NAT LAN through IPSec tunnel



  • I have a scenario in which I need to establish an IPSec tunnel with a customer that does not allow local networks with private address spaces (which, of course, ours is).  I have successfully established a test tunnel with pfSense that looks like:

    Interface: WAN
    Local Subnet: 146.145.a.b/32    <- IP address of pfSense WAN Interface
    Remote Subnet: 10.10.10.0/24  <- Customer's subnet

    And, as expected, from the Diagnostics->Ping, I can successfully bring up the tunnel and ping addresses in the 10.10.10.0/24 address space.

    What I would like to do now is one of two things (whichever works and is easy to implement):

    1. Route all traffic from our private LAN to 10.10.10.0/24 through the tunnel, NAT'ing the traffic to the WAN interface address (146.145.a.b) in the process
    2. Create a virtual IP address in the LAN that acts as an SNAT to the WAN interface and a DNAT to an IP in the customer's address space

    Are either of these two possible with pfSense?  I've spent quite a bit of time reading through forums and it appears to me as if one of these should work, but for all my tinkering I haven't been able to make it happen.

    Any help you could provide would be greatly appreciated!

    Thanks!



  • VPNs are for binding two or more networks,
    so there is no NAT between them.



  • Unless you are bridging over the IPSec interface, then technically the tunnel itself is just another route through a virtual interface (even though it may not be actually implemented that way) and therefore doesn't seem (to me) any more or less suitable for NAT'ing; I've done this sort of configuration through PIX firewalls, as well as directly on Linux with OpenVPN+iptables, and Solaris with OpenVPN+ipf before. In fact, one of the nice features I like of the PIX was the ability to do 1:1 NAT'ing to expose a single IP address on the remote network into the LAN as a LAN address, so the host looked like a local resource.

    However, to your point, what I am asking is for the bridging of the VPN tunnel to the LAN to be treated exactly the same as the LAN and the WAN.
    That is, have the tunnel defined as a single address (/32) (the virtual "WAN"), but have a LAN behind that address NAT'ing through the tunnel.

    Thanks for the reply.



  • Others have asked about this a few times in the past, and numerous times on the m0n0wall list, and nobody has ever been able to find a solution. It's certainly a desirable feature, if you can find a way to implement it I'm sure patches would be accepted.
