NAT LAN through IPSec tunnel
scott
I have a scenario in which I need to establish an IPSec tunnel with a customer that does not allow local networks with private address spaces (which, of course, ours is). I have successfully established a test tunnel with pfSense that looks like:
Local Subnet: 146.145.a.b/32 <- IP address of pfSense WAN Interface
Remote Subnet: 10.10.10.0/24 <- Customer's subnet
And, as expected, from the Diagnostics->Ping, I can successfully bring up the tunnel and ping addresses in the 10.10.10.0/24 address space.
What I would like to do now is one of two things (whichever works and is easy to implement):
- Route all traffic from our private LAN to 10.10.10.0/24 through the tunnel, NAT'ing the traffic to the WAN interface address (146.145.a.b) in the process
- Create a virtual IP address in the LAN that acts as a SNAT to the WAN interface and DNAT to an IP in the customer's address space
Are either of these two possible with pfSense? I've spent quite a bit of time reading through forums and it appears to me as if one of these should work, but for all my tinkering I haven't been able to make it happen.
Any help you could provide would be greatly appreciated!
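To make the two options above concrete, here is an added Python model of the packet path (this is an illustration written for this page, not pfSense code and not a working pfSense configuration). It models the phase 2 selector of the tunnel as an SPD entry (local = WAN address /32, remote = 10.10.10.0/24) and shows why the NAT step has to be applied before the IPsec policy lookup: a packet that still carries its private LAN source never matches the /32 selector. All addresses other than 10.10.10.0/24 are constructed: 203.0.113.10 stands in for the WAN address 146.145.a.b, 192.168.1.0/24 for the private LAN, and 192.168.1.250 -> 10.10.10.5 is a hypothetical 1:1 mapping for option 2. Ports are ignored, so one flow is just (src, dst).

```python
"""Model of NAT-before-IPsec (added example, not pfSense code).

Constructed addresses: 203.0.113.10 stands in for the poster's WAN address
146.145.a.b; 192.168.1.0/24 is a hypothetical private LAN; 10.10.10.0/24 is
the customer's subnet from the post. Ports are ignored: a flow is (src, dst).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

WAN_IP = ipaddress.ip_address("203.0.113.10")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
REMOTE_NET = ipaddress.ip_network("10.10.10.0/24")

# Hosts used in the walk-through (constructed).
LAN_HOST = ipaddress.ip_address("192.168.1.50")
REMOTE_HOST = ipaddress.ip_address("10.10.10.5")
VIP = ipaddress.ip_address("192.168.1.250")  # option 2: virtual IP on the LAN


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


@dataclass(frozen=True)
class SPDEntry:
    """Phase 2 selector pair: a packet is encrypted into the SA only if it matches."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

    def matches(self, p: Packet) -> bool:
        return p.src in self.local and p.dst in self.remote


# The tunnel from the post: Local Subnet = WAN address /32, Remote Subnet = customer /24.
SPD = [SPDEntry(ipaddress.ip_network(f"{WAN_IP}/32"), REMOTE_NET)]

# Option 2: LAN virtual IP mapped 1:1 to one host on the customer's side (hypothetical).
VIP_MAP = {VIP: REMOTE_HOST}

# Translation state, so replies can be mapped back (what pf state / conntrack provides).
nat_state: dict[tuple, Packet] = {}


def spd_lookup(p: Packet) -> SPDEntry | None:
    return next((e for e in SPD if e.matches(p)), None)


def vip_dnat(p: Packet) -> Packet:
    """Option 2, DNAT half: LAN host talks to the virtual IP, we point it at the remote host."""
    return Packet(p.src, VIP_MAP[p.dst]) if p.dst in VIP_MAP else p


def snat_to_wan(p: Packet) -> Packet:
    """Option 1 (and the SNAT half of option 2): customer-bound LAN traffic leaves as WAN_IP."""
    if p.src in LAN_NET and p.dst in REMOTE_NET:
        return Packet(WAN_IP, p.dst)
    return p


def translate_out(p: Packet) -> Packet:
    """Apply DNAT then SNAT and remember the pre-NAT flow for the reply."""
    t = snat_to_wan(vip_dnat(p))
    if t != p:
        nat_state[(t.src, t.dst)] = p
    return t


def outbound(p: Packet, nat_before_spd: bool = True) -> tuple[str, Packet]:
    """Return ('tunnel' | 'clear', translated packet).

    nat_before_spd=False models the ordering problem: if the policy lookup sees the
    untranslated LAN source, the /32 selector never matches and the packet misses the SA.
    """
    translated = translate_out(p)
    seen_by_spd = translated if nat_before_spd else p
    verdict = "tunnel" if spd_lookup(seen_by_spd) else "clear"
    return verdict, translated


def inbound(p: Packet) -> Packet:
    """Reverse the translation on a reply arriving out of the tunnel."""
    orig = nat_state.get((p.dst, p.src))
    return Packet(orig.dst, orig.src) if orig else p


def demo() -> dict[str, object]:
    """Walk the four cases the thread cares about."""
    return {
        # Diagnostics->Ping from the firewall itself: source is already the WAN address.
        "firewall_ping": outbound(Packet(WAN_IP, REMOTE_HOST)),
        # LAN host, policy lookup before NAT: misses the selector.
        "lan_no_nat": outbound(Packet(LAN_HOST, REMOTE_HOST), nat_before_spd=False),
        # Option 1: LAN host SNATed to WAN_IP before the lookup: matches.
        "lan_option1": outbound(Packet(LAN_HOST, REMOTE_HOST)),
        # Option 2: LAN host talks to the virtual IP, DNAT + SNAT, then matches.
        "lan_option2": outbound(Packet(LAN_HOST, VIP)),
        # Reply from the customer host is mapped back to the LAN host, from the VIP.
        "reply_option2": inbound(Packet(REMOTE_HOST, WAN_IP)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because ports are ignored, the state table keys on (WAN_IP, remote host) only, so two LAN hosts talking to the same customer host would overwrite each other's entry; a real NAT keys on the full 5-tuple and rewrites the source port as well. The model says nothing about what pfSense itself can do; it only shows the ordering the two requested options depend on.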
jeroen234
VPNs are for binding 2 or more networks, so there is no NAT between them.
scott
Unless you are bridging over the IPSec interface, then technically the tunnel itself is just another route through a virtual interface (even though it may not be actually implemented that way) and therefore doesn't seem (to me) any more-or-less suitable for NAT'ing; I've done this sort of configuration through PIX firewalls, as well as directly on Linux with OpenVPN+iptables, and Solaris with OpenVPN+ipf before. In fact, one of the nice features I like of the PIX was the ability to do 1:1 NAT'ing to expose a single IP address on the remote network into the LAN as a LAN address, so the host looked like a local resource.
However, to your point, what I am asking is for the bridging of the VPN tunnel to the LAN to be treated exactly the same as the LAN and the WAN.
That is, have the tunnel defined as a single address (/32) (the virtual "WAN"), but have a LAN behind that address NAT'ing through the tunnel.
Thanks for the reply.
cmb
Others have asked about this a few times in the past, and numerous times on the m0n0wall list, and nobody has ever been able to find a solution. It's certainly a desirable feature, if you can find a way to implement it I'm sure patches would be accepted.