How to enable internal NAT

  • Hi all,

    I have a LAN at my office with 2 different gateways (one old IPCop firewall & one pfSense firewall). - busy changing all my firewalls to pfSense :)

    I have about 10 PCs on the LAN all on the same subnet (

    The IPCop (Firewall A) LAN is "" and the pfSense (Firewall B) LAN is "".

    9 of the PCs point to default gateway and 1 (for testing purposes for now) is pointing to default gateway

    From a remote location (home), when I connect my OpenVPN to Firewall A, I can only ping the PCs using that firewall (Firewall A) as a default gateway.
    When I then connect my OpenVPN to Firewall B, I can only ping the 1 PC that is using Firewall B as it's gateway.

    I would like to be able to connect via VPN to Firewall B and ping all the devices on the LAN regardless of what those devices default gateways are.

    I was told that I need enable internal NAT. and that's where I am stuck.

    Logic tells me that the ping request gets all the way to the device on the LAN, but then the return path of that request is trying to go through the default gateway specified on that device. So I just need to setup a firewall rule, a static route or a NAT rule etc.. If so please assist.

    Hope I have provided enough info above.

    Thank you.

  • If you want to solve this with static routes you have to add a route to each LAN host directing the vpn tunnel subnet to pfSense.

    If you want to do it with NAT, you've to add an outbound NAT rule to LAN for the tunnel subnet.
    Set the outbound NAT rule configuration to manual or hybrid mode. Then add a new rule:
    Interface: LAN
    Source: VPN tunnel network
    Traslation: interface address

    This NAT rule translates source addresses of packets from the vpn subnet to the LAN address, so responses are addressed back to pfSense.

Log in to reply