Outbound Nat to VIP for certain destinations

  • Hello,

    Maybe anyone can help with this.
    First of all, the environment:

    –  (LAN2) -- VPN Router1 -- (INET) -- VPN Router -- customer1 Subnets
    (LAN1) -- pfSense 1.2.3/no def.GW on this IF -- (LAN2-VIP) -- VPN Router2 -- (INET) -- VPN Router -- customer2 Subnets

    Because of overlapping subnets, I would like to NAT for certain destination subnets (customer2) on pfSense interface LAN2.
    So I created a virtual IP (Proxy ARP) on LAN2.
    I created a static route to the customer2 subnets via LAN2-VIP, and outbound NAT for LAN1 to LAN2-VIP.

    The Problem:
    LAN2-VIP is not reachable (from VPN Router2), and the static route does not appear in the routing table.

    What did I do wrong? Any ideas?

    Thank you in advance

  • Hello,

    Okay, I found out that it is not possible for pfSense to use VIPs internally (as described in the wiki).

    So I configured a secondary IP on the LAN2 interface (edited the config file). Now I can see my static routes in the routing table,
    but packets leaving the LAN2 interface are NATed neither to this secondary IP nor to the interface (primary) IP.
    A reboot brought no improvement.

    I want to NAT the LAN subnet to the secondary IP of the OPT interface for certain destination subnets. Is this possible?

    Does anyone have any idea?

    Thank you in advance

  • It's definitely possible in 2.x. I don't recall for sure offhand whether it was in 1.2x, but pretty sure it is there too.

  • Hello,

    Thank you for your reply. It works only sometimes (without configuration changes!).
    Sometimes it sends via the secondary IP, and then the destination is reachable, but sometimes
    it seems that it tries to send via the WAN interface (then I can't see any packets in the log of my VPN router).
    I can't figure out why …

    Do you have any suggestions?

    Thank you in advance

  • Hello,

    Maybe it is interesting for anybody who has the same challenge. Finally I got it to work when I additionally configured a VIP with the same
    address as the secondary IP, to have the possibility to select it in the outbound NAT configuration as the NAT address.

    Best regards
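The symptom in this thread (traffic sometimes leaving via WAN, never translated to the LAN2 address) follows from the order in which the firewall works: the routing table picks the egress interface first, and outbound NAT rules are only evaluated on that interface. The small model below is an added example, not pfSense code or the poster's configuration; all interface names, subnets and the VIP address are constructed.

```python
"""Model of the route-then-NAT decision behind the thread's symptom.

Constructed example (not pfSense code). pf applies an outbound NAT rule
only on the interface the routing table selects, so while the static route
to customer2 is missing, the packet follows the default route out WAN and
the LAN2 NAT rule never matches. Addresses are made up."""
import ipaddress

# Constructed routing table: (prefix, egress interface). Default route is on WAN.
ROUTES = [
    ("0.0.0.0/0", "wan"),
    ("192.168.1.0/24", "lan1"),
    ("172.16.2.0/24", "lan2"),
]
# Constructed outbound NAT rules: (interface, source net, destination net, NAT address)
NAT_RULES = [
    ("lan2", "192.168.1.0/24", "10.50.0.0/16", "172.16.2.250"),  # 172.16.2.250 = LAN2-VIP
]

def egress_interface(dst, routes):
    """Longest-prefix match over the routing table, as the kernel does it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def translated_source(src, dst, routes, nat_rules):
    """Return (egress interface, source address the packet leaves with)."""
    iface = egress_interface(dst, routes)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_iface, src_net, dst_net, nat_addr in nat_rules:
        # A rule is consulted only on the interface the route lookup chose.
        if (rule_iface == iface and s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)):
            return iface, nat_addr
    return iface, src  # no rule matched: packet leaves untranslated

if __name__ == "__main__":
    # Missing static route: customer2 traffic exits WAN and is never NATed to the VIP.
    print(translated_source("192.168.1.10", "10.50.1.1", ROUTES, NAT_RULES))
    # With the static route to customer2 via LAN2, the LAN2 rule matches.
    with_route = ROUTES + [("10.50.0.0/16", "lan2")]
    print(translated_source("192.168.1.10", "10.50.1.1", with_route, NAT_RULES))
```

When debugging a setup like this, confirm the route is present before looking at the NAT rule, since a NAT rule on an interface the packet never uses is simply never consulted.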
