Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
24.7 Production Series
»
SNAT for traffic through route based VPN (VTI) ?
« previous
next »
Print
Pages: [
1
]
Author
Topic: SNAT for traffic through route based VPN (VTI) ? (Read 499 times)
zemanek
Newbie
Posts: 18
Karma: 0
SNAT for traffic through route based VPN (VTI) ?
«
on:
October 04, 2024, 11:40:59 am »
Hello,
I have setup route based VPN named T1 according to
https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html
:
Local VTI address: 10.101.177.2
Remote VTI address: 10.101.177.1
OPNsense WAN address: 10.100.177.10/24
This created interface T1, I created gateway using this interface with IP 10.101.177.1 and added route to 10.0.1.0/24 through this gateway.
Now when I PING a host in 10.0.1.0/24 from the OPNsense , I can see in packet capture that packets going into the VPN have source IP address 10.101.177.2 (local VTI address).
I need them to have source IP address 10.100.177.10. How do I do that? I tried setting SNAT for the T1 interface to have WAN interface address for anything going to 10.0.1.0/24 but that didn't help.
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1614
Karma: 176
Re: SNAT for traffic through route based VPN (VTI) ?
«
Reply #1 on:
October 04, 2024, 01:06:22 pm »
You need to set tunables to change the filter behavior of ipsec.
https://docs.opnsense.org/manual/vpnet.html#route-based-vti
Please note that you can ONLY have either filtering and nat on enc0 (which is shown as IPsec in the GUI), OR on ipsecX interfaces.
Logged
Hardware:
DEC740
zemanek
Newbie
Posts: 18
Karma: 0
Re: SNAT for traffic through route based VPN (VTI) ?
«
Reply #2 on:
October 04, 2024, 02:01:19 pm »
Thanks. I missed that. So I set those tunables. Now the ICMP does not even get into the VPN. I also noticed
Warning
Currently it does not seem to be possible to add NAT rules for if_ipsec(4) devices.
So I guess I am out of luck here...
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1614
Karma: 176
Re: SNAT for traffic through route based VPN (VTI) ?
«
Reply #3 on:
October 04, 2024, 02:53:34 pm »
https://forum.opnsense.org/index.php?topic=36254
Read this whole thread and a lot of your questions will be answered.
Logged
Hardware:
DEC740
viragomann
Full Member
Posts: 198
Karma: 7
Re: SNAT for traffic through route based VPN (VTI) ?
«
Reply #4 on:
October 04, 2024, 04:49:13 pm »
Quote from: zemanek on October 04, 2024, 11:40:59 am
I need them to have source IP address 10.100.177.10.
Why?
This would lead into asymmetric routing.
Logged
zemanek
Newbie
Posts: 18
Karma: 0
Re: SNAT for traffic through route based VPN (VTI) ?
«
Reply #5 on:
October 07, 2024, 12:41:42 pm »
@Monviech
Doesn't work for me. It seems that if I enable SNAT for the ipsec interface (using WAN address as source IP) it is sending testing ICMP packets through WAN interface and not through ipsec interface as it should according to route table.
Logged
zemanek
Newbie
Posts: 18
Karma: 0
Re: SNAT for traffic through route based VPN (VTI) ?
«
Reply #6 on:
October 07, 2024, 04:08:22 pm »
Well, I looked at configuration XML and found that there are some references to nonexistent ipsec interfaces. As I previously encountered an issue with configuration of older OPNsense version / other instance with mixed up configuration after numerous experiments, I decided to do a factory reset and configure everything from scratch.
But now whenever I apply new IPsec connection, I loose ALL connectivity to the OPNsense instance (I have to do a factory reset via the console).
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
24.7 Production Series
»
SNAT for traffic through route based VPN (VTI) ?
