Netgate Discussion Forum
    NAT problem, multiple subnets and VPN tunnel

      norrman

      I cannot get this setup to work. Either I am doing some wrong or it is just not possible.

      2 pfSense, one as main router (A) and a separate one for IPSEC-tunnels (B). Both running 2.1.5-RELEASE.

      Main router has multiple VLANs on the inside (as well as WAN and DMZ on separate NICs).
      Main internal subnet is 192.168.2.0/24 (192.168.2.1 as IP).

      The other pfSense (tunnels) has an internal IP of 192.168.2.83 and an external IP in the DMZ.
      I already have multiple tunnels up and running.
      Normally we add all internal networks (VLANs on main router) to the phase 2 on each tunnel and add static routes
      on A pointing to 192.168.2.83. B also has static routes pointing to 192.168.2.1 for relevant subnets.
      This works fine (no problems).

      Now I have a new tunnel where I cannot add all the internal nets to the tunnel since those IP-ranges are already
      used on the remote site.
      I have set up a new VLAN [VLAN_303] (10.215.225.0/24) on A and added static routes to B.
      Remote side of the tunnel is 10.118.10.0/24.

      The network 10.215.225.0/24 has no problem reaching 10.118.10.0/24.

      But I also need clients in 192.168.2.0/24 to reach 10.118.10.0/24.

      I tried to add a NAT (I am already using "AON - Advanced Outbound NAT"):
      IF: VLAN_303, Source 192.168.2.0/24, Destination 10.118.10.0/24, NAT Address: 10.215.225.1

      But this doesn't seem to work? The traceroute just bounces the traffic between 192.168.2.1 and 192.168.2.83,
      and a traffic dump on the IPSEC-interface on B shows that the pings are coming from (for example) 192.168.2.50 and not
      10.215.225.1.

      "Bypass firewall rules for traffic on the same interface" is set, but it didn't make any difference when
      I unset this.

      Any thoughts?

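As an added illustration (not part of the post above), a small Python model of how pf selects outbound NAT rules: a rule is evaluated only on the interface the packet leaves through, so with A's static route for 10.118.10.0/24 pointing at 192.168.2.83 a packet from 192.168.2.50 exits via the LAN interface and a rule bound to VLAN_303 never matches. The LAN-bound variant of the rule is an assumption used for contrast; whether it works end to end also depends on B routing 10.215.225.0/24 back to A.

```python
import ipaddress

# Constructed model of the main router "A" from the post: its directly connected
# networks and the static route that hands tunnel traffic to B (192.168.2.83).
INTERFACES = {
    "LAN": ipaddress.ip_network("192.168.2.0/24"),
    "VLAN_303": ipaddress.ip_network("10.215.225.0/24"),
}
STATIC_ROUTES = [  # (destination network, next hop)
    (ipaddress.ip_network("10.118.10.0/24"), ipaddress.ip_address("192.168.2.83")),
]

def egress_interface(dst):
    """Interface a packet to `dst` leaves A through (longest prefix wins)."""
    dst = ipaddress.ip_address(dst)
    candidates = [(net.prefixlen, name) for name, net in INTERFACES.items() if dst in net]
    for net, gateway in STATIC_ROUTES:
        if dst in net:
            # A static route is used via the interface that can reach its gateway.
            candidates.append((net.prefixlen, egress_interface(gateway)))
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates)[1]

def translate_source(rules, src, dst):
    """pf applies outbound NAT on the egress interface only; first matching rule wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    iface = egress_interface(dst)
    for r in rules:
        if r["if"] == iface and src in r["src"] and dst in r["dst"]:
            return iface, str(r["nat_to"])
    return iface, str(src)  # no rule matched: the packet leaves untranslated

def rule(iface, src, dst, nat_to):
    return {"if": iface, "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst), "nat_to": ipaddress.ip_address(nat_to)}

# The outbound NAT rule exactly as described in the post, bound to VLAN_303.
AS_POSTED = [rule("VLAN_303", "192.168.2.0/24", "10.118.10.0/24", "10.215.225.1")]
# Assumption for contrast: the same rule bound to the interface the packet really exits.
ON_EGRESS = [rule("LAN", "192.168.2.0/24", "10.118.10.0/24", "10.215.225.1")]

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("bound to egress", ON_EGRESS)):
        iface, seen = translate_source(rules, "192.168.2.50", "10.118.10.7")
        print(f"{label}: leaves A via {iface}, source address seen by B = {seen}")
```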