1:1 NAT over OpenVPN
Hi everyone,
I am currently adding another site-to-site tunnel on my pfSense. I have a working IPsec tunnel and several OpenVPN tunnels working, but the new remote site overlaps with the IPsec tunnel's remote network.

Main Site:
pfSense
10.4.0.0/16 LAN

Site A (IPsec):
PaloAlto
10.1.0.0/16 LAN

New Site B (OpenVPN):
Mikrotik
10.1.100.0/24 LAN

To circumvent this situation I tried to set up 1:1 NAT using https://docs.netgate.com/pfsense/en/latest/book/openvpn/nat-with-openvpn-connections.html
I only do 1:1 NAT at the Main Site because Remote Sites A and B must not communicate. The result looks like:

Main Site:
pfSense
10.4.0.0/16 LAN
OpenVPN 192.168.97.18/30 (Client), Remote Network: 10.111.1.0/24
1:1 NAT: Ovpn-Interface, external: 10.111.1.0/24, internal: 10.1.100.0/24

New Site B (OpenVPN):
Mikrotik
10.1.100.0/24 LAN
OpenVPN 192.168.97.17/30 (Server), Push Route: 10.111.1.0/24 (also tried 10.1.100.0/24)

The tunnel comes up fine and I can ping both endpoints from both sites, but despite having the 1:1 NAT in place, when pinging e.g. 10.111.1.254 from the main site the remote firewall sees 10.111.1.254 and not 10.1.100.254.
It seems 1:1 NAT is not working properly and I can't figure out why.
Does anyone have experience with this kind of setup ("one-sided 1:1 NAT")?
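The following is an added worked example, not part of the original post and not pfSense code. pfSense 1:1 NAT compiles to a pf binat rule on the selected interface, and a binat rule is symmetric in a specific way: a packet leaving that interface with a source in the "internal" network has its source rewritten to "external", and a packet arriving on that interface with a destination in "external" has its destination rewritten back to "internal". It never rewrites the destination of an outbound packet. The model below (my own, using the addresses from the post; the host 10.4.0.10 and the rule/function names are assumptions) runs the poster's ping through the rule as configured and shows why Site B sees 10.111.1.254 unchanged; it also runs the same packet through a hypothetical mirror-image rule that translates the remote side, purely to make the required direction explicit, not as a claim about which pfSense GUI rule produces it.

```python
"""Toy model of the pf 1:1 NAT (binat) rule described in the post.

The semantics modelled here are those of a pf binat rule on one interface:
  outbound: source in `internal`  -> source rewritten to `external`
  inbound:  destination in `external` -> destination rewritten to `internal`
This is my own illustration, not pfSense code; addresses are from the post.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def _shift(addr: IPv4Address, from_net: IPv4Network, to_net: IPv4Network) -> IPv4Address:
    """Keep the host part of `addr`, swap the network part (1:1 mapping)."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 NAT requires equal-size networks")
    offset = int(addr) - int(from_net.network_address)
    return IPv4Address(int(to_net.network_address) + offset)


@dataclass(frozen=True)
class OneToOneNat:
    """pf binat semantics on one interface: translates the *local* side."""
    external: IPv4Network
    internal: IPv4Network

    def outbound(self, pkt: Packet) -> Packet:
        # Leaving the interface: only the source is a candidate for rewriting.
        if pkt.src in self.internal:
            return replace(pkt, src=_shift(pkt.src, self.internal, self.external))
        return pkt

    def inbound(self, pkt: Packet) -> Packet:
        # Arriving on the interface: only the destination is a candidate.
        if pkt.dst in self.external:
            return replace(pkt, dst=_shift(pkt.dst, self.external, self.internal))
        return pkt


@dataclass(frozen=True)
class RemoteSideNat:
    """Hypothetical mirror image of binat: translates the *remote* side.

    Outbound destinations in `external` become `internal`; inbound sources in
    `internal` become `external`. Shown only to make the needed direction
    explicit; this is not a statement about how to express it in the GUI.
    """
    external: IPv4Network
    internal: IPv4Network

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.dst in self.external:
            return replace(pkt, dst=_shift(pkt.dst, self.external, self.internal))
        return pkt

    def inbound(self, pkt: Packet) -> Packet:
        if pkt.src in self.internal:
            return replace(pkt, src=_shift(pkt.src, self.internal, self.external))
        return pkt


# Rule exactly as configured in the post, on the OpenVPN interface.
OVPN_NAT = OneToOneNat(external=IPv4Network("10.111.1.0/24"),
                       internal=IPv4Network("10.1.100.0/24"))
# Same networks, but applied to the remote side (hypothetical).
MIRROR_NAT = RemoteSideNat(external=IPv4Network("10.111.1.0/24"),
                           internal=IPv4Network("10.1.100.0/24"))


def trace(nat, direction: str, src: str, dst: str) -> tuple[str, str]:
    """Run one packet through the rule; returns (src, dst) after translation."""
    pkt = Packet(IPv4Address(src), IPv4Address(dst))
    out = nat.outbound(pkt) if direction == "out" else nat.inbound(pkt)
    return str(out.src), str(out.dst)


if __name__ == "__main__":
    # 10.4.0.10 is an assumed host on the main LAN.
    print("binat as configured, Site B sees:  ", trace(OVPN_NAT, "out", "10.4.0.10", "10.111.1.254"))
    print("binat as configured, reply at main:", trace(OVPN_NAT, "in", "10.1.100.254", "10.4.0.10"))
    print("binat in its designed direction:   ", trace(OVPN_NAT, "out", "10.1.100.5", "10.4.0.10"))
    print("mirror rule, Site B sees:          ", trace(MIRROR_NAT, "out", "10.4.0.10", "10.111.1.254"))
    print("mirror rule, reply at main:        ", trace(MIRROR_NAT, "in", "10.1.100.254", "10.4.0.10"))
```

Running it shows the symptom from the post: with the rule as configured, the echo request leaves the OpenVPN interface with source 10.4.0.10 (not in the internal network, so untouched) and destination 10.111.1.254 (outbound destinations are never rewritten by binat), which is exactly what the Mikrotik logs. The rule only ever fires for a local host inside 10.1.100.0/24, the case the linked Netgate page is written for. The mirror rule shows the translation the poster is after: destination 10.111.1.254 becomes 10.1.100.254 on the way out, and the reply's source 10.1.100.254 comes back as 10.111.1.254.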