Hi
I have the problem that we have two subnets with destination 192.168.2.0/24, one directly connected to OPNsense (26.01), the other via IPsec:
LAN1: 10.16.5.254/24
LAN2: 192.168.2.3/24
IPsec destination: 192.168.2.0/24
The hosts in the LAN2 subnet should see the hosts from LAN1 via the GW IP 192.168.2.3, reachable from the 10.16.5.0 subnet with 192.168.22.0, and no communication back to 10.16.5.0, so only one-way.
The hosts on the remote subnet via IPsec must be reachable from LAN1, but not from LAN2 with 192.168.2.0 addresses; also, from the remote 192.168.2.0 subnet the 10.16.5.0 hosts must be reachable.
I tried 1:1 NAT, outbound NAT, destination NAT and some combinations of them, filter rules with and without gateways, no luck. In most of the configurations the traffic goes via IPsec, but not to LAN2, or was not NATed.
Any hints are welcome.
Thanks a lot
Ivo
Renumber one of the locations.
:-) Hehe, would be nice if I could do that.
This is only the little tip of the whole network. Many routes, many tunnels at all the gateways, crossing the whole of Europe...
You can translate (NAT) the remote subnet into something else, but this must be done on the remote site.
With overlapping subnets locally and in the IPsec policy, routing is not going to work at all.
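For readers who want to see what "translate the remote subnet on the remote site" looks like in practice, here is an added example that is not part of the thread and not any poster's configuration. It assumes the remote gateway is a FreeBSD/pf box using policy-based IPsec, that the translated prefix 192.168.102.0/24 is free on both sides, and that pf sees outbound traffic on an interface named by the macro `ipsec_if` before it is encrypted (on FreeBSD that is typically enc0; the correct interface depends on the IPsec implementation and is an assumption here). Nothing is changed on the OPNsense side except the phase 2 remote network.

```pf
# Added example, not from the thread. Remote-site gateway (pf.conf fragment).
#
# Goal: present the remote 192.168.2.0/24 to the OPNsense side as
# 192.168.102.0/24 so that the IPsec policy no longer overlaps with
# OPNsense's directly connected LAN2 (also 192.168.2.0/24).
#
# Assumptions (not stated in the thread):
#   - remote gateway runs pf and policy-based IPsec
#   - $ipsec_if is the interface on which pf sees cleartext traffic
#     before encryption (enc0 on FreeBSD is the usual candidate)
#   - 192.168.102.0/24 is unused on both sites
ipsec_if  = "enc0"
remote_real = "192.168.2.0/24"      # real remote LAN (overlaps with LAN2)
remote_xlat = "192.168.102.0/24"    # what the OPNsense side will see
lan1        = "10.16.5.0/24"        # OPNsense LAN1

# Bidirectional 1:1 network translation, host-for-host
# (192.168.2.17 <-> 192.168.102.17), applied only for traffic to/from LAN1.
binat on $ipsec_if from $remote_real to $lan1 -> $remote_xlat

# Allow the translated traffic through the tunnel interface in both directions.
pass in  on $ipsec_if from $lan1 to $remote_xlat
pass out on $ipsec_if from $remote_xlat to $lan1

# IPsec phase 2 selectors must use the translated prefix, on BOTH peers:
#   remote gateway:  local 192.168.102.0/24   <->  remote 10.16.5.0/24
#   OPNsense:        local 10.16.5.0/24       <->  remote 192.168.102.0/24
# With that, OPNsense routes 192.168.2.0/24 only to LAN2 and 192.168.102.0/24
# only into the tunnel, so the two no longer compete in the routing table.
```

Before loading, check the syntax with `pfctl -nf /etc/pf.conf`; the binat line is rejected if the two prefixes are not the same size. Hosts on LAN1 then reach remote hosts as 192.168.102.x, and the IPsec policy on OPNsense must not mention 192.168.2.0/24 at all.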
Quote from: ivoruetsche on March 25, 2026, 01:33:10 PM
:-) Hehe, would be nice if I could do that.
This is only the little tip of the whole network. Many routes, many tunnels at all the gateways, crossing the whole of Europe...
Then NOW is THE MOMENT to fix poor network design decisions and make sure you won't encounter issues in the future! ;)
You could try some small adjustments to the DHCP Pool/Subnet size and/or try Split-Horizon OSPF Routing options, but I am not sure if it would help at all to be honest...
It's a bit frustrating to get such replies, which are not that constructive. I wouldn't post and invest a lot of trial-and-error time if the solution were as easy as changing the subnet.
There is a reason why I can't change the numbering, and sometimes it's just a fact.
Thanks a lot
Ivo
I tried to give constructive info and recommendations, though.
Again: NATting on your site is no option to solve this.
Quote from: ivoruetsche on March 25, 2026, 06:05:38 PM
I wouldn't post and invest a lot of trial-and-error time if the solution were as easy as changing the subnet.
But what if it is this time?!
It's simply the way routing works, and when you have two similar/identical subnets and try to route between them, there is no reliable way to determine where the traffic should go...
NAT is the only way to do this if it works at all with OPNsense. I'd get a local specialist or some remote support. I have some vague ideas, but nothing I could write into a recipe that works over a medium like a forum.
The regular recommendation any network professional will give you is: renumber the side where that is the least pain.
Quote from: viragomann on March 25, 2026, 06:20:22 PM
I tried to give constructive info and recommendations, though.
Again: NATting on your site is no option to solve this.
Yes, that's true, thank you.
Quote from: Patrick M. Hausen on March 25, 2026, 10:00:45 PM
NAT is the only way to do this if it works at all with OPNsense
Sure, this is possible, as I wrote, but not NAT through the remote side; the NAT should be on the LAN2 interface.