Netgate Discussion Forum

    One-way NAT over IPSec?

    Category: NAT
    6 Posts 4 Posters 5.5k Views

    • ttblum

      Hello,

      I apologize if this question is over-asked but I didn't see it in the FAQ.

      I understand that only pfSense 2.0 supports 1:1 NAT over an IPSEC tunnel, and that version 2.0 is not yet considered production-ready.

      Is it possible to do just a one-way NAT over an IPSEC tunnel in version 1.2.3? My branch offices need to access servers at my datacenter and the branch offices' LAN subnets overlap, but my datacenter servers don't need to access any resources at the branch offices.

      Thanks,

      Todd

      • jimp (Rebel Alliance Developer, Netgate)

        Actually NAT+IPsec is still not possible even on 2.0. If you have overlapping subnets and you are forced to use IPsec, you'll need to set up a second box to translate through, like so:

        Main firewall: IPsec tunnel between the "fixed" subnet and the remote site, LAN interface as usual, second internal interface on the "fixed" subnet.
        Second "VPN" firewall: sits on the "fixed" subnet with its "WAN" connected to the main firewall. Its LAN subnet is the same as the LAN side of the main firewall, but with a different IP. This box's job is just to translate between subnets.
        The main firewall gets a static route that points traffic headed for the remote subnet to the VPN router instead, which should make the NAT happen; when the translated traffic goes back out via the main firewall it's on the right subnet, will match the IPsec SPD, and will go over the tunnel as you like.

        That method should work on 1.2.3 or 2.0.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • ttblum

          Hello,

          OK. Is NAT+OpenVPN also not possible with one pfSense machine?

          Thanks,

          Todd

          • jimp (Rebel Alliance Developer, Netgate)

            NAT+OpenVPN works fine, you can NAT in either direction. To NAT outbound, just assign the OpenVPN interface as an OPT interface, and then you can do whatever you like with it, it acts like a separate WAN.

            • bozo

              @jimp:

              NAT+OpenVPN works fine, you can NAT in either direction. To NAT outbound, just assign the OpenVPN interface as an OPT interface, and then you can do whatever you like with it, it acts like a separate WAN.

              Can confirm this, but I had huge issues doing so because I was tricked by the NAT/state table keeping the state of my ICMP to some invalid destination even though OpenVPN went up and down.

              What I had to do was create a script that flushes only the states between my source subnet and the destination subnets on the other side of the OpenVPN tunnel, and run it from the pfSense OpenVPN client's Advanced configuration section like this:
              route-up "/usr/local/bin/FlushOpenVPN-Nat"

              The script is simply like this:
              #!/bin/sh
              # Kill only the pf states from the local subnet to each remote subnet
              # reached over the tunnel; the rest of the state table is left alone.
              # With two -k arguments, the first is matched against the state's
              # source and the second against its destination.
              /sbin/pfctl -k 192.168.254.0/24 -k 172.20.0.0/16
              /sbin/pfctl -k 192.168.254.0/24 -k 172.30.0.0/16
              /sbin/pfctl -k 192.168.254.0/24 -k 10.31.0.0/16

              • chunlinyao

                @jimp:

                Actually NAT+IPsec is still not possible even on 2.0. If you have overlapping subnets and you are forced to use IPsec, you'll need to set up a second box to translate through, like so:

                Main Firewall, IPsec tunnel between "fixed" subnet and remote site, LAN interface as usual, second internal interface on the "fixed" subnet.
                Second "VPN" firewall sitting on the "fixed" subnet on its "WAN" connected to the main firewall. LAN subnet is the same as the LAN side of the main firewall, but a different IP. This box's job is just to translate between subnets.
                Main firewall gets a static route that points traffic headed for the remote subnet to the VPN router instead, which should make the NAT happen, and then when the NAT goes out via the main firewall it's on the right subnet, will match the IPsec SPD, and go over the tunnel as you like.

                That method should work on 1.2.3 or 2.0.

                Maybe this post will give some tips about implementing it in one box:
                http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.