Netgate Discussion Forum
    NAT / IPSec - Several sites interconnection puzzle

    Bruno Rodrigo (last edited by Bruno Rodrigo):

      Hello,
      I have the following scenario and I'm completely stuck on how to solve this puzzle. I'll try to simplify the case and stay macro, as the below topology cannot be changed because of business restrictions.
      We have two LANs in two different sites. SITE 1 and SITE 2 are connected through two firewalls, FW1 and FW2, using an IPSEC tunnel. All routing works just fine; both sites can communicate seamlessly.

      SITE 1: 10.100.1.0/24
      Default Gateway: FW1 - 10.100.1.1 (full internet connectivity)
      This is an old IPCOP and can’t be upgraded/changed/substituted at the moment.

      SITE 2: 10.99.1.0/24
      Default Gateway: FW2 - 10.99.1.1 (full internet connectivity)
      PFSense 2.4.4

      So this is my present scenario and it works well.

      [image: VPN Scenario-Page-2.png]

      Now we need to provide a client with access to a resource on SITE 2 through an IPSEC tunnel, and this tunnel needs to stay on SITE 1 for business reasons. For several reasons the client can't establish the VPN connection with the IPCOP, so I added another firewall to the scenario (FW3).
      So now we have this scenario.

      [image: VPN Scenario-Page-3.png]

      As this is the first time I deal with a case like this, I'm very confused with the options and how to achieve this with PFSense.

      I'm trying to have the packets arriving at SITE 1 through the tunnel established between the client and FW3 get some kind of source NAT so they can "belong" to the network 10.100.1.0/24 and be routed seamlessly to SITE 2. Is this possible? What is the best practice (if there is one) for this case? How should FW3 be configured for this scenario?
      FW1 is almost immutable, so the chances to have something changed there are very small.
      I really appreciate your help.
      Regards,
      Bruno

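      What the source NAT asked for above looks like in pf syntax (the rule language pfSense compiles its Firewall > NAT > Outbound entries into). This is an added illustration, not a configuration posted in the thread: the client tunnel subnet 192.0.2.0/24, the interface names em0/em1 and the use of 10.100.1.3 as FW3's LAN address are assumptions.

```pf
# FW3 (pfSense): source-NAT client tunnel traffic toward SITE 2.
# Assumptions (not from the thread): client tunnel subnet 192.0.2.0/24,
# em0 = WAN terminating the client IPsec tunnel,
# em1 = LAN toward FW1 (10.100.1.1), FW3 LAN address 10.100.1.3.
# GUI equivalent: Firewall > NAT > Outbound, mode Hybrid, Interface LAN,
# Source 192.0.2.0/24, Destination 10.99.1.0/24, Translation "Interface Address".
ext_if     = "em0"
lan_if     = "em1"
client_net = "192.0.2.0/24"    # remote side of the FW3 <-> client phase 2
site2_net  = "10.99.1.0/24"

# Rewrite the client's source to FW3's LAN address before the packet leaves
# toward FW1. FW1 then sees ordinary 10.100.1.0/24 -> 10.99.1.0/24 traffic,
# which its existing phase 2 with FW2 already covers, so FW1 and FW2 need
# no knowledge of the client subnet.
nat on $lan_if inet from $client_net to $site2_net -> ($lan_if)

# Let the decrypted client traffic in from the IPsec pseudo-interface.
pass in quick on enc0 inet from $client_net to $site2_net keep state

# Replies addressed to 10.100.1.3 match the NAT state entry and are
# translated back and returned through the client tunnel; no extra rule
# is needed for the return direction.
```

      Two preconditions follow from the rule: FW3 must route 10.99.1.0/24 via FW1 (its default gateway, which is what Konstanti's question below probes), and the FW3 <-> client phase 2 must carry 10.99.1.0/24 as the local side, or the client's packets never reach this NAT rule.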
      Bruno Rodrigo:

        Anyone?

        Bruno Rodrigo:

          So I believe there is no solution for this scenario using PFSense. Is this right?

          Bruno Rodrigo:

            One last try... Is this an impossible approach?
            Does anyone know how to solve this?

            Thanks.

            Konstanti, replying to Bruno Rodrigo (last edited by Konstanti):

              @bruno-rodrigo said in NAT / IPSec - Several sites interconnection puzzle:

              > One last try... Is this an impossible approach?
              > Does anyone know how to solve this?

              Hey,
              what are the phase 2 settings FW3 <-> client? I'm interested in leftsubnet/rightsubnet.
              What are the phase 2 settings FW1 <-> FW2? I'm interested in leftsubnet/rightsubnet.
              Which default gateway does FW3 use?
              Can 10.100.1.3 ping 10.99.1.1 or any other host in 10.99.1.0/24?
