Netgate Discussion Forum
    IPSec Overlapping Subnets

    schulzie00

      Have a client that has 2 locations both running Pfsense.

      Site A 10.10.20.0/16
      Site B 10.10.50.0/24

      It would be easier to just fix the subnets, but client wants to keep using /16 because of equipment w/ static IPs moving between the 2 locations.

      I have established an IPSec tunnel using x.x.20.0/24 and x.x.50.0/24 and able to get through to anything coded with a /24 subnet on both sides but can't get to anything with a /16 address.

      I've read through the pfSense book and searched on Google, but I haven't found a good example of how to handle the NAT/BINAT to allow the traffic to pass.

      Thanks,

      mikee @schulzie00

        @schulzie00 BINAT is not so hard. The only thing that you have to take into account is that, from the point of view of the remote site, the remote net you have to supply is the one you have used in the BINAT field and not the original one on the LAN interface. So your phase II configuration must use this latter one, and rules must apply with this.

        Apart from this take into consideration that there will not be any matching rules between local IP addresses (those in the LAN Net space) and binat addresses so the remote site clients would not be able to contact servers in the binat side unless you configure a NAT static translation too.

        Hope this helps.

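The translation mikee describes, as an added worked example that is not from the thread or from pfSense itself. It models only Site B's side of the tunnel: Site A's /16 contains Site B's 10.10.50.0/24, so Site B's LAN is mapped 1:1 onto a BINAT network (172.16.50.0/24 is an assumed value, not one from the thread), the remote side's phase 2 "remote network" is checked to be that BINAT network, and the example confirms that the BINAT network no longer overlaps the remote LAN. The translation keeps the host bits and swaps only the network bits, which is what makes BINAT reversible for return traffic.

```python
import ipaddress

# Constructed values modelled on the thread: Site A's /16 contains Site B's /24.
SITE_A_LAN = ipaddress.ip_network("10.10.0.0/16")
SITE_B_LAN = ipaddress.ip_network("10.10.50.0/24")
# Hypothetical BINAT network for Site B's side (assumption, not from the thread).
SITE_B_BINAT = ipaddress.ip_network("172.16.50.0/24")


def overlaps(a, b):
    """True if the two networks share any address (equal, or one inside the other)."""
    return a.overlaps(b)


def binat_translate(addr, from_net, to_net):
    """1:1 (BINAT) mapping: keep the host bits of addr, replace the network bits.

    Every host in from_net maps to exactly one host in to_net, so the same
    function, called with the networks swapped, undoes the translation.
    """
    addr = ipaddress.ip_address(addr)
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("BINAT needs equal prefix lengths on both networks")
    host_bits = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + host_bits)


def phase2_plan(local_lan, binat_net, remote_lan):
    """Return the phase 2 networks each side must configure once BINAT is used.

    The remote side must reference the BINAT network, not the real LAN, because
    the real LAN overlaps its own address space. Raises if the BINAT network
    still overlaps the remote LAN, since then the translation solves nothing.
    """
    if not overlaps(local_lan, remote_lan):
        raise ValueError("no overlap: BINAT is not needed for this pair")
    if overlaps(binat_net, remote_lan):
        raise ValueError(f"BINAT network {binat_net} still overlaps {remote_lan}")
    return {
        # Site with the overlapping LAN: phase 2 local = LAN, translated to binat_net.
        "binat_side": {
            "local_network": str(local_lan),
            "binat_translation": str(binat_net),
            "remote_network": str(remote_lan),
        },
        # Other site: it only ever sees the translated addresses.
        "remote_side": {
            "local_network": str(remote_lan),
            "remote_network": str(binat_net),
        },
    }


def reachable_from_remote(addr, local_lan, binat_net):
    """Remote hosts can only address the BINAT range; the real LAN addresses are
    invisible to them, which is why mikee notes that remote clients cannot reach
    local servers by their LAN address without the translation in place."""
    addr = ipaddress.ip_address(addr)
    return addr in binat_net and addr not in local_lan


if __name__ == "__main__":
    print("overlap:", overlaps(SITE_A_LAN, SITE_B_LAN))
    print("10.10.50.7 ->", binat_translate("10.10.50.7", SITE_B_LAN, SITE_B_BINAT))
    print(phase2_plan(SITE_B_LAN, SITE_B_BINAT, SITE_A_LAN))
```

Running the script shows the overlap, the translated address a Site A host would use to reach 10.10.50.7, and the phase 2 networks for each side. A useful operational check is `phase2_plan` raising when a proposed BINAT network is itself inside the remote LAN, which is the easy mistake to make when both sites share 10.10.0.0/16.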
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.