Netgate Discussion Forum

    VPN Site 2 Site IP Mask

    Category: NAT
    3 Posts 3 Posters 524 Views
    • arodsp

      Guys good afternoon.
      I thought a lot to put the text so that it does not get confused, my situation is as follows.
      I have an IPSEC VPN between 2 points with PFSense, everything is working perfectly, the IP ranges of the colon are:
      Matrix - LAN 192.168.2.0/24
      Branch - LAN 192.168.217.0/24

      In the network 192.168.217.0 I have an application that only accepts IPS connections of the range where it is, that is, when someone on the other side of the VPN tries to access the application, its server identifies that the IP is not the same range that it blocks.
      Is it possible to mask the IP that comes from the other side of the VPN to an IP of the local range?

      • Derelict LAYER 8 Netgate

        Yes. Use an outbound NAT (Firewall > NAT, Outbound) entry on the side with the IPS server on the LAN.

        You probably want to tighten the rules so it only affects connections to that server from the other side of the VPN.

        You will be setting the NAT address to the interface address there. Connections coming over the VPN would appear to the IPS server as coming from the local interface address.

        You could also take an unused address on that network, make a Virtual IP address, and NAT to that.

        You will need to be in Hybrid or Manual outbound NAT mode to do this. I recommend hybrid unless you know you need manual.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • johnpoz LAYER 8 Global Moderator

          Why not just set the application to allow the IP from your remote site?

          As to changing a connection from 192.168.2 to look like it's on the 192.168.217, this would be a source NAT.

          On the outbound NAT just pick your interface this 217 network is connected to and config your requirements.

          So I am currently vpn'd in to my home network using openvpn my client is 10.0.8.100.. (tunnel network)

          So I create an outbound NAT on the LAN interface (192.168.9.0/24) that says source 10.0.8.0/24 with dest of 192.168.9.100, NAT that to the address of the pfSense LAN interface 192.168.9.253..

          So before I create that NAT I RDP to the box at 192.168.9.100, and you see from netstat on that box the connection is from 10.0.8.100… I then create the outbound NAT and when I RDP again to this 192.168.9.100 box it sees the connection as coming from 192.168.9.253

          edit: Derelict beat me to it - but I added pretty pictures ;)

          [image: sourcenat.png]

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

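The outbound NAT entries Derelict and johnpoz describe become `nat on` rules in the pf ruleset pfSense generates. The fragment below is an added example, not taken from the thread or from pfSense's own generated configuration; the interface name `em1`, the tunnel network, the server and gateway addresses are assumptions modelled on johnpoz's lab numbers, and the Virtual IP 192.168.9.250 is an assumed spare address.

```pf
# Added example: pf rules equivalent to the outbound NAT entries discussed above.
# All names and addresses below are assumptions, not values from the thread's configs.
lan = "em1"                  # assumed pfSense LAN interface facing 192.168.9.0/24
vpn_clients = "10.0.8.0/24"  # OpenVPN tunnel network (the remote side of the VPN)
app_server = "192.168.9.100" # host that only accepts connections from its own subnet
lan_addr = "192.168.9.253"   # pfSense LAN interface address

# Narrow rule (what the thread recommends): only flows from the VPN to that one
# server are rewritten; every other flow crossing LAN keeps its real source address.
nat on $lan inet from $vpn_clients to $app_server -> $lan_addr port 1024:65535

# Derelict's alternative: translate to a spare LAN address configured as a Virtual IP
# (assumption: 192.168.9.250 is unused and added as an IP Alias VIP on LAN), so the
# server sees a dedicated address rather than the gateway itself.
# nat on $lan inet from $vpn_clients to $app_server -> 192.168.9.250 port 1024:65535

# Over-broad rule to avoid: every VPN flow to any LAN host loses its source address,
# which hides the real client from the LAN hosts' logs and defeats per-source rules.
# nat on $lan inet from $vpn_clients to any -> $lan_addr
```

After the rule is active, the app server's `netstat` shows the connection from 192.168.9.253 (or the VIP) instead of the tunnel address, and its replies go to that address, where pf's state table maps them back to the VPN client. Because the server no longer sees the original client address, keep the match narrow (one destination, the VPN source network only) and rely on pfSense's own state and firewall logs when you need to attribute a connection to a specific remote user.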
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.