Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
Still pretty mixed up on BiNAT over Phase 2 Tunnels
« previous
next »
Print
Pages: [
1
]
Author
Topic: Still pretty mixed up on BiNAT over Phase 2 Tunnels (Read 4899 times)
anomaly0617
Jr. Member
Posts: 50
Karma: 0
Still pretty mixed up on BiNAT over Phase 2 Tunnels
«
on:
March 06, 2018, 06:36:36 pm »
Hi there,
I'm still struggling to implement BiNAT over various IPSec Phase 2 tunnels. Here's how it's handled in pfSense:
Mode: Local Network
Type: LAN Subnet (Mine is 192.168.121.0/24)
Address: [Blank]
NAT/BiNAT Translation Type: Network
NAT/BiNAT Network: 172.16.254.0/24
Remote Network Type: Network
Remote Network Address: 172.16.246.0/24
So, whenever traffic goes out to the 246 network, it should appear to come from 172.16.254.[ip]
Whenever traffic comes in from the 246 network, it should appear to come from 172.16.246.[ip], even though on their end it's likely something like 192.168.1.[ip], and we have BiNAT set up there too.
Lastly (and most importantly) Whenever traffic comes goes out to the 10.0.143.0/24 network, it should appear to come from 192.168.121.0/24 because that is a branch office and it has no BiNAT defined in the Phase 2. There's no chance of a conflict and therefore no need to BiNAT.
If I try the same thing in OPNSense, it looks like this:
Mode: Tunnel IPv4
Description: Customer Name
Local Network Type: Network
Local Network Address: 172.16.246.0/24
Remote Network Type: Network
Remote Network Address: 172.16.254.0/24
Then I create a rule in Firewall >> Nat >> One to One
Interface: IPSec
External IP: 172.16.254.0/24
Internal IP: 192.168.121.0/24
Destination IP: * (Any)
... but this takes over all IPSec traffic going out and makes it appear to come from 172.16.254.0/24 in the firewall logs.
Is there a way to just set BiNAT settings in the Phase 2 settings and be done with it?
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Still pretty mixed up on BiNAT over Phase 2 Tunnels
«
Reply #1 on:
March 06, 2018, 08:00:12 pm »
https://github.com/opnsense/docs/blob/master/source/manual/how-tos/ipsec-s2s-binat.rst
Franco, how often so you sync from GH to docs?
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
anomaly0617
Jr. Member
Posts: 50
Karma: 0
Re: Still pretty mixed up on BiNAT over Phase 2 Tunnels
«
Reply #2 on:
March 06, 2018, 11:09:11 pm »
This was EXACTLY the fix I needed. Thank you! Please update the documentation with the linked help?
Logged
franco
Administrator
Hero Member
Posts: 17656
Karma: 1610
Re: Still pretty mixed up on BiNAT over Phase 2 Tunnels
«
Reply #3 on:
March 07, 2018, 05:48:59 pm »
Jos will push an update, I'll let him know. It's not automated at the moment.
Cheers,
Franco
Logged
jschellevis
Administrator
Full Member
Posts: 156
Karma: 37
Re: Still pretty mixed up on BiNAT over Phase 2 Tunnels
«
Reply #4 on:
March 09, 2018, 11:56:27 am »
Apologies for the delay, had to fix some small formatting issues first.
Docs are now up to date :-)
Thanks to all commiters!
Cheers,
Jos
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
Still pretty mixed up on BiNAT over Phase 2 Tunnels