Matthias Niggemeier wrote:
From: Chris Buechler [mailto:[email protected]]
Sent: Monday, 19 July 2010 23:05
To: [email protected]
Subject: Re: [pfSense Support] NAT over VPN
On Mon, Jul 19, 2010 at 1:04 PM, Matthias Niggemeier <[email protected]> wrote:
Hi there,
I have to configure IPsec to a customer's site using pfSense 1.2.3. Normally not a big problem, but this is the first time I need to do NAT over VPN; i.e. the customer gives us only one IP address for the gateway, the rest has to be NATted behind this.
As I searched through the list, I found that this is not possible with pfSense. (Still true?)
Yes. The only option, if you must use IPsec (OpenVPN can NAT no problem), is to add a second firewall. It can be pfSense; usually when we set this up we use a VM inside the network which handles the NAT, then the primary firewall handles the IPsec. You just can't do both on the same system because of the way IPsec processing functions in FreeBSD.
Hm, the solution with pfSense in a VM would be fine. But the routing is a bit unclear to me.
The NAT IP the customer gave me has to be put in the local subnet field (single host); let's say 188.120.55.55. How would I configure the second pfSense?
My local subnet is 192.168.1.0, the customer's net is, let's say, 172.16.1.0. So how would I add the route to 172.16.1.0? It has to go through the second pfSense, but with which target address?
Regards
Matthias
In order for it to work, you would have to point the offsite pfSense at the public IP address in front of the customer's pfSense. They would have to port forward the traffic from the offsite pfSense. Plus the WAN side of their pfSense would have to be on a different subnet from the internal interface, otherwise routing would not work.
Messy at best and may or may not work. Requires testing!
Lyle
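As an added illustration, not written by anyone in this thread, here is what the two-box design Chris describes could look like on the second, NAT-only box, expressed as the pf rules pfSense ends up loading rather than as GUI steps; it also answers Matthias's routing question in the comments. The transit subnet 10.255.0.0/30, the interface names em0/em1 and the NAT box's LAN address 192.168.1.2 are assumptions; the addresses 188.120.55.55, 192.168.1.0/24 and 172.16.1.0/24 are the ones from the thread.

```pf
# Second firewall (NAT-only VM) sitting between the LAN and the primary pfSense.
# Assumed layout (not from the thread):
#   em1 = LAN side, 192.168.1.2/24
#   em0 = transit side, 10.255.0.2/30, facing the primary pfSense at 10.255.0.1,
#         with the customer-assigned 188.120.55.55/32 added as an alias on em0
ext_if   = "em0"
int_if   = "em1"
lan_net  = "192.168.1.0/24"      # our LAN
cust_net = "172.16.1.0/24"       # customer's network on the far side of the tunnel
nat_ip   = "188.120.55.55"       # the single address the customer permits

# Hide the whole LAN behind the one permitted address, but only for traffic
# bound for the customer network; nothing else is translated.
nat on $ext_if from $lan_net to $cust_net -> $nat_ip

# Default deny, then allow exactly the tunnel-bound traffic in both directions.
# Replies come back to 188.120.55.55 and are matched by the NAT state.
block log all
pass in  on $int_if inet from $lan_net to $cust_net keep state
pass out on $ext_if inet from $nat_ip  to $cust_net keep state

# Routing (the "target address" question), assumed values:
#   LAN hosts / LAN default gateway: 172.16.1.0/24 via 192.168.1.2 (this box)
#   this box:                        172.16.1.0/24 via 10.255.0.1 (primary pfSense)
#   primary pfSense:                 188.120.55.55/32 via 10.255.0.2 (this box)
#   primary pfSense IPsec phase 2:   local subnet = 188.120.55.55/32 (single host),
#                                    remote subnet = 172.16.1.0/24
# The primary only ever sees 188.120.55.55 as the local side of the tunnel,
# and the transit subnet keeps the NAT box's two sides on different networks.
```

Check the result with `pfctl -s nat` and `pfctl -s state` on the NAT box while a LAN host talks to 172.16.1.0/24; the state entries should show 192.168.1.x rewritten to 188.120.55.55 and nothing from 192.168.1.0/24 leaving em0 untranslated.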