1:1 NAT with IPSec configuration question
Hey there,
I have a "special" setup for a lab where I need to 1:1 NAT IPsec tunnel IPs to the LAN interface network.
The special part is that I have to use APIPA addresses on the LAN interface. "Block APIPA" is therefore disabled via config.

Rest of the setup:
LAN Network: 169.254.0.0/24 (pfSense LAN 169.254.0.254)
Tunnel Network: 172.28.0.0/24
Tunnel Remote Network: 192.168.0.0/16
IPsec tunnel is up.
BINAT on the IPsec P2 is configured with "local subnet = 169.254.0.0/24" and NAT/BINAT translation "network 172.28.0.0/24".
No further NAT rules are created; NAT Outbound Mode is set to "disable outbound NAT".

Test results:
(1) Ping pfSense LAN from LAN client and vice versa (169.254.0.1 <--> 169.254.0.254): works
(2) Ping pfSense translated tunnel IP from remote network (192.168.x.y --> 172.28.0.254): works
(3) Ping LAN client via translated IP from remote network (192.168.x.y --> 172.28.0.1): does not work
(4) Ping remote network from LAN client (172.28.0.1 --> 192.168.x.y): does not work

Related packet captures:
(1) Obviously, ICMP echo request and reply can be found in a LAN interface capture ;)

(2) Capturing on the IPsec interface:
ICMP echo request 192.168.x.y --> 172.28.0.254
ICMP echo reply 169.254.0.254 --> 192.168.x.y
On the LAN interface both packets aren't captured.

(3) Capturing on the IPsec interface:
echo request 192.168.x.y --> 172.28.0.1 without reply (ping from remote network -> translated LAN client)
Capturing on the LAN interface:
not a single packet captured

(4) Capturing on the IPsec interface:
echo request 169.254.0.1 --> 192.168.x.y (ping from LAN client -> remote network)
Capturing on the LAN interface:
echo request 169.254.0.1 --> 192.168.x.y (ping from LAN client -> remote network)
Both captures don't show a reply.
I'm a little lost now about what I can test and configure further.
Any ideas where I am missing the point?

Kind regards and thanks for any ideas :)
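As an added example (not part of the post above), the 1:1 BINAT described there can be modelled with Python's ipaddress module and the captured packets checked against it: a packet on the IPsec side should never carry a 169.254.0.0/24 address, and a packet on the LAN side should never carry a 172.28.0.0/24 address, because BINAT rewrites the network bits and keeps the host bits. The remote host 192.168.1.10 and the capture list are constructed from the post's description, since it only gives 192.168.x.y.

```python
import ipaddress

# Networks from the post: real LAN, its BINAT image seen by the peer, and the remote side.
LAN_NET = ipaddress.ip_network("169.254.0.0/24")
BINAT_NET = ipaddress.ip_network("172.28.0.0/24")
REMOTE_NET = ipaddress.ip_network("192.168.0.0/16")


def netmap(addr, src_net, dst_net):
    """1:1 network translation: swap the network bits, keep the host bits."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net or src_net.prefixlen != dst_net.prefixlen:
        return addr  # outside the mapped range (or mismatched sizes): unchanged
    host_bits = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host_bits)


def expected_on_ipsec(src, dst):
    """How a packet should look on the IPsec side after outbound BINAT."""
    return (str(netmap(src, LAN_NET, BINAT_NET)), str(netmap(dst, LAN_NET, BINAT_NET)))


def expected_on_lan(src, dst):
    """How a packet should look on the LAN side after reverse (inbound) BINAT."""
    return (str(netmap(src, BINAT_NET, LAN_NET)), str(netmap(dst, BINAT_NET, LAN_NET)))


def check_captures(captures):
    """captures: list of (interface, src, dst) as seen in a packet capture.
    Returns (interface, src, dst, consistent) for each; consistent is False when
    the packet still carries an address the BINAT rule should have rewritten."""
    results = []
    for iface, src, dst in captures:
        exp = expected_on_ipsec(src, dst) if iface == "ipsec" else expected_on_lan(src, dst)
        results.append((iface, src, dst, exp == (src, dst)))
    return results


# Constructed from the post's captures (2) and (4); 192.168.1.10 stands in for 192.168.x.y.
SAMPLE_CAPTURES = [
    ("ipsec", "192.168.1.10", "172.28.0.254"),   # (2) request to translated pfSense LAN IP
    ("ipsec", "169.254.0.254", "192.168.1.10"),  # (2) reply leaves with the real LAN IP
    ("ipsec", "192.168.1.10", "172.28.0.1"),     # (3) request to translated LAN client
    ("ipsec", "169.254.0.1", "192.168.1.10"),    # (4) client request on IPsec side
    ("lan", "169.254.0.1", "192.168.1.10"),      # (4) client request on LAN side
]

if __name__ == "__main__":
    for iface, src, dst, ok in check_captures(SAMPLE_CAPTURES):
        print(f"{iface:5} {src:>14} --> {dst:<14} {'ok' if ok else 'UNTRANSLATED'}")
```

Every row flagged UNTRANSLATED is a packet that crossed the IPsec interface with a 169.254.0.0/24 address, which the BINAT rule should have mapped into 172.28.0.0/24.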