Netgate Discussion Forum
    How to enable internal NAT

    lyntonjennings wrote:

      Hi all,

      I have a LAN at my office with 2 different gateways (one old IPCop firewall & one pfSense firewall). - busy changing all my firewalls to pfSense :)

      I have about 10 PCs on the LAN all on the same subnet (50.0.0.0/24).

      The IPCop (Firewall A) LAN is "50.0.0.150" and the pfSense (Firewall B) LAN is "50.0.0.151".

      9 of the PCs point to default gateway 50.0.0.150 and 1 (for testing purposes for now) is pointing to default gateway 50.0.0.151.

      From a remote location (home), when I connect my OpenVPN to Firewall A, I can only ping the PCs using that firewall (Firewall A) as a default gateway.
      When I then connect my OpenVPN to Firewall B, I can only ping the 1 PC that is using Firewall B as its gateway.

      I would like to be able to connect via VPN to Firewall B and ping all the devices on the LAN regardless of what those devices default gateways are.

      I was told that I need to enable internal NAT, and that's where I am stuck.

      Logic tells me that the ping request gets all the way to the device on the LAN, but then the return path of that request is trying to go through the default gateway specified on that device. So I just need to set up a firewall rule, a static route or a NAT rule etc. If so please assist.

      Hope I have provided enough info above.

      Thank you.

      viragomann wrote:

        If you want to solve this with static routes you have to add a route to each LAN host directing the vpn tunnel subnet to pfSense.

        If you want to do it with NAT, you have to add an outbound NAT rule to LAN for the tunnel subnet.
        Set the outbound NAT rule configuration to manual or hybrid mode. Then add a new rule:
        Interface: LAN
        Source: VPN tunnel network
        Translation: interface address

        This NAT rule translates source addresses of packets from the vpn subnet to the LAN address, so responses are addressed back to pfSense.

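For reference, the outbound NAT rule described in the answer above, written as the pf rule pfSense generates from it. This is an added example, not text from the original thread or from Netgate; the LAN interface name `em1` and the OpenVPN tunnel subnet `10.0.8.0/24` are assumptions (substitute the real interface and the tunnel network configured on Firewall B), while `50.0.0.0/24` and `50.0.0.151` come from the thread.

```pf
# Assumed: em1 is the LAN interface of Firewall B (pfSense, LAN address 50.0.0.151)
# Assumed: 10.0.8.0/24 is the OpenVPN tunnel network on Firewall B

lan_if  = "em1"
vpn_net = "10.0.8.0/24"
lan_net = "50.0.0.0/24"

# Outbound NAT on LAN: packets arriving from the VPN tunnel and leaving
# towards LAN hosts get their source rewritten to the LAN interface address
# (50.0.0.151). The LAN host therefore replies to 50.0.0.151 directly on
# its own subnet and never consults its default gateway (50.0.0.150),
# which is what made the replies disappear on the hosts still pointing at
# Firewall A.
nat on $lan_if from $vpn_net to $lan_net -> ($lan_if)
```

In the pfSense GUI this corresponds to Firewall > NAT > Outbound, mode Hybrid (or Manual), Interface LAN, Source the OpenVPN tunnel network, Destination LAN net (or any), Translation "Interface Address". Two things worth checking after enabling it: first, LAN hosts and their local firewalls and logs will now see every VPN client as 50.0.0.151, so per-client visibility and any host-based rules keyed on the VPN client address are lost; if that matters, the static-route option in the answer preserves the real source (on a Linux host: `ip route add 10.0.8.0/24 via 50.0.0.151`; on Windows: `route -p add 10.0.8.0 mask 255.255.255.0 50.0.0.151`, both assuming the same tunnel subnet). Second, the NAT rule only matters for hosts whose default gateway is not Firewall B; the one PC already using 50.0.0.151 works either way.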
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.