Netgate Discussion Forum

    Current status of NAT before IPSEC

      Badmin

      Hi folks,

      What is the current status of NAT before IPsec on a single pfSense box?
      I encounter problems when it comes to that topic.

      Let me give you an example:
      We have several IPsec connections to customers where we only have a single Phase 2 local network (192.168.30.0/24) called VLAN100.
      (It is not an option for us to add additional Phase 2 entries.)
      When other local VLANs like VLAN200 (10.10.10.0/24) want to access the customer systems, they can't, because the single Phase 2 defined is VLAN100.

      My solution was to use "Outbound NAT":
      Source: VLAN200
      NAT to single IP in VLAN100 (192.168.30.2)

      That works fine as long as the IPsec tunnel IS NOT on the same pfSense box as the outbound NAT rule (see Method 1).

      But NAT does not work for me if the outbound NAT and the IPsec tunnel are on a single pfSense box (see Method 2).
      NAT just does not happen.

      Method 1:
      Client VLAN on pfSense1, IPsec on a different box (pfSense2):

        Hop                                          Address / network                     Box
        Client PC (VLAN200)                          10.10.10.123/24                       -
        NAT to VLAN100 IP (Outbound NAT rule)        192.168.30.2/24                       pfSense1
        Static route to target subnet                172.16.3.0/24 via GW 192.168.30.9/24  pfSense1
        Dedicated IPsec box                          192.168.30.9/24                       pfSense2
        IPsec tunnel Phase 2 (local network)         192.168.30.0/24                       pfSense2
        Target network                               172.16.3.0/24                         -


      Method 2:
      Client VLAN + IPsec on a single pfSense box (pfSense1):

        Hop                                          Address / network                     Box
        Client PC (VLAN200)                          10.10.10.123/24                       -
        NAT to VLAN100 IP (Outbound NAT rule)        192.168.30.2/24                       pfSense1
        IPsec tunnel Phase 2 (local network)         192.168.30.0/24                       pfSense1
        Target network                               172.16.3.0/24                         -


      Is that still a common problem on the current pfSense version?
      All I can find on this topic are ~4-year-old tickets.

      Can someone confirm that this is still a problem or is this just a configuration issue on my side?

      Best,
      Sebastian
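
A constructed Python model of the two topologies in the post, added here as an illustration (it is not pfSense code and makes no claim about how pfSense itself orders the two steps): it applies the post's outbound NAT rule and the Phase 2 selector to one packet from VLAN200, and shows that the packet can only match the 192.168.30.0/24 selector if the selector is evaluated against the already-translated source, which is guaranteed in Method 1 and is exactly the open question in Method 2. The function and variable names are my own.

```python
import ipaddress

# Constructed model of the post's two topologies; not pfSense code.
P2_LOCAL = ipaddress.ip_network("192.168.30.0/24")  # VLAN100: the only Phase 2 local network
P2_REMOTE = ipaddress.ip_network("172.16.3.0/24")   # customer target network
CLIENT_NET = ipaddress.ip_network("10.10.10.0/24")  # VLAN200, not covered by any Phase 2
NAT_ADDR = ipaddress.ip_address("192.168.30.2")     # single VLAN100 IP the outbound NAT rule maps to


def outbound_nat(src, dst):
    """The post's outbound NAT rule: VLAN200 sources bound for the target net become NAT_ADDR."""
    return NAT_ADDR if src in CLIENT_NET and dst in P2_REMOTE else src


def spd_match(src, dst):
    """Phase 2 selector check: only src in the local net AND dst in the remote net may enter the tunnel."""
    return src in P2_LOCAL and dst in P2_REMOTE


def forward(src, dst, nat_before_spd):
    """Trace one packet. nat_before_spd says whether the selector sees the translated source.
    Method 1 is always True (pfSense2 only ever sees what pfSense1 already translated).
    Method 2 depends on the order in which the single box applies the two steps."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    seen_by_spd = outbound_nat(src, dst) if nat_before_spd else src
    return {"spd_source": str(seen_by_spd), "tunneled": spd_match(seen_by_spd, dst)}


def config_check():
    """Sanity checks to run on this design before blaming packet ordering."""
    problems = []
    if NAT_ADDR not in P2_LOCAL:
        problems.append("NAT address is outside the Phase 2 local network")
    if CLIENT_NET.overlaps(P2_LOCAL):
        problems.append("client VLAN overlaps the Phase 2 local network")
    if P2_LOCAL.overlaps(P2_REMOTE):
        problems.append("Phase 2 local and remote networks overlap")
    return problems


if __name__ == "__main__":
    for order in (True, False):
        label = "NAT before selector" if order else "selector before NAT"
        print(label, forward("10.10.10.123", "172.16.3.10", order))
    print("config problems:", config_check() or "none")
```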

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.