working?
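The policy described in the post (1:1 mapping of 192.168.0.0/24 to 172.16.0.0/24 only for traffic inside the tunnel, plain LAN traffic untouched, internet traffic overloaded behind the WAN address) is easy to get wrong, so here is an added model of it in Python. This is an illustration written for this thread, not pfSense code or configuration. The 192.168.0.0/24 and 172.16.0.0/24 ranges are taken from the post; the summary 10.0.0.0/8 for PF2's networks and the WAN address 203.0.113.10 are constructed placeholders.

```python
"""Model of a 1:1 (BINAT) translation that applies only to IPsec tunnel traffic.

Constructed example for the thread above; the address ranges for PF2 and the
WAN are placeholders, not values from any real deployment.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")            # real LAN behind PF1 (from the post)
LAN_SEEN_BY_PF2 = ipaddress.ip_network("172.16.0.0/24") # how PF2 should see that LAN (from the post)
PF2_SUBNETS = [ipaddress.ip_network("10.0.0.0/8")]      # assumption: PF2's 10.x.x.x/24 nets summarized
PF1_WAN_IP = ipaddress.ip_address("203.0.113.10")       # constructed placeholder WAN address


def binat_map(addr, from_net, to_net):
    """1:1 translation: keep the host offset, swap the network prefix.

    Both networks must be the same size, otherwise the mapping is not bijective.
    """
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT needs equally sized networks")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


def translate_outbound(src, dst):
    """Packet from the LAN side of PF1; returns (new_src, new_dst, action)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in LAN:
        return str(src), str(dst), "no-nat"          # not our LAN, leave it alone
    if dst in LAN:
        return str(src), str(dst), "local"           # LAN to LAN: never translated
    if any(dst in net for net in PF2_SUBNETS):
        # Destination is behind PF2, so the packet enters the tunnel with the
        # mapped source address. The mapping is stateless and reversible.
        return str(binat_map(src, LAN, LAN_SEEN_BY_PF2)), str(dst), "ipsec-binat"
    # Everything else goes to the internet, hidden behind the single WAN IP
    # (overload / PAT; the port rewrite is not modelled here).
    return str(PF1_WAN_IP), str(dst), "wan-overload"


def translate_inbound_from_tunnel(src, dst):
    """Packet arriving at PF1 out of the IPsec tunnel; returns (new_src, new_dst, action)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in LAN_SEEN_BY_PF2 and any(src in net for net in PF2_SUBNETS):
        # PF2's hosts address 172.16.0.x; rewrite to the real 192.168.0.x host.
        return str(src), str(binat_map(dst, LAN_SEEN_BY_PF2, LAN)), "ipsec-binat"
    # With this policy nothing else is expected from the tunnel; a firewall
    # would drop it rather than forward it to the real LAN addresses.
    return str(src), str(dst), "drop"


if __name__ == "__main__":
    for pkt in [("192.168.0.1", "10.1.1.5"),
                ("192.168.0.34", "192.168.0.7"),
                ("192.168.0.34", "198.51.100.9")]:
        print("out ", pkt, "->", translate_outbound(*pkt))
    for pkt in [("10.1.1.5", "172.16.0.34"), ("10.1.1.5", "192.168.0.34")]:
        print("in  ", pkt, "->", translate_inbound_from_tunnel(*pkt))
```

Two points the model makes visible: the mapping has to be applied on both directions of the tunnel and is only reversible when the two /24s are the same size, and the Phase 2 "local network" that PF2 negotiates against is the translated 172.16.0.0/24, not the real LAN. That is why the answer below says the NAT belongs at the IPsec level; in pfSense the Phase 2 entry carries a "NAT/BINAT translation" field for exactly this purpose, with the real LAN as the local network and 172.16.0.0/24 as the translated address.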
-
I am confused. Should I use a virtual IP, DMZ or what? I cannot change my whole local LAN IPs 192.x.x.x, it's a hard job, and PF2 is configured for 172.x.x.x and they cannot change it. Is there a short way to save maximum work??
-
First, if you want to post in English, you should post in the English section ;)
Then, I have to admit that I don't understand what's behind this idea of forcing this kind of "double-NAT". IPSec doesn't work very well with NAT, although this is feasible. In any case, if you want NAT only when using the IPSec tunnel, then you will have to configure this NAT at IPSec level. But why???