NAT problem, multiple subnets and VPN tunnel



  • I cannot get this setup to work. Either I am doing something wrong or it is just not possible.

    Two pfSense boxes, one as main router (A) and a separate one for IPsec tunnels (B), both running 2.1.5-RELEASE.

    Main router has multiple VLANs on the inside (as well as WAN and DMZ on separate NICs).
    Main internal subnet is 192.168.2.0/24 (192.168.2.1 as IP).

    The other pfSense (tunnels) has an internal IP of 192.168.2.83 and an external IP in the DMZ.
    I already have multiple tunnels up and running.
    Normally we add all internal networks (VLANs on main router) to the phase 2 on each tunnel and add static routes
    on A pointing to 192.168.2.83. B also has static routes pointing to 192.168.2.1 for the relevant subnets.
    This works fine (no problems).

    Now I have a new tunnel where I cannot add all the internal nets to the tunnel, since those IP ranges are already
    used on the remote site.
    I have set up a new VLAN [VLAN_303] (10.215.225.0/24) on A and added static routes to B.
    Remote side of the tunnel is 10.118.10.0/24

    The network 10.215.225.0/24 has no problem reaching 10.118.10.0/24.

    But I also need clients in 192.168.2.0/24 to reach 10.118.10.0/24.

    I tried to add a NAT (I am already using "AON - Advanced Outbound NAT"):
    IF: VLAN_303, Source 192.168.2.0/24, Destination 10.118.10.0/24, NAT Address: 10.215.225.1

    But this doesn't seem to work? The traceroute just bounces the traffic between 192.168.2.1 and 192.168.2.83,
    and a traffic dump on the IPsec interface on B shows that the pings are coming from (for example) 192.168.2.50 and not
    10.215.225.1.

    "Bypass firewall rules for traffic on the same interface" is set, but it didn't make any difference when
    I unset it.

    Any thoughts?
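
Added example (not code from the post or from pfSense): a small Python model of how a pf-based router picks an outbound NAT rule. pf evaluates "nat on <if>" rules only for packets that leave through <if>, so the egress interface chosen by the route lookup decides which AON rules can match at all. The addresses are the ones in the post; the interface names LAN and WAN and the WAN next hop are assumptions.

```python
"""Outbound NAT selection on a pf-based router, simulated.

Added example, not code from the post: pf evaluates 'nat on <if>' rules only
against packets leaving <if>, so the egress interface chosen by the route
lookup decides which outbound NAT rules can match at all. Addresses come from
the post; the interface names LAN and WAN and the WAN next hop are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str                # egress interface on router A
    next_hop: Optional[str]   # None = directly connected


@dataclass(frozen=True)
class NatRule:
    iface: str                # interface the rule is bound to (pf: "nat on")
    src: IPv4Network
    dst: IPv4Network
    nat_addr: str             # translated source address


def net(s: str) -> IPv4Network:
    return ipaddress.ip_network(s)


# Router A's forwarding table as described in the post (constructed sample).
ROUTES: List[Route] = [
    Route(net("192.168.2.0/24"), "LAN", None),             # main internal subnet
    Route(net("10.215.225.0/24"), "VLAN_303", None),       # new VLAN for the tunnel
    Route(net("10.118.10.0/24"), "LAN", "192.168.2.83"),   # static route to B
    Route(net("0.0.0.0/0"), "WAN", "203.0.113.1"),         # assumed default route
]

# The AON rule as posted: bound to VLAN_303.
RULE_AS_POSTED: List[NatRule] = [
    NatRule("VLAN_303", net("192.168.2.0/24"), net("10.118.10.0/24"), "10.215.225.1"),
]

# Same translation, but bound to the interface the packet actually leaves on.
RULE_ON_EGRESS: List[NatRule] = [
    NatRule("LAN", net("192.168.2.0/24"), net("10.118.10.0/24"), "10.215.225.1"),
]


def lookup(dst: str) -> Route:
    """Longest-prefix-match route lookup against ROUTES."""
    d = ipaddress.ip_address(dst)
    matches = [r for r in ROUTES if d in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen)


def forward(rules: List[NatRule], src: str, dst: str) -> Tuple[str, Optional[str], str]:
    """Return (egress iface, next hop, source address as seen on the wire)."""
    route = lookup(dst)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        # pf only considers NAT rules bound to the egress interface.
        if rule.iface == route.iface and s in rule.src and d in rule.dst:
            return route.iface, route.next_hop, rule.nat_addr
    return route.iface, route.next_hop, src  # no rule matched: untranslated


if __name__ == "__main__":
    for name, rules in (("as posted", RULE_AS_POSTED), ("on egress", RULE_ON_EGRESS)):
        print(name, forward(rules, "192.168.2.50", "10.118.10.20"))
```

In this model a packet from 192.168.2.50 to 10.118.10.0/24 is routed out of A's LAN interface back toward B at 192.168.2.83, so a rule bound to VLAN_303 never sees it and B receives the untranslated source, which is the kind of result the capture on B's IPsec interface would show. Binding the same translation to the egress interface (LAN in the model) produces the 10.215.225.1 source. Whether that is what happens on the poster's routers needs confirming with a capture on A's LAN side; the model also assumes A's static route for 10.118.10.0/24 points at 192.168.2.83 and that B routes 10.215.225.0/24 back via 192.168.2.1, so the reply to 10.215.225.1 returns to A and matches the NAT state.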

