1:1 NAT my internal LAN subnet if going to VPN, normal NAT is going to internet



  • Okay, here's my situation..

    I have one PFSense box at home, i'll call it PF1.  To this I connected my internal LAN 192.168.0.0/24 and an internet connection. The internal LAN is NAT-ed for outside connections.

    From my PF1 firewall, I setup an IPSEC connection over the internet to another PFSense device in another location, i'll call it PF2.

    PF2 has a similar setup, a bunch of internal subnets using 10.x.x.x/24 subnets which are all NAT-ed to the outside world for internet connectivity.

    The IPSEC works fine, I can reach addresses on both sides etc..

    No for my uuhm challenge..  I want to setup my PF1 box in such a way that my internal 192.168.0.0/24 is represented to the PF2 box (through the IPSEC VPN) as 172.16.0.0/24.

    So if I ping a host behind PF2 from my local LAN with a source IP of 192.168.0.1 the receiving host behind PF2 will think it will come from 172.16.0.1. If one of the hosts behind PF2 wants to connect to the 1:1 NAT  ip 172.16.0.34 it will actually be talking to my internal 192.168.0.34

    so as far as PF2 and all networks behind it concerned, my internal LAN is 172.16.0.0/24 which will be natted to and from the 192.168.0.0/24 subnet/interface by my PF1 box.

    The 1:1 NAT should only work if I try to go to the PF2 site through my IPSEC tunnel.. If I stay internal it should remain 192.168.0.0/24 and if I go outside to the internet is should be nat overloaded behind my external IP.

    If have been trying to figure out how to do this in PFSense but cant get it to work. Anyone got this kind of scenario working ?



  • Why NAT? That makes no sense.

    You have different subnet at both sides. So just assign a static route at each pfSense to the networks of the other side using the IPSec tunnel (server or client address) as gateway and you're capable to access it with the real host addresses.



  • Hi Viragoman,

    You are quite right that it would work that way.. If the described parts were the only networks involved…
    However, the static routing situation you edscribe is not what my question was about..

    But to give you an idea about why i would want to do it this way... it is quite simple. I have been given a /24 network which falls in the IP ranges for the location i am connecting to. The ranges for this location are assigned to the location i connect too, as are the networks on the rest of the global locations for this particular network.

    I do not wish to route my internal subnet into the dynamic routing cloud of the company i connect to. There are strict route filters and distribution lists in place etc. Would be a lot of work which is just not worth it. Changing my internal network ip's to the subnet assigned would be another option, again, a lot of work. If i start working on another customers network the same thing might be needed again...

    so i would prefer to use the 1:1 NAT solution i described..  just map the network i'm assigned in a 1:1 NAT to my internal network and the allow whatever is needed on the firewall..

    So, me question remains..  How can i do this..  i read all kinds of posts and howto's about the NAT setup in pfsense but i cant find anything that even comes close to what i'm looking for.



  • You just configure the NAT in the P2 of the IPsec connection and it'll work as you describe.


Log in to reply