Netgate Discussion Forum
    1:1 NAT with IPSec configuration question

    Posted by virikas

      Hey there,

      I have a "special" setup for a lab where I need to 1:1 NAT IPsec tunnel IPs to the LAN interface network.
      The special part is that I have to use APIPA addresses on the LAN interface. "Block APIPA" is therefore disabled in the config.

      Rest of the setup:

      LAN Network: 169.254.0.0/24  (pfsense LAN 169.254.0.254)
      Tunnel Network: 172.28.0.0/24
      Tunnel Remote Network: 192.168.0.0/16

      The IPsec tunnel is up.
      BINAT on the IPsec P2 is configured with "local subnet = 169.254.0.0/24" and NAT/BINAT translation "network 172.28.0.0/24".
      No further NAT rules are created; NAT outbound mode is set to "disable outbound NAT".

      Test results:
      (1) Ping pfSense LAN from LAN client and vice versa (169.254.0.1 <--> 169.254.0.254) works
      (2) Ping pfSense translated tunnel IP from remote network (192.168.x.y --> 172.28.0.254) works
      (3) Ping LAN client via translated IP from remote network (192.168.x.y --> 172.28.0.1) does not work
      (4) Ping remote network from LAN client (172.28.0.1 --> 192.168.x.y) does not work

      Related packet captures:
      (1) Obviously ICMP echo request and reply can be found in a LAN interface capture ;)

      (2)
      Capturing on the IPsec interface:
      ICMP echo request 192.168.x.y --> 172.28.0.254
      ICMP echo reply 169.254.0.254 --> 192.168.x.y

      On the LAN interface neither packet is captured.

      (3)
      Capturing on the IPsec interface:
      echo request 192.168.x.y --> 172.28.0.1, no reply (ping from remote network -> translated LAN client)

      Capturing on the LAN interface:
      not a single packet captured

      (4)
      Capturing on the IPsec interface:
      echo request 169.254.0.1 --> 192.168.x.y (ping from LAN client -> remote network)

      Capturing on the LAN interface:
      echo request 169.254.0.1 --> 192.168.x.y (ping from LAN client -> remote network)

      Neither capture shows a reply.

      I'm a little lost now as to what I can test and configure further.
      Any ideas where I am missing the point?

      Kind regards and thanks for any ideas :)

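To make the address rewriting in this setup concrete, here is an added Python model of the BINAT rule from the post (this is example code written for this page, not code from the poster or from pfSense). It applies the 1:1 translation 169.254.0.0/24 <-> 172.28.0.0/24 in both directions, walks each of the four test pings through it, and checks that the addresses that end up inside the tunnel fall within the phase 2 selector. The host 192.168.1.10 is a constructed stand-in for the post's unspecified 192.168.x.y, and the function and field names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# Networks from the post. 192.168.1.10 (used below) is a constructed stand-in
# for the "192.168.x.y" the post leaves unspecified.
LAN_NET = ipaddress.ip_network("169.254.0.0/24")     # real LAN (APIPA range)
BINAT_NET = ipaddress.ip_network("172.28.0.0/24")    # how the LAN appears inside the tunnel
REMOTE_NET = ipaddress.ip_network("192.168.0.0/16")  # remote P2 network


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address

    def swapped(self):
        """The flow an echo reply to this packet carries."""
        return Flow(self.dst, self.src)

    def __str__(self):
        return f"{self.src} --> {self.dst}"


def flow(src, dst):
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst))


def binat_map(addr, from_net, to_net):
    """1:1 (BINAT) mapping: keep the host part, replace the network part.
    Returns None when addr is outside from_net, i.e. the rule does not apply."""
    addr = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("BINAT needs two networks of the same size")
    if addr not in from_net:
        return None
    host = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host)


def outbound_translate(f):
    """LAN -> tunnel: source 169.254.0.x becomes 172.28.0.x before encryption."""
    mapped = binat_map(f.src, LAN_NET, BINAT_NET)
    return Flow(mapped, f.dst) if mapped is not None else f


def inbound_translate(f):
    """tunnel -> LAN: destination 172.28.0.x becomes 169.254.0.x after decryption."""
    mapped = binat_map(f.dst, BINAT_NET, LAN_NET)
    return Flow(f.src, mapped) if mapped is not None else f


def matches_p2_selector(f):
    """With BINAT the on-wire P2 selector is 172.28.0.0/24 <-> 192.168.0.0/16.
    A packet still carrying a 169.254.0.x address inside the tunnel does not match."""
    return ((f.src in BINAT_NET and f.dst in REMOTE_NET)
            or (f.src in REMOTE_NET and f.dst in BINAT_NET))


def simulate_ping(src, dst):
    """Model one ICMP echo round trip and report what each side should see.
    src/dst are the addresses the sender puts in the packet."""
    req = flow(src, dst)
    link_local = req.src.is_link_local or req.dst.is_link_local  # 169.254/16, RFC 3927
    if req.src in LAN_NET and req.dst in LAN_NET:
        # Test (1) in the post: pure LAN traffic, never touches the tunnel or BINAT.
        return {"lan_request": req, "wire_request": None, "wire_reply": None,
                "lan_reply": req.swapped(), "selector_ok": None,
                "reverse_symmetric": True, "lan_side_is_link_local": link_local}
    if req.src in LAN_NET:                       # ping from a LAN client
        lan_req, wire_req = req, outbound_translate(req)
    else:                                        # ping from the remote network
        lan_req, wire_req = inbound_translate(req), req
    wire_reply = wire_req.swapped()              # what must come back inside the tunnel
    lan_reply = lan_req.swapped()                # what the LAN-side host sends/receives
    # BINAT is bidirectional: translating the reply in the opposite direction must
    # land exactly on the swapped flow, otherwise one direction's replies are lost.
    if lan_reply.src in LAN_NET:
        symmetric = outbound_translate(lan_reply) == wire_reply
    else:
        symmetric = inbound_translate(wire_reply) == lan_reply
    return {
        "lan_request": lan_req,
        "wire_request": wire_req,
        "wire_reply": wire_reply,
        "lan_reply": lan_reply,
        "selector_ok": matches_p2_selector(wire_req) and matches_p2_selector(wire_reply),
        "reverse_symmetric": symmetric,
        "lan_side_is_link_local": link_local,
    }


if __name__ == "__main__":
    # The four tests from the post, with 192.168.1.10 standing in for 192.168.x.y.
    cases = [("169.254.0.1", "169.254.0.254"),   # (1) LAN client -> pfSense LAN
             ("192.168.1.10", "172.28.0.254"),   # (2) remote -> translated pfSense
             ("192.168.1.10", "172.28.0.1"),     # (3) remote -> translated LAN client
             ("169.254.0.1", "192.168.1.10")]    # (4) LAN client -> remote
    for s, d in cases:
        r = simulate_ping(s, d)
        print(f"{s} -> {d}: wire {r['wire_request']} / reply {r['wire_reply']} "
              f"selector_ok={r['selector_ok']} symmetric={r['reverse_symmetric']}")
```

The model shows two things worth checking against the real box. First, every packet inside the tunnel has to carry a 172.28.0.x address for the remote side's selector to accept it, so a capture taken after translation should never show 169.254.0.x on the IPsec side; on pfSense the loaded BINAT rules and the state table can be inspected with `pfctl -sn` and `pfctl -ss`. Second, `lan_side_is_link_local` is true for every flow that touches the LAN: 169.254.0.0/16 is link-local, so not only pfSense's "Block APIPA" rule but every host and filter that sees the untranslated address has to be willing to accept and route it.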