Use NAT for destination outgoing address translation



  • Hi all,

    I'd search for this but I'm not even sure if there's a specific name for it.

    I have pfSense acting as a router between two NATs - one internal and one external. The external NAT is in turn connected to my ISP via a different (non-pfSense) NAT router. This is mostly irrelevant to the question though, as you'll see.

    My "internal internal" LAN range (the one pfSense routes for) is 172.16.100.0/24. My "internal" (the WAN from pfSense's perspective) network is 192.168.1.0/24.

    [INTERNET] --> 100.1.2.3 [non-pfSense router] 192.168.1.1 <-- [outside LAN] --> 192.168.1.2 [pfSense router] 172.16.100.1 <-- [inside LAN]

    I configured L2TP/IPsec and got everything working. (This of course involved a static forward from my external IP via the main NAT router to the pfSense box.) My laptop is able to access any machine on the 172.16.100.0/24 LAN, and is able to route all of its traffic to the Internet via 172.16.100.1.

    Now, what I want to do is have a way to access the hosts on the 192.168.1.0/24 LAN while I'm using the VPN - but the catch is I need to be able to do that even if the local LAN I'm on also uses 192.168.1.0/24 for its IP range.

    To do this, I imagine using "destination outbound NAT." In other words:
    1. My laptop connects to the IPsec tunnel and receives the IP address 172.16.100.200.
    2. My laptop attempts to connect to 172.16.101.1 via the VPN.
    3. The pfSense firewall sees the request coming in via L2TP, translates the outgoing address to 192.168.1.1, and forwards it as normal.
    4. The NAT mapping would allow the session to proceed, with my laptop thinking that the machine located at 192.168.1.1 is actually located at 172.16.101.1.
    5. Similarly, if my laptop tries to connect to a service on 172.16.101.150, then it should actually get the services on the computer at 192.168.1.150.

    The "Outbound NAT" section in the firewall doesn't seem to offer this - it seems to mostly be useful if you're trying to control which source interface handles which destinations. The 1:1 mapping might be useful, but it seems like I'd have to add 254 rules to the table by hand - one for each possible IP on the 192.168.1.0/24 LAN.

    I know that I've been able to accomplish something like this using Linux iptables in the past, and now I want to try to achieve it using pfSense.

    Any advice?

    Thanks



  • @fmillion:

    The 1:1 mapping might be useful, but it seems like I'd have to add 254 rules to the table by hand - one for each possible IP on the 192.168.1.0/24 LAN.

    No. You can map a whole subnet with just one 1:1 NAT rule.

    E.g., if you enter 172.16.101.1 as the External subnet IP, select Network for the Internal IP, enter 192.168.1.1 below and select /24 for the mask, then 172.16.101.1 will be translated to 192.168.1.1, 172.16.101.2 to 192.168.1.2 and so on.
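    The following is an added illustration (not code from the thread or from pfSense) that models what the single network-type 1:1 rule above does: the host bits of the address are kept and only the network bits are swapped, in both directions. The addresses are the ones from the thread (172.16.101.0/24 as the alias range, 192.168.1.0/24 as the real LAN, 172.16.100.0/24 as the tunnel pool); the overlap check at the end reflects the asker's constraint that the alias range must not collide with whatever LAN the laptop happens to sit on.

    ```python
    import ipaddress

    # Values from the thread: the answer's example rule and the asker's subnets.
    EXTERNAL_SUBNET_IP = "172.16.101.1"     # "External subnet IP" field
    INTERNAL_NETWORK = "192.168.1.0/24"    # "Internal IP" = Network 192.168.1.1 /24
    TUNNEL_POOL = "172.16.100.0/24"        # L2TP/IPsec client range routed by pfSense


    def one_to_one_networks(external_ip, internal_network):
        """Derive the two /24s a network-type 1:1 rule maps onto each other.

        pfSense takes the prefix length from the Internal side and applies the
        same length to the External subnet IP, so one rule covers every host."""
        internal = ipaddress.ip_network(internal_network, strict=False)
        external = ipaddress.ip_network(
            f"{external_ip}/{internal.prefixlen}", strict=False)
        return external, internal


    def translate(addr, from_net, to_net):
        """Rewrite addr from from_net into to_net, preserving the host bits."""
        ip = ipaddress.ip_address(addr)
        if ip not in from_net:
            raise ValueError(f"{addr} is not inside {from_net}; rule does not match")
        host_bits = int(ip) - int(from_net.network_address)
        return str(to_net.network_address + host_bits)


    def vpn_to_lan(dst, external, internal):
        """Packet from the VPN client: destination 172.16.101.x -> 192.168.1.x."""
        return translate(dst, external, internal)


    def lan_to_vpn(src, external, internal):
        """Reply from the LAN host: source 192.168.1.x -> 172.16.101.x."""
        return translate(src, internal, external)


    def overlapping(external, *other_networks):
        """Networks that collide with the alias range; must be empty for the
        mapping to be reachable from the client (e.g. its local LAN, the tunnel pool)."""
        return [str(n) for n in map(ipaddress.ip_network, other_networks)
                if external.overlaps(n)]


    if __name__ == "__main__":
        ext, internal = one_to_one_networks(EXTERNAL_SUBNET_IP, INTERNAL_NETWORK)
        print(f"1:1 rule: {ext} <-> {internal}")
        print("client -> 172.16.101.150 reaches", vpn_to_lan("172.16.101.150", ext, internal))
        print("reply from 192.168.1.1 appears as", lan_to_vpn("192.168.1.1", ext, internal))
        # Constructed "hotel LAN" that uses the same range as the remote LAN:
        print("collisions:", overlapping(ext, TUNNEL_POOL, "192.168.1.0/24"))
    ```
    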