Pretty simple setup here: VLAN 900 can hit the remote subnet no problem, now we want VLAN 1000 to as well. Can't have multiple subnets in the child SA definition on Cisco so we need to NAT the VPN traffic from VLAN 1000 through VLAN 900. Sounds like exactly the setup described in this document (https://docs.opnsense.org/manual/how-tos/ipsec-s2s-conn-binat.html), but we can't get it working.
┌──────────────┐ ┌────────────────┐
│              │ │                │
│  VLAN 1000   │ │    VLAN 900    │
│              │ │                │
│ 10.10.0.0/24 │ │192.168.246.0/24│
│              │ │                │
└───────────┬──┘ └────┬───────────┘
            │         │
            │         │
    ┌───────▼─────────▼─────┐                                        ┌───────────────────────┐
    │                       │──────────IPsec Tunnel──────────────────│                       │
    │       Opnsense        │ 192.168.246.0/24 <=> 192.168.241.0/24  │         Cisco         │
    │                       │────────────────────────────────────────│                       │
    │                       │                                        └──────────┬────────────┘
    └───────────────────────┘                                                   │
                                                                                │
                                                                        ┌───────▼────────┐
                                                                        │                │
                                                                        │192.168.241.0/24│
                                                                        │                │
                                                                        └────────────────┘
We:
- edited the child SA with reqid 241
- added an SPD entry with reqid 241 and source network 10.10.0.0/24
- restarted the IPsec service
- confirmed the SPD entry is installed
- added a one-to-one NAT entry with interface IPsec, type BINAT, external network 192.168.246.0/24, source/internal 10.10.0.0/24, and destination 192.168.241.0/24
- applied changes
- confirmed configuration shows in `pfctl -s nat`
- confirmed outbound firewall rules for IPsec, VLAN 900, and VLAN 1000 will all pass any traffic
What am I missing here?
What are you trying to achieve exactly?
What you are doing here would move remote access from VLAN900 to VLAN1000. You cannot have bidirectional access to both subnets.
If you only need access to the remote site, but not the remote to your site, it should be possible to nat the VLAN1000 to a single unused IP within the 192.168.246.0/24. But to achieve this, you have to use NAT type "NAT" and state the NAT IP with a /32 mask.
Yes that's what I ended up doing last week. I took a /28 out of the DHCP pool for VLAN 900 and assigned it to NAT for the VLAN 1000 clients.
I guess I misunderstood the linked document; if I wanted to just move remote access from one VLAN to another, I'm not sure why one wouldn't just change the tunnel setup.
Quote from: miken32 on December 21, 2025, 10:23:35 PM
    Yes that's what I ended up doing last week. I took a /28 out of the DHCP pool for VLAN 900
It's not possible to nat a /24 subnet to /28. This is not going to work at all.
Use a single IP (/32) and type "NAT" as suggested above.
Quote from: miken32 on December 21, 2025, 10:23:35 PM
    if I wanted to just move remote access from one VLAN to another, I'm not sure why one wouldn't just change the tunnel setup.
For instance, if you were not able to make changes on the remote site.
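The two translation modes this thread turns on, the 1:1 BINAT from the first post and the many-to-one NAT to a single /32 recommended in the replies, modelled as a small Python script. This is an added example, not code from the thread, from OPNsense or from pf; it mimics pf's binat and nat semantics on the thread's own three subnets, and the VLAN 1000 host 10.10.0.7, the remote host 192.168.241.5 and the NAT address 192.168.246.250 are made-up values. It shows why the BINAT hands every packet addressed to 192.168.246.0/24 to VLAN 1000 (shadowing the real VLAN 900 hosts), why a /24 cannot be BINAT'd onto a /28, and why NAT to one address gives VLAN 1000 outbound access only.

```python
"""Toy model of pf-style 1:1 binat versus many-to-one nat on the thread's subnets.

Added example, not part of the forum thread or of OPNsense/pf.  Host and port
values are constructed; pf's address-pool nat is deliberately not modelled.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed addresses, taken from the thread's diagram.
VLAN1000 = Net("10.10.0.0/24")      # the subnet that should gain tunnel access
VLAN900 = Net("192.168.246.0/24")   # the local subnet already in the child SA
REMOTE = Net("192.168.241.0/24")    # the remote subnet behind the Cisco


@dataclass
class Binat:
    """1:1 network translation (pf 'binat'): host offset kept in both directions."""
    internal: Net
    external: Net

    def __post_init__(self) -> None:
        # binat maps networks one-to-one, so both masks have to match;
        # a /24 cannot be squeezed into a /28 this way.
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("binat requires equal-size internal and external networks")

    def outbound(self, src: IPv4) -> IPv4:
        if src not in self.internal:
            return src
        return self.external[int(src) - int(self.internal.network_address)]

    def inbound(self, dst: IPv4) -> IPv4:
        # Reverse mapping: every packet for the external range goes to VLAN 1000,
        # including packets the remote side meant for a real VLAN 900 host.
        if dst not in self.external:
            return dst
        return self.internal[int(dst) - int(self.external.network_address)]


StateKey = Tuple[IPv4, int, IPv4, int]   # (ext_ip, ext_port, remote_ip, remote_port)


@dataclass
class Nat:
    """Many-to-one translation (pf 'nat') to a single /32 with port rewriting."""
    internal: Net
    external_ip: IPv4
    next_port: int = 50000
    states: Dict[StateKey, Tuple[IPv4, int]] = field(default_factory=dict)

    def outbound(self, src: IPv4, sport: int, dst: IPv4, dport: int) -> Tuple[IPv4, int]:
        if src not in self.internal:
            return src, sport
        key = (self.external_ip, self.next_port, dst, dport)
        self.states[key] = (src, sport)   # remember which host owns this port
        self.next_port += 1
        return key[0], key[1]

    def inbound(self, src: IPv4, sport: int, dst: IPv4, dport: int) -> Optional[Tuple[IPv4, int]]:
        # Only replies to existing state are translated back; unsolicited
        # packets from the remote site match nothing and are not forwarded.
        return self.states.get((dst, dport, src, sport))


def binat_shadows_vlan900() -> dict:
    """The BINAT from the first post: 10.10.0.0/24 <-> 192.168.246.0/24 on IPsec."""
    rule = Binat(VLAN1000, VLAN900)
    translated = rule.outbound(IPv4("10.10.0.7"))          # constructed host
    # The remote side now sends to 192.168.246.7, meaning the real VLAN 900 host.
    delivered_to = rule.inbound(IPv4("192.168.246.7"))
    return {
        "translated": str(translated),
        "delivered_to": str(delivered_to),
        "vlan900_host_still_reachable": delivered_to == IPv4("192.168.246.7"),
    }


def nat_to_single_ip() -> dict:
    """The suggested fix: NAT VLAN 1000 to one unused /32 inside 192.168.246.0/24."""
    rule = Nat(VLAN1000, IPv4("192.168.246.250"))          # constructed NAT address
    remote = IPv4("192.168.241.5")                          # constructed remote host
    ext_ip, ext_port = rule.outbound(IPv4("10.10.0.7"), 40000, remote, 443)
    reply = rule.inbound(remote, 443, ext_ip, ext_port)
    unsolicited = rule.inbound(remote, 443, ext_ip, 22)     # no state for this
    return {
        "source_seen_by_remote": f"{ext_ip}:{ext_port}",
        "reply_delivered_to": f"{reply[0]}:{reply[1]}" if reply else None,
        "unsolicited_inbound_translated": unsolicited is not None,
    }


def binat_size_mismatch_rejected() -> bool:
    """The /24 -> /28 idea from later in the thread is not a 1:1 mapping."""
    try:
        Binat(VLAN1000, Net("192.168.246.240/28"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(binat_shadows_vlan900())
    print(nat_to_single_ip())
    print("binat /24<->/28 rejected:", binat_size_mismatch_rejected())
```

The first scenario is the answer to "what am I missing": with the BINAT installed, a reply or a fresh connection from 192.168.241.0/24 to any 192.168.246.x address is rewritten to 10.10.0.x before it can reach the VLAN 900 host, so the tunnel effectively moves from VLAN 900 to VLAN 1000. The second scenario keeps VLAN 900 untouched because the nat rule only ever rewrites packets that match state it created itself, which is also why it gives VLAN 1000 outbound-only access.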