Routing with VPN.
-
Hello. I have a LAN with some server behind pfsense.
WAN 1.2.3.4
LAN 192.168.168.0/24
OPT1 (wireguard) 10.10.10.0/24
LAN servers, for customers, available only via VPN. And all was well until one customer came in. He's connecting to the VPN from his LAN. His LAN has addresses 192.168.0.0/255.255.0.0 and all packets route via the local gateway 192.168.0.1.
I've already racked my brain on how I should set up routing so it can access our LAN.
-
@BLOKevin
Best practice would be that he change his subnet range. Does he really need a /16? If so he should use another range in the 10.0.0.0/8 anyway. If he doesn't want to change, you could 1:1 NAT the network, so that he needs to call for instance 10.171.45.23 if he wants to access 192.168.168.23 on your site.
-
@viragomann, did I understand correctly - I need to create a separate tunnel for it and route it 1:1 to which gateway?
-
@BLOKevin
No, the tunnel is not the point, since it does not overlap the customer's LAN. It's your LAN that is overlapping. Hence his client device cannot route traffic to you.
To work around this you have to translate your LAN subnet into something else (from the point of view of the VPN client). To do so go to Firewall > NAT > 1:1 and create a rule on OPT1:
External subnet IP: Single host - 10.171.45.0
Internal IP: LAN net
With this, the VPN clients can access your LAN devices with 10.171.45. + the last octet of your real LAN IP, or with the real IP alternatively.
For your devices nothing changes.
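As an added illustration (not part of the forum thread), the following Python checks why the customer's /16 swallows the server LAN and how a 1:1 NAT rule rewrites only the host part of each address; the networks are the ones quoted in the posts above.

```python
import ipaddress

# Addressing taken from the thread above.
SERVER_LAN = ipaddress.ip_network("192.168.168.0/24")   # pfSense LAN
CUSTOMER_LAN = ipaddress.ip_network("192.168.0.0/16")   # VPN client's home LAN
VPN_NET = ipaddress.ip_network("10.10.10.0/24")          # OPT1 / WireGuard
NAT_EXTERNAL = ipaddress.ip_network("10.171.45.0/24")    # 1:1 NAT external subnet


def conflicting_networks(client_lan, *site_nets):
    """Return the site networks a VPN client cannot route to because
    they fall inside (or overlap) its own local LAN."""
    return [n for n in site_nets if client_lan.overlaps(n)]


def one_to_one_translate(addr, external, internal):
    """Translate `addr` between `external` and `internal` the way a 1:1
    NAT rule does: same host offset, different network prefix."""
    addr = ipaddress.ip_address(addr)
    if external.prefixlen != internal.prefixlen:
        raise ValueError("1:1 NAT requires equal-sized subnets")
    if addr in external:
        src, dst = external, internal
    elif addr in internal:
        src, dst = internal, external
    else:
        raise ValueError(f"{addr} is in neither {external} nor {internal}")
    offset = int(addr) - int(src.network_address)
    return ipaddress.ip_address(int(dst.network_address) + offset)


if __name__ == "__main__":
    # The customer's /16 overlaps the server LAN, but not the tunnel.
    print("unroutable from client:", conflicting_networks(CUSTOMER_LAN, SERVER_LAN, VPN_NET))
    # After 1:1 NAT the client talks to 10.171.45.x, which does not overlap.
    print("still conflicting after NAT:", conflicting_networks(CUSTOMER_LAN, NAT_EXTERNAL))
    print(one_to_one_translate("10.171.45.23", NAT_EXTERNAL, SERVER_LAN))
```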
-
@viragomann, I'll try to implement it. Thanks for the advice!
-