OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: TXTad on March 02, 2021, 07:27:47 am

Title: IPSec to Double NAT on Firewall
Post by: TXTad on March 02, 2021, 07:27:47 am
Hello!

I have an IPSec VPN established with NAT before IPSec working as described here: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-binat.html

As a result, traffic that comes into my site appears to come from the far side 1:1 NAT that their addresses are translated to before the traffic enters the tunnel. Traffic that arrives at one of my private servers sees a "foreign" IP address making a request, and responses correctly end up back in the tunnel due to the straightforward routing rules that are implicitly created by this setup.

I also have other private networks on my side that I may need to route traffic to. These networks are in a different data center, but have different private networks, so routing handles the traffic between these data centers. However, this routing will drop any packet that has an IP on a network that the hosting company doesn't recognize. This leaves me unable to route traffic from this VPN to the other data center, since the virtual network isn't one that the host accepts, and I cannot change the virtual network IP range on my end because of considerations for the remote VPN host.

The 1:1 NAT uses an RFC 1918 subnet that I obtained from my hosting company specifically to use as the "Internal IP" network of the 1:1 NAT. I can assign IPs from this network to any server that is locally behind my OPNsense firewall and traffic flows as expected, though again with the tunnel remote IPs (the "Destination IP" network of the 1:1 NAT) being visible to the target server.

Anything I've tried to "double NAT" this traffic to another subnet, hoping to end up with the private subnet of the 1:1 NAT as the source IP, hasn't worked. I've tried running a 1:1 NAT behind the first, as well as port forward NATs.

I'm not even sure what to call this to try to search for some answers, or even if there is some much better solution that I haven't considered.

Does anyone have any thoughts?

Thanks!
Title: Re: IPSec to Double NAT on Firewall
Post by: nellson on August 30, 2021, 02:12:51 am
OK, so it looks like I am supposed to define a Single Gateway with the IP address of my far end peer. If I do that and attach it to the LAN interface, my pings now stop going out the internet, and just die in the firewall. I kinda think that might be progress.

I did not see a route in the table for my IPSec tunnel, and I thought it said the system would make one, so I did add an SDR for the 10.0.0.0/8 net going to my new gateway.

No more leaking of the 10 net space to my ISP, but no DECAPs on my Cisco router. Not sure how I see what is happening to my traffic on the OPNsense side. Is that BiNat being used?