[Updated] Site to Multisite with identical subnets at remote locations. $300

  • I would appreciate at least a response. Yes is doable.  No impossible!  I posted a link in IPSEC as to what I am looking for.  I was told that pfSense cannot do this.  I was wondering if this is a feature that could be added.  I posted $200.  Honestly I don't know how much this feature would cost so if I am off, let me know what would be an appropriate price.

    See message below:

    I am looking at implementing a solution to manage all of my customers servers and resources with an enterprise monitoring application.  I need to create VPN tunnels to each remote site.  My problem is that some of the sites have the same subnets and I cannot change them. I was wondering if there was a way to make a customers pfsense translate their subnet into a different subnet so that I can communicate with them.  I have done this with a Cisco vpn-3000 concentrator and was hoping there was a solution for connecting multiple sites to one location where some of the remote sites might have identical subnets.

    Ex. 1:    Notice customer 1 and 3 have the same subnet.

    Ex. 2:   Customer 3 has translated their subnet into a different subnet so that there is not a conflict for Operations to communicate with both sites simultaneously.

    Here is an example of how a Cisco VPN concentrator does this:

    Notice how it translates the network

    By the way…I did the diagram using Network Notepad which is free of charge at www.networknotepad.com



  • So long as the none of the subnets are not the same as your you are fine.  I have one VPN server with mulitple clients, several of which use the standard 192.168.0.x or 192.168.1.x setup at home, since I use a 10.x.x.x subnet there is never any problem.  All of their packets for my network are routed thru the VPN.  If you wanted them to access network in the same subnet as their own is the only time it will never work, because they will always look locally and never anywhere else.

    I have a working PfSense box and can help you out.  It is VERY robust, I used it to replace a NETGEAR ProSafe VPN box that was timing out.  Ever since I installed the PfSense box there has not been an issue.

    PfSense ROCKS!!!!!!!!!!!!!!!!!!!!!!!!!!

  • it seems a 1:1 NAT for a network block would be in order. I think this type of NAT is already possible. I'm just not certain the VPN tunnels will all succesfully establish.


  • They won't.  IPSec policy happens before NAT on the external interface.  At this point I don't think it's possible to have identical subnets on both sides of a tunnel (or tunnels to multiple devices that all have the same subnet).  Also, enc0 won't help us here, same reason…ipsec policies happen when the packet traverses the kernel, enc0 is either to early or too late depending on which direction you talk about.


  • In the past Cisco was using a trick to perform this type of "multisite in the same network". They were creating GRE tunels over the VPN connection and then using the good subnet over the GRE tunnel. The fact was GRE was allowing them to use GRE interface as routing interface so the central VPN hub could know each route to each site….. But this was many years ago... I do not know if it is still the case....I doubt so.
    I have already done a similar work on a linux central hub, using ipsec roadwarrior connection and then GRE tunnels over the ipsec vpn and a lot a route entries ;-). At the end I had many site (20 schools), all using the same subnet, all able to communicate each other....
    This type of architecture needs a lot a work....I would not do it again ;-)

  • Hi TorrentSaint,

    I too am interested in the setup graphically depicted above.  I see you say you're running vpn connections to your network where the remote sites have the same subnet as each other.  This seems like it work for traffic originating from their side to yours, however, how does it work for traffic originating from your side attempting to travel to a specific network on the other side?  Are you able to ping devices on both networks? And if so, what happens if their are two devices with the same ip address?

    Also, along with the same question that was originally asked, has anyone else attempted this or been successful through additional static routes etc?


  • I just tested the setup with a pfsense unit on 192.168.10.x and two remotes at 192.168.12.x and while the tunnels establish, the route only works on the first tunnel that connects.


Log in to reply