Topic: One-to-One NAT in IPsec to individual IPs not working - confusing (Read 330 times)
advanced-user
Newbie
Posts: 4
Karma: 0
One-to-One NAT in IPsec to individual IPs not working - confusing
« on: August 22, 2024, 12:52:08 pm »
Hello everyone,
I am now a proud user of the latest OPNsense business edition. I have already managed to overcome a few configuration hurdles and am looking forward to putting the firewall into productive operation.
Before this is possible, I need a one-to-one NAT (no BINAT) to NAT packets arriving from an IPsec tunnel to the correct internal IP. Since the names of the fields are confusing and I have already tested the variants that seem plausible to me, and it is still not possible to use the VPN route, I don't seem to have figured something out yet.
An experienced user can probably help me quickly. Thanks in advance.
The scenario is that a site-to-site VPN IPsec connection is used with a fakenet, as there is a subnet overlap between the two IPsec partners.
For example, the remote side should access the (real) local IP: 192.168.30.200 from the subnet 10.80.1.0/24. In the VPN tunnel, the subnet 192.168.99.0/24 is used as a fake network instead of the subnet 192.168.30.0/24 (i.e. according to the IPsec config: remote: 10.80.1.0/24 - local: 192.168.99.0/24). In the end, it should be possible to reach a defined internal IP address for a defined IP in the 99 network.
I have been testing for days now and still don't understand why the traffic is not allowed through. I have read the KB article from the manual and one or two forum posts on 1:1 NAT, but they don't quite fit my case, so I'm hoping for support this way.
The tunnel is set up and the (byte) counter for incoming packets is counting up. So far so good.
I suspect the problem is with the 1:1 NAT rule:
As "Interface" I have selected "IPsec", as "Type": NAT, under "External network (Target)": 192.168.30.200, as "Source / Internal": 10.80.1.0/24, and under "Destination": 192.168.99.200.
A firewall rule builds itself automatically, so I don't expect a problem.
I'm wondering about the names of the individual fields (External Network or Source / Internal) - which is which? Does anyone have any idea what I am doing wrong, or how to create such a one-to-one NAT rule correctly? (Where is the secret?).
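An added illustration, not part of the post or of OPNsense: a small Python model of a one-way 1:1 NAT rule on the IPsec interface, written under the assumption that "External network" is the address the remote side targets inside the tunnel, "Source / Internal" is the real local host or network, and "Destination" is the remote network the mapping applies to (this reading of the fields is an assumption, not something the post confirms). The rule names, the sample packet and the whole-/24 variant are constructed here; running it shows which of the two field orderings actually translates a tunnel packet for 192.168.99.200 to 192.168.30.200.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OneToOneNat:
    """One-way 1:1 NAT rule on the IPsec interface, fields named as in the OPNsense form.
    ASSUMED semantics (not confirmed by the post): external = address the remote side
    targets inside the tunnel, internal = real local host/net, destination = remote
    network that is allowed to use the mapping."""
    external: str
    internal: str
    destination: str

    def _nets(self):
        n = ipaddress.ip_network
        return (n(self.external, strict=False), n(self.internal, strict=False),
                n(self.destination, strict=False))

    def translate_inbound(self, src, dst):
        """Packet arriving from the tunnel: rewrite dst external -> internal.
        Returns (src, new_dst), or None when the rule does not match the packet."""
        ext, inner, remote = self._nets()
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in remote or d not in ext:
            return None
        offset = int(d) - int(ext.network_address)  # keeps host position in a /24 map
        if offset >= inner.num_addresses:
            return None
        return src, str(inner.network_address + offset)

    def translate_outbound(self, src, dst):
        """Reply leaving towards the tunnel: rewrite src internal -> external."""
        ext, inner, remote = self._nets()
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in inner or d not in remote:
            return None
        offset = int(s) - int(inner.network_address)
        if offset >= ext.num_addresses:
            return None
        return str(ext.network_address + offset), dst


# Rule exactly as entered in the post (External / Source-Internal / Destination).
AS_POSTED = OneToOneNat("192.168.30.200/32", "10.80.1.0/24", "192.168.99.200/32")
# The same three addresses placed according to the assumed field semantics.
SWAPPED = OneToOneNat("192.168.99.200/32", "192.168.30.200/32", "10.80.1.0/24")
# Whole fake net mapped onto the real net (goes beyond the single-host case in the post).
WHOLE_NET = OneToOneNat("192.168.99.0/24", "192.168.30.0/24", "10.80.1.0/24")
```

Feed a constructed tunnel packet from 10.80.1.20 to 192.168.99.200 into each rule: the as-posted rule never matches, the swapped one rewrites the destination to 192.168.30.200 and maps the reply back.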