Netgate Discussion Forum
    VPN Ipsec without gateway

    General pfSense Questions
    16 Posts 4 Posters 1.5k Views
      provablueteam123

      I configured a site-to-site IPsec VPN between two pfSense firewalls and everything works fine.
      The PCs of the two firewalls are connected on both sides.
      They asked me to connect a device in the LAN that doesn't have the possibility to set the gateway.
      I would like to know if there is a configuration to do on pfSense (NAT/SNAT) that can work like the "route add" command on the device.
      If the gateway or a special configuration on pfSense is not set, I can't reach it from the other side of the VPN.
      Thank you


        viragomann @provablueteam123

        @provablueteam123 said in VPN Ipsec without gateway:

        They asked me to connect a device in the LAN that doesn't have the possibility to set the gateway.
        I would like to know if there is a configuration to do on pfsense (Nat Snat) that can work like the "route add" command from the device.

        SNAT / masquerading. There is no additional magic needed.
        In pfSense the outbound NAT does this job.

        Ensure that the outbound NAT is in hybrid or manual mode. Add a rule:
        interface: LAN
        protocol: as you need
        source: any or even the remote site's network
        destination: the device's IP they want to access from remote
        translation: interface address


          provablueteam123 @viragomann

          Thanks @viragomann
          I'm in Italy, it's currently 11.30pm
          I'll try it tomorrow morning when I'm in the office
          Thank you


            michmoor @viragomann

            @viragomann SNAT can't be used here. The reason is that the client doesn't have a gateway set, so it can't reach remote networks. I think using a DNAT actually may work. The client will target an address on the LAN (a virtual IP on pfSense); pfSense will answer the ARP and change the destination address to whatever is configured (the remote net).

            Firewall: NetGate,Palo Alto-VM,Juniper SRX
            Routing: Juniper, Arista, Cisco
            Switching: Juniper, Arista, Cisco
            Wireless: Unifi, Aruba IAP
            JNCIP,CCNP Enterprise


              viragomann @michmoor

              @michmoor
              As I got it, the respective device with the gateway option should be accessed from the remote site. Here SNAT is the way to go.

              If the device should access the remote site's devices, you need DNAT and have to assign virtual IPs to pfSense for NATting.


                michmoor @viragomann

                @viragomann maybe I’m confused on the direction of the traffic. So client-a has no gateway and tries to reach out to client-b on remote network?


                  viragomann @michmoor

                  @michmoor said in VPN Ipsec without gateway:

                  So client-a has no gateway and tries to reach out to client-b on remote network?

                  This case would need DNAT and VIPs of course.

                  I was talking about accessing the client from B.


                    provablueteam123 @viragomann

                    Thanks everyone for the replies.
                    This is the network design: [image: Disegno2.jpg]
                    Thanks


                      viragomann @provablueteam123

                      @provablueteam123
                      And what is the challenge?
                      If you've read our recent posts, you should see that the solution depends on whether the device in B needs to access an IP at A or site A needs to access the device at B.


                        provablueteam123 @viragomann

                        @viragomann
                        I have to access from a to b


                          michmoor @provablueteam123

                          @provablueteam123 This is a basic SNAT, no? Not really seeing a challenge here.


                            viragomann @provablueteam123

                            @provablueteam123 said in VPN Ipsec without gateway:

                            @viragomann
                            I have to access from a to b

                            So this is how I understood your first post and I described the way to solve it in my first one already. Did you add the suggested outbound NAT rule yet?


                              provablueteam123

                              @viragomann
                              Does the following configuration have to be done on the pfSense at A or the one at B?

                              Ensure that the outbound NAT is in hybrid or manual mode.
                              Add a rule:
                              interface: LAN
                              protocol: as you need
                              source: any or even the remote site's network
                              destination: the device's IP they want to access from remote
                              translation: interface address

                              Thanks


                                viragomann @provablueteam123

                                @provablueteam123
                                On B, where the client that has no gateway resides.

                                Without this, the device sees the original source IP in the packets from the A LAN. Since it has no route, it cannot respond.
                                This rule translates the source IP in packets destined to the stated device IP into the LAN IP of pfSense. So the device sees an IP which lies within its subnet and sends responses back to pfSense, where they are forwarded to the other site.


                                  stephenw10 (Netgate Administrator)
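The mechanism viragomann describes in the post above (and the rule he listed earlier: interface LAN, source any, destination the device's IP, translation interface address) can be modelled end to end. The following Python script is an added example for this thread, not pfSense code and not anything posted by the participants; the addresses (site A LAN 192.168.1.0/24 with host 192.168.1.20, site B LAN 192.168.2.0/24 with pfSense at 192.168.2.1 and the gateway-less device at 192.168.2.50), the class names and the state-table representation are all constructed assumptions. It shows why the device cannot answer a packet that still carries a remote source address, and how the outbound NAT rule on the site B pfSense, together with the state the firewall creates, lets the reply find its way back.

```python
"""Model of the outbound-NAT (SNAT) workaround discussed in the thread.

Added example, not pfSense code.  Constructed addresses:
  site A LAN 192.168.1.0/24, host 192.168.1.20 opens the connection
  site B LAN 192.168.2.0/24, pfSense B LAN address 192.168.2.1
  gateway-less device at site B: 192.168.2.50
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str = "tcp"


@dataclass(frozen=True)
class OutboundNatRule:
    """One pfSense outbound NAT rule as listed in the thread (hybrid or manual mode)."""
    interface: str
    source: IPv4Network            # "any" is 0.0.0.0/0
    destination: IPv4Network       # the device's IP, as a /32
    translation: IPv4Address       # "interface address" = the LAN IP of pfSense
    proto: Optional[str] = None    # None matches any protocol

    def matches(self, pkt: Packet, out_if: str) -> bool:
        return (out_if == self.interface
                and (self.proto is None or self.proto == pkt.proto)
                and pkt.src in self.source
                and pkt.dst in self.destination)


class GatewaylessHost:
    """A LAN device with only its connected route and no default gateway."""

    def __init__(self, addr: str, subnet: str):
        self.addr = ip_address(addr)
        self.subnet = ip_network(subnet)

    def can_reply_to(self, peer: IPv4Address) -> bool:
        # Without a gateway the only destinations it can route to are on-link.
        return peer in self.subnet


class PfSenseB:
    """pfSense at site B: applies outbound NAT on LAN and keeps a state table."""

    def __init__(self, lan_if: str, rules):
        self.lan_if = lan_if
        self.rules = list(rules)
        self.states = {}  # (translated src, dst) -> original src

    def forward_to_lan(self, pkt: Packet) -> Packet:
        """Packet arriving from the IPsec tunnel and leaving on the LAN interface."""
        for rule in self.rules:
            if rule.matches(pkt, self.lan_if):
                translated = replace(pkt, src=rule.translation)
                self.states[(translated.src, translated.dst)] = pkt.src
                return translated
        return pkt  # no matching rule: the remote source address is kept

    def reply_from_lan(self, pkt: Packet) -> Optional[Packet]:
        """Reply from the device: restore the original destination from state."""
        original_src = self.states.get((pkt.dst, pkt.src))
        if original_src is None:
            return None  # no state: pfSense has nowhere to send the reply
        return replace(pkt, dst=original_src)


def simulate(with_rule: bool) -> dict:
    """Run one request from site A to the device and report what happens."""
    rule = OutboundNatRule(interface="LAN",
                           source=ip_network("0.0.0.0/0"),
                           destination=ip_network("192.168.2.50/32"),
                           translation=ip_address("192.168.2.1"))
    pf_b = PfSenseB("LAN", [rule] if with_rule else [])
    device = GatewaylessHost("192.168.2.50", "192.168.2.0/24")

    request = Packet(ip_address("192.168.1.20"), ip_address("192.168.2.50"))
    on_wire = pf_b.forward_to_lan(request)
    result = {"device_sees_src": str(on_wire.src), "replied": False, "reply_reaches": None}
    if not device.can_reply_to(on_wire.src):
        return result  # the device has no route to the source and stays silent
    reply = Packet(device.addr, on_wire.src)
    delivered = pf_b.reply_from_lan(reply)
    result["replied"] = True
    result["reply_reaches"] = str(delivered.dst) if delivered else None
    return result


if __name__ == "__main__":
    print("without rule:", simulate(False))
    print("with rule:   ", simulate(True))
```

Run it to see the two outcomes side by side. Two points carry over to the real rule: it belongs on the site B pfSense and should match only the one device's IP as destination, so the rest of the LAN keeps seeing real source addresses; and because every remote client now appears to the device as the pfSense LAN address (192.168.2.1 in this model), the device's own logs and any host-based access lists can no longer tell remote clients apart, so who may reach it has to be enforced in the IPsec phase 2 definition and the firewall rules on pfSense, whose state table and logs become the only record of the original source address.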

                                  Kind of curious to know what sort of device that is that has no gateway.

                                  Maybe it just has the wrong gateway.

                                  Outbound NAT (SNAT) will work fine either way though.

                                  Steve


                                    provablueteam123 @viragomann

                                    @viragomann
                                    I tried it, it works great.
                                    Thank you so much

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.