    Netgate Discussion Forum
    1:1 NAT with IPSec configuration question

    NAT
    virikas wrote:

      Hey there,

      I've got a "special" setup for a lab where I need to 1:1 NAT IPsec tunnel IPs to the LAN interface network.
      The special part here is that I have to use APIPA addresses on the LAN interface. "Block APIPA" is therefore disabled via config.

      Rest of the setup:

      LAN Network: 169.254.0.0/24 (pfSense LAN 169.254.0.254)
      Tunnel Network: 172.28.0.0/24
      Tunnel Remote Network: 192.168.0.0/16

      IPsec tunnel is up
      BINAT on the IPsec P2 is configured with "local subnet = 169.254.0.0/24" and NAT/BINAT translation "network 172.28.0.0/24"
      No further NAT rules are created; NAT outbound mode is set to "disable outbound NAT"

      Test results:
      (1) Ping pfSense LAN from LAN client and vice versa (169.254.0.1 <--> 169.254.0.254) works
      (2) Ping pfSense translated tunnel IP from remote network (192.168.x.y --> 172.28.0.254) works
      (3) Ping LAN client via translated IP from remote network (192.168.x.y --> 172.28.0.1) does not work
      (4) Ping remote network from LAN client (172.28.0.1 --> 192.168.x.y) does not work

      Related packet captures:
      (1) Obviously, ICMP echo request and reply can be found in a LAN interface capture ;)

      (2)
      capturing on the ipsec interface
      icmp echo request 192.168.x.y --> 172.28.0.254
      icmp echo reply 169.254.0.254 --> 192.168.x.y

      On the LAN interface, neither packet is captured

      (3)
      capturing on the ipsec interface:
      echo request 192.168.x.y --> 172.28.0.1 without reply    (Ping from remote network -> translated LAN client)

      Capturing on the LAN interface:
      not a single packet captured

      (4)
      capturing on the ipsec interface:
      echo request 169.254.0.1 --> 192.168.x.y  (Ping from LAN client -> remote network)

      capturing on the lan interface
      echo request 169.254.0.1 --> 192.168.x.y  (Ping from LAN client -> remote network)

      Both captures don't show a reply

      I'm a little lost now as to what I can test and configure further.
      Any ideas where I am missing the point?

      Kind regards and thanks for any ideas :)

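What the BINAT on the P2 should do to each packet in the captures above, as an added example written for this page (it is not code from the post or from pfSense). It models a 1:1 translation between two equal-size subnets with the address plan from the post, assumes 192.168.1.10 as a stand-in for the "192.168.x.y" remote host, and compares constructed copies of the ipsec-side captures (2) and (4) against the addresses a working BINAT would produce:

```python
"""
Model of the 1:1 (BINAT) subnet translation described in the post.

Added example by the editor; not code from the original post or from pfSense.
The address plan is the one given in the post. 192.168.1.10 is an assumed
stand-in for the "192.168.x.y" remote host, and OBSERVED_ON_IPSEC is
constructed from the captures the post lists.
"""
import ipaddress

LAN_NET = ipaddress.ip_network("169.254.0.0/24")     # P2 "local subnet" (pfSense LAN side)
NAT_NET = ipaddress.ip_network("172.28.0.0/24")      # P2 "NAT/BINAT translation" network
REMOTE_NET = ipaddress.ip_network("192.168.0.0/16")  # P2 remote network
REMOTE_HOST = "192.168.1.10"                         # assumed stand-in for 192.168.x.y


def binat(addr, src_net, dst_net):
    """Translate addr 1:1 from src_net into dst_net, keeping the host bits.

    A BINAT between two equal-size subnets maps 169.254.0.1 to 172.28.0.1,
    169.254.0.254 to 172.28.0.254, and so on, in both directions.
    """
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("BINAT needs two subnets of the same size")
    a = ipaddress.ip_address(addr)
    if a not in src_net:
        raise ValueError(f"{a} is not inside {src_net}")
    host_bits = int(a) - int(src_net.network_address)
    return str(dst_net.network_address + host_bits)


def _check_remote(addr):
    """Only traffic to/from the P2 remote network is tunnelled (and translated)."""
    if ipaddress.ip_address(addr) not in REMOTE_NET:
        raise ValueError(f"{addr} is not in the P2 remote network {REMOTE_NET}")


def lan_to_ipsec(src, dst):
    """Packet leaving the LAN into the tunnel: the LAN source is translated."""
    _check_remote(dst)
    return (binat(src, LAN_NET, NAT_NET), dst)


def ipsec_to_lan(src, dst):
    """Packet arriving from the tunnel: the translated destination is mapped back."""
    _check_remote(src)
    return (src, binat(dst, NAT_NET, LAN_NET))


def expected_captures(remote=REMOTE_HOST):
    """Addresses each test in the post should show if the BINAT applied."""
    return {
        # (2) reply from pfSense's own LAN address, as it should leave on ipsec
        "(2) reply on ipsec": lan_to_ipsec("169.254.0.254", remote),
        # (3) request from the remote host to the translated client, as it should arrive on LAN
        "(3) request on LAN": ipsec_to_lan(remote, "172.28.0.1"),
        # (4) request from the LAN client, as it should leave on ipsec
        "(4) request on ipsec": lan_to_ipsec("169.254.0.1", remote),
    }


# Constructed from the ipsec-interface captures in the post (outbound direction).
OBSERVED_ON_IPSEC = {
    "(2) reply on ipsec": ("169.254.0.254", REMOTE_HOST),
    "(4) request on ipsec": ("169.254.0.1", REMOTE_HOST),
}


def source_was_translated(pkt):
    """True if an outbound packet on the ipsec side carries a NAT-side source,
    False if the untranslated LAN address went into the tunnel."""
    src, _ = pkt
    return ipaddress.ip_address(src) in NAT_NET


def audit(observed=OBSERVED_ON_IPSEC):
    """Compare observed ipsec-side packets with the expected BINAT result.

    Returns {test name: (observed, expected, translated?)}.
    """
    exp = expected_captures()
    return {name: (pkt, exp[name], source_was_translated(pkt))
            for name, pkt in observed.items()}


if __name__ == "__main__":
    for name, (obs, exp, ok) in audit().items():
        state = "translated" if ok else "NOT translated"
        print(f"{name}: observed {obs[0]} -> {obs[1]}, "
              f"expected {exp[0]} -> {exp[1]} ({state})")
```

Run as a script, the audit reports both ipsec-side captures from the post with a 169.254.0.x source where a working BINAT would have produced 172.28.0.x, and the expected entries give the exact addresses to look for on each interface in tests (2), (3) and (4).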
      © 2021 Rubicon Communications, LLC