VPN Ipsec without gateway
-
I configured a site to site ipse vpn between two pfsense and everything works fine.
The PCs of the two firewalls are connected on both sides.
They asked me to connect a device in the LAN that doesn't have the possibility to set the gateway.
I would like to know if there is a configuration to do on pfsense (Nat Snat) that can work like the "route add" command from the device.
If the gateway or a special configuration on the pfsense is not set, I can't reach it from the other side of the vpn.
Thank you -
@provablueteam123 said in VPN Ipsec without gateway:
They asked me to connect a device in the LAN that doesn't have the possibility to set the gateway.
I would like to know if there is a configuration to do on pfsense (Nat Snat) that can work like the "route add" command from the device.SNAT / masquerading. There is no additional magic needed.
In pfSense the outbound NAT does this job.Ensure that the outbound NAT is in hybrid or manual mode. Add a rule:
interface: LAN
protocol: as you need
source: any or even the remote sites network
destination: the devices IP they want to access from remote
translation: interface address -
Thanks @viragomann
I'm in Italy, it's currently 11.30pm
I'll try it tomorrow morning when I'm in the office
Thank you -
@viragomann SNAT can’t be used here. Reason is that the client doesn’t have a gateway set. So can’t reach remote networks. I think using a DNAT actually may work. Client will target an address on the LAN(Virtual IP on pfsense) pfsense will answer the arp and change the destination address to whatever is configured (remote net).
-
@michmoor
As a got it, the respective device with gateway option should be accessed from the remote site. Here is SNAT the way to go.If the device should access the remote sites devices you need DNAT and assign virtual IPs for natting to pfSense.
-
@viragomann maybe I’m confused on the direction of the traffic. So client-a has no gateway and tries to reach out to client-b on remote network?
-
@michmoor said in VPN Ipsec without gateway:
So client-a has no gateway and tries to reach out to client-b on remote network?
This case would need DNAT and VIPs of course.
I was talking about accessing the client from B.
-
Thanks everyone for the replies.
This is the network design:
Thanks -
@provablueteam123
And what is the challenge?
If you've read our recent posts, you should see that the solution depends on if the device in B needs to access an IP at A or if site A needs to access the device at B. -
@viragomann
I have to access from a to b -
@provablueteam123 This is a basic SNAT, no? Not really seeing a challenge here.
-
@provablueteam123 said in VPN Ipsec without gateway:
@viragomann
I have to access from a to bSo this is how I understood your first post and I described the way to solve it in my first one already. Did you add the suggested outbound NAT rule yet?
-
@viragomann
The following configuration must be done on the PFSense a or b?Ensure that the outbound NAT is in hybrid or manual mode.
Add a rule:
interface: LAN
protocol: as you need
source: any or even the remote sites network
destination: the devices IP they want to access from remote
translation: interface addressThanks
-
@provablueteam123
On b, where the client who has no gateway resides.Without this, the device sees the origin source IP in the packets from the a LAN. Since he has no route, he cannot respond.
This rule translates the source IP in packets destined to the stated device IP into the LAN IP of pfSense. So the device sees IP which lies within his subnet and send responses back to pfSense, where they are forwarded to the other site. -
Kind of curious to know what sort of device that is that has no gateway.
Maybe it just has the wrong gateway.
Outbound NAT (SNAT) will work fine either way though.
Steve
-
@viragomann
I tried it works great
Thank you so much
