NAT config for connecting two LANs via VPN
I have 10.100.4.0/24 on the LAN interface on my local pfSense (site1). I configured a VPN client pfSense-site1 that connects to a pfSense-site2. The VPN connection works and I can see all the new routes that are pushed from site2 to site1 in Diagnostics -> Routes. One of them is:
10.10.0.0/16 is the LAN subnet on site2
192.168.102.0/24 is the VPN subnet.
From the pfSense on site1 (Diagnostics -> Ping) I can ping machines in 10.10.0.0/16. I added a static route on my workstation in 10.100.4.0/24 which looks like this:
ip route add 10.10.0.0/16 via 10.100.4.1 dev enp5s0f0
But I still cannot ping 10.10.0.1 from 10.100.4.0/24. I tried adding NAT rules in Firewall -> NAT -> Outbound but nothing I tried so far worked. I created an interface for the VPN connection and all the traffic is allowed.
Here are my questions:
What configuration I need in order all machines in LAN on site1 (10.100.4.0/24) to be able to connect to the LAN on site2 (10.10.0.0/16) via the VPN connection?
Once the first step is done, is there a way to push these routes automatically to all machines in LAN-site1 (10.100.4.0/24)?
From the pfSense on site1 (Diagnostics -> Ping) I can ping machines in 10.10.0.0/16.
Also try to ping with source = LAN address.
I added a static route on my workstation in 10.100.4.0/24 which looks like this:
So pfSense on site1 is not the default gateway?
But the site2 pfSense is the default gateway in 10.10.0.0/16?
pfSense on site 1 is the default gw for its LAN - 10.100.4.1.
pfSense on site 2 is also the default gw for its LAN - 10.10.0.0/16. Pretty standard config. One VPN between them.
It works! It turns out I had to restart the VPN connection after the NAT configuration. This invalidated all my tests from yesterday. Now I just removed all VPN related outbound NAT mappings, created the outbound NAT mapping I think I needed, restarted the VPN client and it works! I was on the right track the whole time, I just had to restart the VPN. A little embarrassing but I learned something new after all.
The outbound NAT mapping that I needed goes like this:
Interface: the VPN client interface
Source: the LAN subnet: 10.100.4.0/24
Source port: *
Destination port: *
If the endpoints are the default gateways there are no additional routs necessary on the clients.
Maybe it a firewall problem. Also consider the firewall on the destination machine.
Try the ping from pfSense with LAN address as source.
The outbound NAT rule you've added is just a workaround for those firewall issue.
With that NAT rule you're not able to determine where the access comes from on the destination device. However, maybe that's no issue for you.
You are right. I missed to mention one detail. My workstation is a little different than the rest of the computers in the network. My eth0 is in another network and my eth1 is in LAN on pfSense site1. Also my default gw is not the pfSense site 1. This is why I needed the additional routing but the rest of the machines don't. Thanks for catching this.