1:1 NAT over OpenVPN



  • Hi everyone,
    I am currently adding another site-to-site tunnel on my pfSense. I have a working IPsec tunnel and several OpenVPN tunnels working, but the new remote site overlaps with the IPsec tunnel's remote network.

    Main Site:
    PfSense
    10.4.0.0/16 LAN

    Site A (IPsec):
    PaloAlto
    10.1.0.0/16 LAN

    New Site B (OpenVPN):
    Mikrotik
    10.1.100.0/24 LAN

    To circumvent this situation I tried to set up 1:1 NAT using https://docs.netgate.com/pfsense/en/latest/book/openvpn/nat-with-openvpn-connections.html
    I only do 1:1 NAT at the Main Site because Remote Sites A and B must not communicate. The result looks like this:

    Main Site:
    PfSense
    10.4.0.0/16 LAN
    OpenVPN 192.168.97.18/30 (Client), Remote Network: 10.111.1.0/24
    1:1 NAT: Ovpn-Interface, external: 10.111.1.0/24, internal: 10.1.100.0/24

    New Site B (OpenVPN):
    Mikrotik
    10.1.100.0/24 LAN
    OpenVPN 192.168.97.17/30 (Server), Push Route: 10.111.1.0/24 (also tried 10.1.100.0/24)

    The tunnel comes up fine and I can ping both endpoints from both sites, but despite having the 1:1 NAT in place, when pinging e.g. 10.111.1.254 from the main site, the remote firewall sees 10.111.1.254 and not 10.1.100.254.

    It seems 1:1 NAT is not working properly and I can't figure out why.

    Does anyone have experience with this kind of setup ("one-sided 1:1 NAT")?


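To make the expected behaviour of the one-sided 1:1 NAT concrete, here is an added model of the mapping described in the post (constructed example, not code from the post or from pfSense). It applies the post's own ranges, external 10.111.1.0/24 and internal 10.1.100.0/24, to a packet crossing the Main Site's OpenVPN interface in each direction, and classifies the address the Site B firewall reports seeing; the function names are hypothetical.

```python
"""Model of the one-sided 1:1 NAT (pf 'binat'-style) from the post.

Constructed example, not pfSense code. The Main Site routes 10.111.1.0/24 into
the tunnel; the 1:1 rule on the OpenVPN interface is supposed to rewrite that
external range to Site B's real LAN, 10.1.100.0/24, and undo it on replies.
"""
import ipaddress

EXTERNAL = ipaddress.ip_network("10.111.1.0/24")  # range the Main Site LAN targets
INTERNAL = ipaddress.ip_network("10.1.100.0/24")  # Site B's actual LAN


def _map(addr, src_net, dst_net):
    """Move a host address from src_net to the same host offset in dst_net.

    Addresses outside src_net are not subject to the 1:1 rule and pass unchanged.
    """
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        return addr
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)


def nat_outbound(src, dst):
    """Packet leaving the Main Site over the OpenVPN interface.

    Only the destination is rewritten (external -> internal); the 10.4.x.x
    source is left untouched, which is what makes the NAT one-sided.
    """
    return str(ipaddress.ip_address(src)), str(_map(dst, EXTERNAL, INTERNAL))


def nat_inbound(src, dst):
    """Reply arriving from Site B: source 10.1.100.x is mapped back to 10.111.1.x."""
    return str(_map(src, INTERNAL, EXTERNAL)), str(ipaddress.ip_address(dst))


def diagnose(seen_at_remote):
    """Classify the destination address the Site B firewall reports seeing."""
    seen = ipaddress.ip_address(seen_at_remote)
    if seen in INTERNAL:
        return "nat-applied"      # remote sees its real LAN address: rule matched
    if seen in EXTERNAL:
        return "nat-not-applied"  # the symptom in the post: packet left untranslated
    return "routing-issue"        # outside both ranges: not a NAT question at all


if __name__ == "__main__":
    print(nat_outbound("10.4.0.10", "10.111.1.254"))   # expect dst 10.1.100.254
    print(diagnose("10.111.1.254"))                     # expect nat-not-applied
```

A remote firewall that logs 10.111.1.254 as the destination is therefore proof that the packet crossed the tunnel before the 1:1 rule rewrote it, which narrows the search to the rule's interface and address selection rather than to routing.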