Current status of NAT before IPSEC
-
Hi folks,
how is the current status of NAT before IPSec on a single pfSense box?
I encounter problems when it comes to that topic.Let me give you an example:
We have several IPSEC connections to customers where we only have a single Phase2 local network (192.168.30.0/24) called VLAN100.
(It is not an option to add additional Phase2 for us).
As other local VLANs like VLAN200(10.10.10.0/24) want to access the customer systems they can´t because of the single Phase2 defined is VLAN100.My solution was to use "Outbound NAT":
Source: VLAN200
NAT to Single IP in VLAN100 (192.168.30.2)That works fine as long as the IPSEC Tunnel IS NOT on the Same pfSense box as the Outbound NAT rule (See Method1).
But NAT does not work for me if the Outbount NAT and IPSEC Tunnel are on a single pfSense box (See Method2).
NAT just does not happen.Method 1:
Client VLAN on pfSense, IPSEC on a different box:Client PC (VLAN200) NAT to VLAN100 IP STATIC ROUTE to TARGET Subnet Dedicated IPSEC Box IPSEC TUNNEL PHASE2 (LOCAL NETWORK) TARGET NETWORK 10.10.10.123/24 - 192.168.30.2/24 - 172.16.3.0/24 - 192.168.30.9/24 - 192.168.30.0/24 - 172.16.3.0/24 GW 192.168.30.9/24 ^^ pfSense1 ^^ ^^ pfSense1 ^^ ^^ pfSense2 ^^ ^^ pfSense2 ^^ ^^ Outbound NAT Rule ^^Method2:
Client VLAN+IPSEC on a single pfSense box:Client PC (VLAN200) NAT to VLAN100 IP IPSEC TUNNEL PHASE2 (LOCAL NETWORK) TARGET NETWORK 10.10.10.123/24 - 192.168.30.2/24 - 192.168.30.0/24 - 172.16.3.0/24 ^^ pfSense1 ^^ ^^ pfSense1 ^^ ^^ Outbound NAT Rule ^^Is that still a common problem on the current pfSense version?
All I can find on this topic is ~4Year old tickets.Can someone confirm that this is still a problem or is this just a configuration issue on my side?
Best,
Sebastian