Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PFSense NAT 1:1 IPs over VPN

    Scheduled Pinned Locked Moved NAT
    2 Posts 1 Posters 407 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      phil_ccc
      last edited by

      Hi all, been using PFSense for a long time and I'm a huge fan.

      We have two locations, A and B. Location A has a large WAN subnet assigned to it, while location B does not.

      We are moving computers from location A to location B. They currently have different IPs assigned to them. The goal is to have two or more computers hosted in location B to tunnel traffic through to location A and have location A NAT them different WAN IPs.

      Right now the computers are simply connected to the WAN via a switch and have static IPs assigned to them, let's say it looks like this:

      0_1542904124307_a0fa1b43-1380-4bb3-a942-98a5f9128a27-image.png

      Using the numbers above, we want to move them to location B and tunnel "1.1.1.2" and "1.1.1.3" to those PCs via the VPN. This has proven challenging.

      I assumed I could not just transit WAN IPs over the VPN and would need to NAT the traffic. So the idea then would be:

      0_1542905208017_0ecf9c0b-266f-4068-b27d-0ca31a0280aa-image.png

      The only way I could see to route this would be through VTI tunnelling, which I was happy to see is now supported.

      I created a test computer on site B. I set up a VPN connection and created a VTI Phase 2 tunnel. I created a local static route on either side to either subnet. Then I created a firewall rule piping all traffic through the VTI tunnel gateway for the test computer.

      I can now confirm that traffic on the test computer is routed from site B over to Site A and given IP 1.1.1.1. that's where my success ends.

      Setting it up I was sorry to see that 1:1 NAT is flagged as 'fishy' in the latest release. Sure enough if I try and change NAT to any virtual IP I just loose connectivity immediately.

      Is there anything I can try or any additional suggestions anyone would have? Is what I'm experienced a known issue at this point or should I expect that to work?

      1 Reply Last reply Reply Quote 0
      • P
        phil_ccc
        last edited by

        I thought I'd try to RTFM on doing this via a tunnel interface rather than VTI as per https://www.netgate.com/docs/pfsense/vpn/ipsec/routing-internet-traffic-through-a-site-to-site-ipsec-vpn.html
        I had not realized you could pipe 0.0.0.0/0 through a VPN tunnel.

        This config works without any issue, and considering the warning on the site: "There are also known issues with NAT, notably that NAT to the interface address works but 1:1 NAT or NAT to an alternate address does not work." - I would assume that this is a VTI limitation. Still if anyone has any additional info on this it'd be interesting to know.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.