1:1 NAT blocks internet access
-
We have an IPsec VPN to our vendor. This is working correctly. For the vendor we also need to use a 1:1 NAT rule to transpose our internal IP to the IP address needed by our vendor. When the 1:1 NAT rule is enabled, workstations lose access to the Internet. The vendor reports this is because they are going over the VPN for Internet, which is not going to work. The vendor reports we need "policy based NAT". Also, in the 1:1 NAT rule I see an option for "Destination". Might this option resolve the issue?
-
@crispycritter
What exactly are you trying to achieve with the NAT 1:1?
Why should the workstations' upstream traffic be routed over the IPsec? This is done by phase 2; NAT doesn't route anything.
-
@viragomann What we achieve with the NAT 1:1 is the ability for a single IP address on our network to communicate across the VPN to a single IP address on the vendor's network. This is needed since both of our networks have the same IP scheme. The vendor has assigned specific IP addresses that we can use for the NAT. However, we need a method to only route the traffic that is going to the vendor while allowing other traffic (Internet) to route normally to the gateway.
-
@crispycritter
This kind of NAT must be done in the IPsec phase 2: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/phase-2-nat.html
Also the routing is done in the phase 2. IPsec routes the whole upstream traffic to the remote site if your P2 remote network is 0.0.0.0.