OpenVPN Redirect To Another IP Address



  • Hi,

    I have the following setup:

    LAN1-172.16.100.1/24====WAN=Internet=WAN====LAN2-172.16.1.1/24

    At the control room the LAN is on a 172.16.100.0/24 network (LAN1)
    At the remote site the LAN is on a 172.16.1.0/24 network (LAN2)

    I have setup OpenVPN so the sites can communicate with each other.

    On LAN2 I have a device with IP address 192.168.12.45 and gateway 192.168.12.253 that I need to connect to from LAN1. I can't change this IP address or gateway because it is linked to other equipment. Is it possible that I can create a virtual IP say of 172.16.1.45 that I can connect to from LAN1 that actually connects to 192.168.12.45 on LAN2?

    Regards,
    Mike.



  • On the LAN2-172.16.1.1/24 you have a device with the IP address 192.168.12.45 and gateway 192.168.12.253?  ???

    @MikeHodgson:

    I have setup OpenVPN so the sites can communicate with each other.

    What is the VPN endpoint on LAN2 site? Is it the default gateway or another device? Is the subnet of 192.168.12.45 also assigned to it?



  • @viragomann:

    On the LAN2-172.16.1.1/24 you have a device with the IP address 192.168.12.45 and gateway 192.168.12.253?  ???

    Yes, that's correct. The 192.168.12.0/24 network is existing and has some machinery attached to it so I can't change the IP addresses. I'm adding a new network 172.16.1.0/24 for data collection off these machines, initially a PC will connect to both networks and gather data from the machinery and pass to the 172.16.100.0/24 network.

    @viragomann:

    What is the VPN endpoint on LAN2 site? Is it the default gateway or another device? Is the subnet of 192.168.12.45 also assigned to it?

    The endpoint on LAN2 is 172.16.1.1 which is the pfSense box.

    In the future we remove the PC and put it in the 172.16.100.0/24 network but it still needs to communicate with 192.168.12.45.
    One other thing I have to consider is there are another 10 sites with the same 192.168.12.0/24 network, so I plan on adding 172.16.2.0/24 172.16.3.0/24 etc. for the other sites

    Cheers,
    Mike.



So just assign a virtual IP out of 192.168.12.0/24 to the pfSense LAN interface if you don't already have one (Firewall > Virtual IPs, Type "IP Alias", take care to set the mask correctly).
    Then add the 192.168.12.0/24 to the "IPv4 Local network(s)". Networks have to be comma separated, so the box should look like "172.16.1.1/24,192.168.12.0/24".

Since the computers in 192.168.12.0/24 use another default gateway than pfSense, you either have to add a static route for the OpenVPN tunnel network to each of them, pointing to pfSense, or you do NAT, which will be much easier, but with the disadvantage that you cannot determine different VPN users on the destination device.

For NAT, go to Firewall > NAT > Outbound. Presumably your outbound NAT is in automatic mode; switch to hybrid and save it. Then add a new NAT rule, select the LAN interface, at source enter the VPN tunnel network, go down to "Translation address" and select the pfSense virtual IP in the 192.168.12.0/24 network you've assigned above.

    Now you should be able to access the device.



  • Thanks for the information…

    @viragomann:

So just assign a virtual IP out of 192.168.12.0/24 to the pfSense LAN interface if you don't already have one (Firewall > Virtual IPs, Type "IP Alias", take care to set the mask correctly).

OK, so the equipment is on 192.168.12.45/24, so I'll be adding an IP alias on the LAN interface with an address of 192.168.12.100/24.

    @viragomann:

Then add the 192.168.12.0/24 to the "IPv4 Local network(s)". Networks have to be comma separated, so the box should look like "172.16.1.1/24,192.168.12.0/24".

    I'm guessing this is in the OpenVPN configuration, so VPN/OpenVPN/Clients, and I added push "route 192.168.12.0/24" to the advanced custom options because I didn't have the IPv4 Local Network(s) setting.

    @viragomann:

Since the computers in 192.168.12.0/24 use another default gateway than pfSense, you either have to add a static route for the OpenVPN tunnel network to each of them, pointing to pfSense, or you do NAT, which will be much easier, but with the disadvantage that you cannot determine different VPN users on the destination device.

For NAT, go to Firewall > NAT > Outbound. Presumably your outbound NAT is in automatic mode; switch to hybrid and save it. Then add a new NAT rule, select the LAN interface, at source enter the VPN tunnel network, go down to "Translation address" and select the pfSense virtual IP in the 192.168.12.0/24 network you've assigned above.

Changed the Mode to Hybrid, added a rule at the top with Interface LAN, Source set to Network 192.168.100.0/24 (which is the tunnel network), and in Translation set the address to 192.168.12.100.

    @viragomann:

    Now you should be able to access the device.

    At site 172.16.1.0/24 on the pfSense console I can ping 192.168.12.45 and 192.168.12.100, but from the control room site 172.16.100.0/24 if I try and ping 172.16.1.45 it doesn't respond. Can you see any things I have done wrong?

    Cheers,
    Mike.



  • @MikeHodgson:

    @viragomann:

    Then add the 192.168.12.0/24 to the "IPv4 Local network(s)". Networks has to be comma separated, so the box should look like "172.16.1.1/24,192.168.12.0/24".

    I'm guessing this is in the OpenVPN configuration, so VPN/OpenVPN/Clients, and I added push "route 192.168.12.0/24" to the advanced custom options because I didn't have the IPv4 Local Network(s) setting.

    So the VPN is a site-to-site, where the pfSense box in LAN2 is the client and the server is in LAN1?
    Is it a shared key or an SSL auth VPN?



  • @viragomann:

    So the VPN is a site-to-site, where the pfSense box in LAN2 is the client and the server is in LAN1?
    Is it a shared key or an SSL auth VPN?

    Yes, that's correct, it's site-to-site. LAN2 has the client pfSense and LAN1 has the server pfSense box.

Its mode is Peer to Peer (Shared Key)
    Protocol: TCP on IPv4 only
    Device mode: tun

    I hope that helps.

    Cheers,
    Mike.



  • You need the additional route for 192.168.12.0/24 on the server site, of course.
    So add the subnet to the server settings in the "IPv4 Remote network(s)" box.

    Don't set simple "push route" commands in the Advanced options field, that's deprecated.



  • @viragomann:

    You need the additional route for 192.168.12.0/24 on the server site, of course.
    So add the subnet to the server settings in the "IPv4 Remote network(s)" box.

    Thanks again.

    I added this to test. From LAN1 I can ping 192.168.12.100 which is the virtual IP address, but can't ping 192.168.12.45 the machine. If I change the default gateway on the machine to 192.168.12.100 then I can ping it and initiate connections from LAN1, so it must be using the gateway of 192.168.12.253 to try and get back when it doesn't work. But I can't change this gateway for normal usage.

    @MikeHodgson:

    On LAN2 I have a device with IP address 192.168.12.45 and gateway 192.168.12.253 that I need to connect to from LAN1. I can't change this IP address or gateway because it is linked to other equipment. Is it possible that I can create a virtual IP say of 172.16.1.45 that I can connect to from LAN1 that actually connects to 192.168.12.45 on LAN2?

This is the setup I really needed, something that will translate 192.168.12.45 on LAN2 into 172.16.1.45, but be accessible from LAN1. Remember I have 10 sites to connect to with the same 192.168.12.0/24 at each site.

    Cheers,
    Mike.



  • So obviously your Outbound NAT rule doesn't work.

    Post the Outbound NAT tab, please.



  • @viragomann:

    So obviously your Outbound NAT rule doesn't work.

    Post the Outbound NAT tab, please.

    It does look that way.

    Settings are:

    Interface: LAN
    Source: 172.16.1.0/24
    Source Port: *
    Destination: 192.168.12.0/24
    Destination Port: *
    NAT Address: 192.168.12.100
    NAT Port: *

So, on the LAN2 pfSense box I can ping 192.168.12.45 and 192.168.12.100.
    On the LAN1 pfSense box I can ping 192.168.12.100 only. Ideally I need to ping 172.16.1.45 to get to 192.168.12.45 on LAN2.

    Cheers,
    Mike.



  • The source has to be 172.16.100.0/24 - LAN1 network.
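The correction above is easy to see in a small model. This is an added example (not from the thread and not pfSense code) that replays the outbound NAT rule posted earlier, with source 172.16.1.0/24, against the corrected one with source 172.16.100.0/24, using the thread's addresses; the LAN1 host 172.16.100.10 is an assumed value.

```python
import ipaddress
from dataclasses import dataclass

# Topology taken from the thread (constructed model of the thread's setup, not pfSense code).
LAN1 = ipaddress.ip_network("172.16.100.0/24")        # control room LAN
LAN2 = ipaddress.ip_network("172.16.1.0/24")          # remote site LAN
MACHINE_NET = ipaddress.ip_network("192.168.12.0/24") # machinery network at the remote site
PFSENSE_ALIAS = ipaddress.ip_address("192.168.12.100")  # IP alias on the LAN2 pfSense
PFSENSE_LAN2_ADDRS = {ipaddress.ip_address("172.16.1.1"), PFSENSE_ALIAS}
MACHINE_GW = ipaddress.ip_address("192.168.12.253")   # the machine's fixed default gateway


@dataclass
class OutboundNatRule:
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    nat_address: ipaddress.IPv4Address


def apply_outbound_nat(rule: OutboundNatRule, src: str, dst: str) -> str:
    """Source address the machine sees after the LAN2 pfSense evaluates the rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in rule.source and d in rule.destination:
        return str(rule.nat_address)
    return src  # no match: the packet leaves LAN untranslated


def reply_next_hop(seen_src: str) -> str:
    """The machine answers on-link if the peer is in its own subnet, else via its default gateway."""
    s = ipaddress.ip_address(seen_src)
    return seen_src if s in MACHINE_NET else str(MACHINE_GW)


def reply_reaches_pfsense(rule: OutboundNatRule, src: str, dst: str) -> bool:
    """True when the machine's reply lands on the LAN2 pfSense, which is what makes the ping succeed."""
    seen = apply_outbound_nat(rule, src, dst)
    return ipaddress.ip_address(reply_next_hop(seen)) in PFSENSE_LAN2_ADDRS


# The rule as posted (source 172.16.1.0/24) and as corrected (source 172.16.100.0/24).
wrong_rule = OutboundNatRule(LAN2, MACHINE_NET, PFSENSE_ALIAS)
fixed_rule = OutboundNatRule(LAN1, MACHINE_NET, PFSENSE_ALIAS)

if __name__ == "__main__":
    src, dst = "172.16.100.10", "192.168.12.45"  # assumed LAN1 host pinging the machine
    for name, rule in (("posted", wrong_rule), ("corrected", fixed_rule)):
        seen = apply_outbound_nat(rule, src, dst)
        print(f"{name}: machine sees {seen}, replies via {reply_next_hop(seen)}, "
              f"reply reaches pfSense: {reply_reaches_pfsense(rule, src, dst)}")
```

With the posted rule the machine sees the untranslated 172.16.100.10 and sends its reply to 192.168.12.253, which knows nothing about the tunnel; with the corrected rule it sees 192.168.12.100 and answers pfSense directly.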



  • @viragomann:

    The source has to be 172.16.100.0/24 - LAN1 network.

    Ah yes, thank you for that. I can now ping 192.168.12.45 from LAN1 and it responds correctly.

Now... How can I configure it so I can ping 172.168.1.45 from LAN1 or LAN2 and it routes to 192.168.12.45 in LAN2? I need this because I have more sites with 192.168.12.0/12 networks.

    Cheers,
    Mike.

