1:1 NAT with IPSec configuration question

    Hey there,

    I've got a "special" lab setup where I need to 1:1 NAT IPsec tunnel IPs to the LAN interface network.
    The special part is that I have to use APIPA addresses on the LAN interface. "Block APIPA" is therefore disabled via config.

    Rest of the setup:

    LAN Network: 169.254.0.0/24  (pfSense LAN 169.254.0.254)
    Tunnel Network: 172.28.0.0/24
    Tunnel Remote Network: 192.168.0.0/16

    IPSec Tunnel is up
    BINAT on the IPsec P2 is configured with "local subnet = 169.254.0.0/24" and NAT/BINAT translation "network 172.28.0.0/24".
    No further NAT rules are created; NAT Outbound Mode is set to "disable outbound NAT".

    Test results:
    (1) Ping pfSense LAN from LAN client and vice versa (169.254.0.1 <–> 169.254.0.254) works
    (2) Ping pfSense translated tunnel IP from remote network (192.168.x.y --> 172.28.0.254) works
    (3) Ping LAN client via translated IP from remote network (192.168.x.y --> 172.28.0.1) does not work
    (4) Ping remote network from LAN client (172.28.0.1 --> 192.168.x.y) does not work

    Related packet captures:
    (1) Obviously, ICMP echo request and reply can be found in a LAN interface capture ;)

    (2)
    Capturing on the IPsec interface:
    ICMP echo request 192.168.x.y --> 172.28.0.254
    ICMP echo reply 169.254.0.254 --> 192.168.x.y

    On the LAN interface, neither packet is captured.

    (3)
    Capturing on the IPsec interface:
    Echo request 192.168.x.y --> 172.28.0.1 without reply    (Ping from remote network -> translated LAN client)

    Capturing on the LAN interface:
    Not a single packet captured.

    (4)
    Capturing on the IPsec interface:
    Echo request 169.254.0.1 --> 192.168.x.y  (Ping from LAN client -> remote network)

    Capturing on the LAN interface:
    Echo request 169.254.0.1 --> 192.168.x.y  (Ping from LAN client -> remote network)

    Neither capture shows a reply.

    I'm a little lost now as to what I can test and configure further.
    Any ideas where I'm missing the point?

    Kind regards and thanks for any ideas :)

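As an added check that is not part of the post above and is not pfSense or pf code: the script below models what a 1:1 (binat) translation of the P2's local subnet 169.254.0.0/24 to 172.28.0.0/24 should produce on each interface, then compares that with the addresses listed in the post's packet captures. It assumes 192.168.1.10 as a stand-in for the post's "192.168.x.y"; the `Capture` records and `audit` function are illustrative names. It only localizes which captured packets do not carry the addresses a working BINAT would give them; it says nothing about why.

```python
"""Compare pf-style 1:1 (binat) expectations with the captures from the post.

Added example. The networks come from the post; REMOTE_HOST is an assumed
stand-in for its "192.168.x.y". This models binat semantics in Python, it is
not pf's implementation.
"""
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("169.254.0.0/24")     # real LAN (APIPA range)
BINAT_NET = ipaddress.ip_network("172.28.0.0/24")    # NAT/BINAT translation network
REMOTE_NET = ipaddress.ip_network("192.168.0.0/16")  # remote side of the P2
REMOTE_HOST = "192.168.1.10"                         # assumed stand-in for 192.168.x.y


def binat_map(addr, from_net, to_net):
    """1:1 map addr from from_net into to_net, keeping the host bits (binat semantics)."""
    ip = ipaddress.ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("binat needs two networks of equal size")
    if ip not in from_net:
        raise ValueError(f"{ip} is not in {from_net}")
    host_bits = int(ip) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


@dataclass
class Capture:
    test: str   # which of the post's test cases the packet belongs to
    iface: str  # "ipsec" or "lan"
    src: str
    dst: str


# Packets exactly as listed in the post, with REMOTE_HOST filled in (constructed).
OBSERVED = [
    Capture("2 request", "ipsec", REMOTE_HOST, "172.28.0.254"),
    Capture("2 reply", "ipsec", "169.254.0.254", REMOTE_HOST),
    Capture("3 request", "ipsec", REMOTE_HOST, "172.28.0.1"),
    Capture("4 request", "ipsec", "169.254.0.1", REMOTE_HOST),
    Capture("4 request", "lan", "169.254.0.1", REMOTE_HOST),
]


def audit(captures):
    """Return (test, iface, observed, expected) for packets whose addresses a working
    binat would not have produced on that interface.

    On the IPsec interface the LAN side must always appear as 172.28.0.0/24; on the
    LAN interface it must always appear as 169.254.0.0/24.
    """
    findings = []
    for c in captures:
        s, d = ipaddress.ip_address(c.src), ipaddress.ip_address(c.dst)
        if c.iface == "ipsec":
            ok = (s in BINAT_NET and d in REMOTE_NET) or (s in REMOTE_NET and d in BINAT_NET)
            # Outbound packet still carrying the real LAN source: show the rewrite it needed.
            fix = (str(binat_map(s, LAN_NET, BINAT_NET)), str(d)) if s in LAN_NET else None
        else:
            ok = (s in LAN_NET and d in REMOTE_NET) or (s in REMOTE_NET and d in LAN_NET)
            # Inbound packet delivered with the translated destination: show the rewrite.
            fix = (str(s), str(binat_map(d, BINAT_NET, LAN_NET))) if d in BINAT_NET else None
        if not ok:
            findings.append((c.test, c.iface, (c.src, c.dst), fix))
    return findings


if __name__ == "__main__":
    for test, iface, observed, expected in audit(OBSERVED):
        print(f"test {test} on {iface}: saw {observed[0]} -> {observed[1]}, "
              f"binat should have given {expected[0]} -> {expected[1]}")
```

Run against the post's own captures, the audit flags exactly the two packets that leave via the IPsec interface with a 169.254.0.x source: the reply in test (2) and the request in test (4). Both are the LAN-to-tunnel direction, so that is the direction of the BINAT rule to inspect with `pfctl -sn` and `pfctl -ss` on the firewall.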