PFSense NAT 1:1 IPs over VPN



  • Hi all, been using PFSense for a long time and I'm a huge fan.

    We have two locations, A and B. Location A has a large WAN subnet assigned to it, while location B does not.

    We are moving computers from location A to location B. They currently have different IPs assigned to them. The goal is to have two or more computers hosted in location B to tunnel traffic through to location A and have location A NAT them different WAN IPs.

    Right now the computers are simply connected to the WAN via a switch and have static IPs assigned to them, let's say it looks like this:

    0_1542904124307_a0fa1b43-1380-4bb3-a942-98a5f9128a27-image.png

    Using the numbers above, we want to move them to location B and tunnel "1.1.1.2" and "1.1.1.3" to those PCs via the VPN. This has proven challenging.

    I assumed I could not just transit WAN IPs over the VPN and would need to NAT the traffic. So the idea then would be:

    0_1542905208017_0ecf9c0b-266f-4068-b27d-0ca31a0280aa-image.png

    The only way I could see to route this would be through VTI tunnelling, which I was happy to see is now supported.

    I created a test computer on site B. I set up a VPN connection and created a VTI Phase 2 tunnel. I created a local static route on either side to either subnet. Then I created a firewall rule piping all traffic through the VTI tunnel gateway for the test computer.

    I can now confirm that traffic on the test computer is routed from site B over to Site A and given IP 1.1.1.1. that's where my success ends.

    Setting it up I was sorry to see that 1:1 NAT is flagged as 'fishy' in the latest release. Sure enough if I try and change NAT to any virtual IP I just loose connectivity immediately.

    Is there anything I can try or any additional suggestions anyone would have? Is what I'm experienced a known issue at this point or should I expect that to work?



  • I thought I'd try to RTFM on doing this via a tunnel interface rather than VTI as per https://www.netgate.com/docs/pfsense/vpn/ipsec/routing-internet-traffic-through-a-site-to-site-ipsec-vpn.html
    I had not realized you could pipe 0.0.0.0/0 through a VPN tunnel.

    This config works without any issue, and considering the warning on the site: "There are also known issues with NAT, notably that NAT to the interface address works but 1:1 NAT or NAT to an alternate address does not work." - I would assume that this is a VTI limitation. Still if anyone has any additional info on this it'd be interesting to know.