Site to site with same subnet is this possible?



  • I have been doing a lot of searching and found little to nothing. So I am sorry if this has been asked before, but I can't find it. Please help if you are able to, and thanks in advance.

    We are trying to set up a tunnel between two separate locations with the same LAN subnet. We are using 2 pfSense 2.01 boxes to do this. Is this a possibility? If so, can you provide direction, or links to the direction, to shed some light on this. Thanks to all in advance.  ;D



  • If by "same LAN subnet" you mean address conflict (e.g. both sites' LANs use 192.168.1.0/24) then you'd need "NAT before IPsec".

    It is currently not possible to do NAT before IPsec on pfSense (it's a limitation of pf), but one could use 2 pfSense systems, one for NAT and another one for IPsec.


  • Rebel Alliance Developer Netgate

    You can do that sort of NAT with OpenVPN, but not IPsec. You'd have to address the remote side IPs as though they were in a different subnet, so it doesn't really save you any convenience.

    If you have no conflicting IPs at all, just the same subnet, a bridge may be possible, but never recommended.

    You could save yourself a lot of headaches by just renumbering one side though.



  • Headache is what we do at our office ;p. Would you have a link to the OpenVPN setup? Thanks to all for the info.



  • Hello everybody :-)

    We just have the same problem here:
    We are moving to a new datacenter and temporarily need to "connect" the old and the new datacenter to transfer some important files.
    At first I thought: "Hey that will be easy, simply use the pfSense in the old and in the new datacenter and connect them via VPN" but as it seems, this is not so easy :-/

    Can anybody give us a hint how to temporarily "enlarge" our internal LAN from DC1 to DC2?

    LAN in DC1 (10.0.2.X) --> pfSense1 --> INTERNET --> pfSense2 --> LAN in DC2 (10.0.2.X)

    Any hints here?
    How could that "bridge" that jimp mentioned be realized?

    Thanks a lot and best regards,

    Chris



  • @jimp:

    You can do that sort of NAT with OpenVPN, but not IPsec. You'd have to address the remote side IPs as though they were in a different subnet, so it doesn't really save you any convenience.

    If you have no conflicting IPs at all, just the same subnet, a bridge may be possible, but never recommended.

    You could save yourself a lot of headaches by just renumbering one side though.

    Hi jimp,
    I can confirm that with OpenVPN, NAT (SNAT) before the OVPN tunnel works perfectly.
    As reported in the pfSense 2.0 features and in a lot of forum threads, NAT before IPsec is not supported yet (maybe in the 2.1 version).

    Looking for a solution for my issue, I've read your post ( http://forum.pfsense.org/index.php/topic,36119.msg186468.html#msg186468 ) and some tips speaking about multiple pfSense boxes (one for NAT, one for IPsec) to work around NAT before IPsec.

    In my scenario, I have multiple IPsec tunnels to remote sites with overlapping subnets (i.e. 192.168.1.0/24).

    MyIP: 1.1.1.1
    MyLocalHost: 10.123.1.10
    MyLocalSubnet: 10.123.1.0/24
            |
    <<ipsec tunnel1>>
            |
    RemoteSite1: 2.2.2.2
    RemoteSubnet1: 192.168.1.0/24
    RemoteHostInSubnet: 192.168.1.10

    MyIP: 1.1.1.1
    MyLocalSubnet: 10.123.1.0/24
            |
    <<ipsec tunnel2>>
            |
    RemoteSite2: 3.3.3.3
    RemoteSubnet2: 192.168.1.0/24
    RemoteHostInSubnet: 192.168.1.10

    As you can see, the subnet overlap is only between the remote sites, not between the local and remote site. How can I reach hosts in different remote sites that have the same IP and subnet from MyLocalHost? Can multiple pfSense boxes help me in this scenario?

    Thanks a lot
    SierraBravo
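The "NAT before the tunnel" approach the thread keeps coming back to (jimp's OpenVPN remark and SierraBravo's two overlapping remote sites) amounts to giving each remote 192.168.1.0/24 its own unique "shadow" subnet on the local side and translating 1:1 at the tunnel edge. The following Python script is an added example, not code from the thread or from pfSense: it computes that 1:1 mapping in both directions and checks the plan for the overlaps that would break it. The shadow subnets 10.200.1.0/24 and 10.200.2.0/24 are constructed values chosen for the example.

```python
import ipaddress

# Constructed example values (not from the thread): the local LAN from
# SierraBravo's diagram and two remote sites that both use 192.168.1.0/24.
LOCAL_LAN = ipaddress.ip_network("10.123.1.0/24")
SITES = {
    # site name: (real remote subnet, shadow subnet used on the local side)
    "RemoteSite1": ("192.168.1.0/24", "10.200.1.0/24"),
    "RemoteSite2": ("192.168.1.0/24", "10.200.2.0/24"),
}

def translate(addr, src_net, dst_net):
    """1:1 NAT: keep the host part of addr, swap src_net for dst_net."""
    src, dst = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 NAT needs equal-sized subnets")
    ip = ipaddress.ip_address(addr)
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    offset = int(ip) - int(src.network_address)
    return str(ipaddress.ip_address(int(dst.network_address) + offset))

def shadow_address(site, real_host, sites=SITES):
    """Address MyLocalHost must use to reach real_host at the given site."""
    real_net, shadow_net = sites[site]
    return translate(real_host, real_net, shadow_net)

def real_address(site, shadow_host, sites=SITES):
    """Reverse mapping: shadow address seen locally -> real remote address."""
    real_net, shadow_net = sites[site]
    return translate(shadow_host, shadow_net, real_net)

def plan_conflicts(local_lan=LOCAL_LAN, sites=SITES):
    """Overlaps that break the plan: local vs. real remote (the remote side
    would then also need NAT), local vs. shadow, and shadow vs. shadow.
    Real remote subnets may overlap each other; that is the case being solved."""
    conflicts, shadows = [], []
    for name, (real, shadow) in sites.items():
        real_net, shadow_net = ipaddress.ip_network(real), ipaddress.ip_network(shadow)
        if local_lan.overlaps(real_net):
            conflicts.append(("LOCAL", name + " real"))
        if local_lan.overlaps(shadow_net):
            conflicts.append(("LOCAL", name + " shadow"))
        for other, other_net in shadows:
            if shadow_net.overlaps(other_net):
                conflicts.append((name + " shadow", other + " shadow"))
        shadows.append((name, shadow_net))
    return conflicts

if __name__ == "__main__":
    for site in SITES:
        print(site, "192.168.1.10 is reached as", shadow_address(site, "192.168.1.10"))
    print("conflicts:", plan_conflicts())
```

With the constructed values, MyLocalHost reaches RemoteSite1's 192.168.1.10 as 10.200.1.10 and RemoteSite2's as 10.200.2.10, and the conflict check comes back empty; pointing a shadow subnet at the local LAN itself is reported as a conflict.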

