OPNsense Forum
English Forums => General Discussion => Topic started by: anomaly0617 on March 06, 2018, 06:36:36 pm
-
Hi there,
I'm still struggling to implement BiNAT over various IPSec Phase 2 tunnels. Here's how it's handled in pfSense:
Mode: Local Network
Type: LAN Subnet (Mine is 192.168.121.0/24)
Address: [Blank]
NAT/BiNAT Translation Type: Network
NAT/BiNAT Network: 172.16.254.0/24
Remote Network Type: Network
Remote Network Address: 172.16.246.0/24
So, whenever traffic goes out to the 246 network, it should appear to come from 172.16.254.[ip]
Whenever traffic comes in from the 246 network, it should appear to come from 172.16.246.[ip], even though on their end it's likely something like 192.168.1.[ip], and we have BiNAT set up there too.
Lastly (and most importantly), whenever traffic goes out to the 10.0.143.0/24 network, it should appear to come from 192.168.121.0/24 because that is a branch office and it has no BiNAT defined in the Phase 2. There's no chance of a conflict and therefore no need to BiNAT.
If I try the same thing in OPNsense, it looks like this:
Mode: Tunnel IPv4
Description: Customer Name
Local Network Type: Network
Local Network Address: 172.16.246.0/24
Remote Network Type: Network
Remote Network Address: 172.16.254.0/24
Then I create a rule in Firewall >> NAT >> One to One
Interface: IPSec
External IP: 172.16.254.0/24
Internal IP: 192.168.121.0/24
Destination IP: * (Any)
... but this takes over all IPSec traffic going out and makes it appear to come from 172.16.254.0/24 in the firewall logs.
Is there a way to just set BiNAT settings in the Phase 2 settings and be done with it?
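An added example, not from this thread or from the OPNsense project: a small Python model of how a one-to-one (BiNAT) rule rewrites addresses, using the networks named in the post. It shows why a rule whose Destination IP is "*" also rewrites packets bound for the branch office (10.0.143.0/24), and how limiting the rule's destination to the customer's network (172.16.246.0/24) leaves that traffic untouched while the customer still sees 172.16.254.x. The rule fields mirror the One to One form; the first-match logic and the reverse translation are assumptions made for the model, not a reproduction of pf's NAT engine.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Networks taken from the post (used here as constructed sample values).
LAN = ipaddress.ip_network("192.168.121.0/24")       # real LAN behind OPNsense
BINAT_NET = ipaddress.ip_network("172.16.254.0/24")  # how the LAN should appear to the customer
CUSTOMER = ipaddress.ip_network("172.16.246.0/24")   # customer's (already translated) network
BRANCH = ipaddress.ip_network("10.0.143.0/24")       # branch office, no BiNAT wanted


@dataclass(frozen=True)
class OneToOneRule:
    """Hypothetical model of a Firewall > NAT > One to One rule on the IPsec interface.

    internal: the real network, external: the translated network,
    destination: None stands for '*' (any); otherwise the rule only
    applies to traffic towards that network.
    """
    internal: ipaddress.IPv4Network
    external: ipaddress.IPv4Network
    destination: Optional[ipaddress.IPv4Network] = None

    def __post_init__(self):
        # A 1:1 mapping only works between equally sized networks.
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("1:1 NAT needs equal-sized networks")


def _rebase(addr, from_net, to_net):
    """Keep the host bits, swap the network prefix (the 1:1 mapping)."""
    offset = int(addr) - int(from_net.network_address)
    return ipaddress.ip_address(int(to_net.network_address) + offset)


def outbound_source(rules, src, dst):
    """Source address as seen inside the tunnel for a packet src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:  # assumption: first matching rule wins
        if src in rule.internal and (rule.destination is None or dst in rule.destination):
            return str(_rebase(src, rule.internal, rule.external))
    return str(src)  # no rule matched: address leaves untranslated


def inbound_destination(rules, src, dst):
    """Destination address after the reverse translation for a reply src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if dst in rule.external and (rule.destination is None or src in rule.destination):
            return str(_rebase(dst, rule.external, rule.internal))
    return str(dst)


# The rule as posted: Destination IP "*" catches every IPsec flow from the LAN.
RULES_ANY = [OneToOneRule(LAN, BINAT_NET)]
# The same rule limited to traffic towards the customer's network.
RULES_SCOPED = [OneToOneRule(LAN, BINAT_NET, CUSTOMER)]

if __name__ == "__main__":
    for name, rules in (("destination *", RULES_ANY), ("destination 172.16.246.0/24", RULES_SCOPED)):
        print(name)
        print("  to customer:", outbound_source(rules, "192.168.121.10", "172.16.246.7"))
        print("  to branch:  ", outbound_source(rules, "192.168.121.10", "10.0.143.5"))
        print("  reply back: ", inbound_destination(rules, "172.16.246.7", "172.16.254.10"))
```

With the "*" rule, a packet from 192.168.121.10 to the branch host 10.0.143.5 leaves as 172.16.254.10, which is exactly what the firewall logs in the post show; with the destination scoped to 172.16.246.0/24 the branch sees 192.168.121.10 and only the customer sees the 172.16.254.x address.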
-
https://github.com/opnsense/docs/blob/master/source/manual/how-tos/ipsec-s2s-binat.rst
Franco, how often do you sync from GH to docs?
-
This was EXACTLY the fix I needed. Thank you! Please update the documentation with the linked help?
-
Jos will push an update, I'll let him know. It's not automated at the moment.
Cheers,
Franco
-
Apologies for the delay, had to fix some small formatting issues first.
Docs are now up to date :-)
Thanks to all committers!
Cheers,
Jos