Any way to mimic a different LAN network address space for VPN?



  • I don't know how to phrase this question, because I don't know the proper lingo, therefore my apologies if it's already answered, as I don't know how to search it…

    I need to create a VPN with the company where I work. The admin at work says that we cannot create a VPN with my current LAN network space, because he already has a VPN with another site that uses all of 192.168.x.x, I don't know if this is even true, but assuming it is...

    Is there a way I can make my network appear as being say: 10.0.0.0/8 or something else to this VPN connection?

    Under VPN -> IPsec , I'm referring to the "Local Net" setting. I've been told that I can use anything in 10.x.x.x/x , but I don't want to redo my entire LAN to accomodate this.

    My current segments attached to my PFsense are as follows

    WAN: External IP address issued via DHCP by ISP #1, static IP address
    WAN2: 192.168.2.0/24 to DSL router for ISP #2
    LAN: 192.168.4.0/24
    WLAN: 192.168.5.0/24 serving as a sort of "blue" segment
    LAN2: 192.168.1.0/24
    and 1 Unused Interface

    Have mid-level knowledge about basic NAT and rules, but totally in the dark about this one...
    or if the solution depends on the admin at my place of work, please give me some idea as to what I should tell him.



  • Depending on how big your own network is it might be easier to change your local subnet.
    Have your admin at work propose where he wants your subnet to be.

    Having said that, I think it's not a good idea to set your subnet to 10/8. This would allocate the whole range which I doubt you actually need.
    Something like 10/24 should be sufficient (you still have 254 host addresses available).

    Spoofing your subnet range for the tunnel cannot be done, IMHO.



  • What you are trying to do is a policy NAT and I have also inquired about this and was told it is not possible.

    So your options are limited, you can see if your admin will configure his tunnel to a smaller subnet and not use an entire /16 which is a lot of ip addresses and i bet very few are even being used.  Your other option is to change your IP Scheme as was suggested.  If you only have 1 machine that needs access or just a few, you could add another NIC to your computer on the LAN and another one to pfsense and configure a tunnel for that 1 host.

    Hope this helps.  Best of luck.



  • I have seen this issue before. I have delt with it in two ways.  I had my vendor change the internal private network since he only had a few machines.  The other way we addressed it was that we actually set up a second firewall.  We added a second nic to a few machines and created a vlan on a switch and then patched those machines into the second network and did not bridge them.  It was just a short term solution until we could get the ip addresses changed on his end.

    RC



  • This is being addressed on 1.3.


Locked