OPNsense Forum

English Forums => Virtual private networks => Topic started by: ivoruetsche on March 25, 2026, 12:03:34 PM

Title: NATing LAN2, but not IPSec tunnel with the same subnet range
Post by: ivoruetsche on March 25, 2026, 12:03:34 PM
Hi

I have the problem that we have two subnets with destination 192.168.2.0/24, one directly connected to OPNsense (26.01), the other via IPSec:

LAN1: 10.16.5.254/24
LAN2: 192.168.2.3/24
IPSec destination: 192.168.2.0/24

The hosts in the LAN2 subnet should see the hosts from LAN1 with the GW IP 192.168.2.3, reachable from the 10.16.5.0 subnet with 192.168.22.0, and no communication back to 10.16.5.0, so only one-way.

The hosts on the remote subnet via IPSec must be reachable from LAN1, but not from LAN2 with 192.168.2.0 addresses; also, from the remote 192.168.2.0 subnet, the 10.16.5.0 hosts must be reachable.

I tried 1:1 NAT, outbound NAT, destination NAT and some combinations of them, filter rules with and without gateways, no luck. In most of the configurations, the traffic goes via IPSec, but not to LAN2, or was not NATed.

Any hints are welcome.

Thanks a lot
Ivo
Title: Re: NATing LAN2, but not IPSec tunnel with the same subnet range
Post by: Patrick M. Hausen on March 25, 2026, 12:25:39 PM
Renumber one of the locations.
Title: Re: NATing LAN2, but not IPSec tunnel with the same subnet range
Post by: ivoruetsche on March 25, 2026, 01:33:10 PM
:-) Hehe, would be nice if I could do that.

This is only the little tip of the whole network. Many routes, many tunnels at all the gateways, crossing the whole of Europe...
Title: Re: NATing LAN2, but not IPSec tunnel with the same subnet range
Post by: viragomann on March 25, 2026, 03:21:22 PM
You can translate (NAT) the remote subnet into something else, but this must be done on the remote site.

With overlapping subnets locally and in the IPSec policy, routing is not going to work at all.
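The routing problem viragomann describes can be checked mechanically before any NAT rule is written. The script below is an added example, not part of this thread and not OPNsense code: it takes the locally attached subnets and the IPsec phase-2 remote selectors from the original post, reports which pairs overlap, shows that a longest-prefix lookup for a 192.168.2.x destination cannot pick between LAN2 and the tunnel, and then models what happens once the remote site presents its LAN under a non-overlapping prefix via 1:1 translation. The prefix 192.168.102.0/24 used for that translation is a hypothetical placeholder, not a value from the thread.

```python
"""Detect local/IPsec prefix overlaps, model the resulting routing ambiguity,
and show how a 1:1 translation of the remote prefix (done on the remote side)
removes it.

Added example. The interface and policy prefixes are taken from the thread;
TRANSLATED_REMOTE is a hypothetical placeholder chosen for illustration.
"""
from ipaddress import ip_address, ip_network

# Locally attached interfaces (addressing from the thread)
LOCAL_INTERFACES = {
    "LAN1": ip_network("10.16.5.0/24"),
    "LAN2": ip_network("192.168.2.0/24"),
}
# IPsec phase-2 remote traffic selectors (from the thread)
IPSEC_POLICIES = {
    "remote-site": ip_network("192.168.2.0/24"),
}
# Hypothetical non-overlapping prefix the remote side would present after 1:1 NAT
TRANSLATED_REMOTE = ip_network("192.168.102.0/24")


def find_overlaps(local, ipsec):
    """Return [(interface, policy)] for every local/IPsec prefix pair that overlaps."""
    return [(iface, pol)
            for iface, lnet in local.items()
            for pol, pnet in ipsec.items()
            if lnet.overlaps(pnet)]


def select_path(dst, local, ipsec):
    """Longest-prefix match over interfaces and IPsec policies.

    Returns ("ambiguous", (names...)) when two equal-length prefixes both
    match, which is the situation described in the thread; None if no prefix
    matches at all.
    """
    dst = ip_address(dst)
    table = dict(local)
    table.update({f"ipsec:{name}": net for name, net in ipsec.items()})
    matches = [(name, net) for name, net in table.items() if dst in net]
    if not matches:
        return None
    longest = max(net.prefixlen for _, net in matches)
    winners = sorted(name for name, net in matches if net.prefixlen == longest)
    if len(winners) > 1:
        return ("ambiguous", tuple(winners))
    return (winners[0], table[winners[0]])


def map_address(addr, old_prefix, new_prefix):
    """1:1 (BINAT-style) translation: keep the host bits, swap the network part."""
    addr = ip_address(addr)
    if old_prefix.prefixlen != new_prefix.prefixlen:
        raise ValueError("1:1 translation needs equal prefix lengths")
    if addr not in old_prefix:
        raise ValueError(f"{addr} is not in {old_prefix}")
    host_bits = int(addr) - int(old_prefix.network_address)
    return ip_address(int(new_prefix.network_address) + host_bits)


def with_translated_policy(ipsec, name, new_prefix):
    """Copy of the policy table with one remote selector replaced by its translated prefix."""
    updated = dict(ipsec)
    updated[name] = new_prefix
    return updated


if __name__ == "__main__":
    print("overlaps:", find_overlaps(LOCAL_INTERFACES, IPSEC_POLICIES))
    print("192.168.2.10 ->", select_path("192.168.2.10", LOCAL_INTERFACES, IPSEC_POLICIES))
    fixed = with_translated_policy(IPSEC_POLICIES, "remote-site", TRANSLATED_REMOTE)
    print("overlaps after translation:", find_overlaps(LOCAL_INTERFACES, fixed))
    print("remote host 192.168.2.10 is reached as",
          map_address("192.168.2.10", IPSEC_POLICIES["remote-site"], TRANSLATED_REMOTE))
    print("192.168.102.10 ->", select_path("192.168.102.10", LOCAL_INTERFACES, fixed))
```

With the thread's addressing the overlap check reports the LAN2/remote-site pair, and a lookup for 192.168.2.10 comes back ambiguous because the directly connected interface and the tunnel selector are both /24; no NAT rule on the local box changes that, because the lookup happens before any translation applies. After the remote side maps its LAN to the placeholder prefix, the same checks come back clean and the lookup resolves to the tunnel.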
Title: Re: NATing LAN2, but not IPSec tunnel with the same subnet range
Post by: nero355 on March 25, 2026, 05:07:34 PM
Quote from: ivoruetsche on Today at 01:33:10 PM
:-) Hehe, would be nice if I could do that.

This is only the little tip of the whole network. Many routes, many tunnels at all the gateways, crossing the whole of Europe...
Then NOW is THE MOMENT to fix poor network design decisions and make sure you won't encounter issues in the future! ;)

You could try some small adjustments to the DHCP pool/subnet size and/or try split-horizon OSPF routing options, but I am not sure if it would help at all, to be honest...
Title: Re: NATing LAN2, but not IPSec tunnel with the same subnet range
Post by: ivoruetsche on March 25, 2026, 06:05:38 PM

It's a bit frustrated to get such replays where are not that constructive. I wouldn't post and invest a lot of try and error time if the solution is that easy like to change the subnet.

There is a reason why I can't change the numbering, and sometimes it's just a fact.

Thanks a lot

Ivo