VPN Site 2 Site IP Mask



  • Guys good afternoon.
    I thought a lot to put the text so that it does not get confused, my situation is as follows.
    I have an IPSEC VPN between 2 points with PFSense, everything is working perfectly, the IP ranges of the colon are:
    Matrix - LAN 192.168.2.0/24
    Branch - LAN 192.168.217.0/24

    In the network 192.168.217.0 I have an application that only accepts IPS connections of the range where it is, that is, when someone on the other side of the VPN tries to access the application, its server identifies that the IP is not the same range that it blocks.
    Is it possible to mask the IP that comes from the other side of the VPN to an IP of the local range?VPN


  • LAYER 8 Netgate

    Yes. Use an outbound NAT (Firewall > NAT, Outbound) entry on the side with the IPS server on the LAN.

    You probably want to tighten the rules so it only affects connections to that server from the other side of the VPN.

    You will be setting the NAT address to the interface address there. Connections coming over the VPN would appear to the IPS server as coming from the local interface address.

    You could also take an unused address on that network, make a Virtual IP address, and NAT to that.

    You will need to be in Hybrid or Manual outbound NAT mode to do this. I recommend hybrid unless you know you need manual.


  • LAYER 8 Global Moderator

    Why not just set the application to allow the IP from your remote site.

    As to changing the a connection from 192.168.2 to look like its on the 192.168.217 this would be a source nat.

    On the outbound nat just pick your interface this 217 network is connected to and config your requirements.

    So I am currently vpn'd in to my home network using openvpn my client is 10.0.8.100.. (tunnel network)

    So I create a outbound nat on the lan interface (192.168.9.0/24) that says source 10.0.8.0/24 with dest of 192.168.9.100 nat that to the address of pfsense lan interface 192.168.9.253..

    So before I create that nat I rdp to box at 192.168.9.100, and you see from netstat on that box connection is from 10.0.8.100… I then create the outbound nat and when I rdp again to this 192.168.9.100 box it sees the connection as coming from 192.168.9.253

    edit: Derelict beat me too it - but I added pretty pictures ;)



Log in to reply