moving from pfsense to opnsense looking for where to put local network/nat/binat

Started by sanni2005, January 24, 2025, 08:44:56 PM

moving from pfsense to opnsense looking for where to put local network/nat/binat/remote see screenshot
in opnsense

i think in nat but im confused as to why or what is missing to make it work

Thanks in advance

Your local network is 172.0.0.0/8???
This embraces some public ranges! Apart from that, I don't think, you really need a /8.

Anyway, you can do this with a legacy tunnel IPSec p2 and a NAT One-to-one rule.

Configure a p2 with 192.168.136.103/32 as local network.

Then add a NAT One-to-one rule:
Interface: IPSec
Type: NAT
External network: 192.168.136.103/32
Source: your local network
Destination: remote network

in the p2 do i need the remote
i have the info local as the 192.
10.21.0.0 as remote?

i added the ipsec nat you mentioned but can't reach 10.21.6.#, which i'm supposed to be able to

do i need firewall rules, open 500, 4500, esp etc.? i thought i read that in a forum somewhere


In the p2 you should have
local: 192.168.136.103/32
remote: 10.21.0.0/16

Quote from: sanni2005 on January 25, 2025, 04:55:42 AM
do i need firewalls rules, open 500,4500,esp etc .. i thought i read that in a forum somehow
Rules are needed on the WAN for incoming IPSec connections. But maybe OPNsense adds these automatically.
You can display the automatic rules on the WAN rule page to make sure.

no rules in rules-ipsec nothing

it reads no rules are defined, all incoming blocked ...

do u have any suggestions or advice
thanks in advance

I'd assume, that you don't want to allow any incoming traffic.
Access from the remote site to your site will not be possible anyway, since your p2 connects a remote network to a single address on your site.
This setup only allows access to the remote site. And rules for this are needed on the remote only. That's the same on pfSense.

On your OPNsense you only need to allow the traffic on the incoming interface, LAN or whichever.

Do you mean the ipsec traffic on the lan ..

The internet works, we can even vpn in, but we would open the ip like in a web browser and in pfsense it will see the instance (say a server as an example), but even with everything added, surfing works but there is no access to the server in opnsense .. so not sure what im missing.

I understand you only have some info, not all, but anything you can think of to check or change, im working to figure this out. Thx in advance,


I don't understand what your problem is now.

To avoid talking at cross purposes, I think you should better explain what you are in fact trying to achieve.
You just posted a screenshot of a P2 with BINAT on pfSense and asked how to achieve this on OPNsense. And I supplied an answer to this. But if this does not provide satisfaction, you have to give some more details about the setup and what you intend.

What do you try to achieve?
What are the local and the remote subnets (all)?
How is your p2 configured?
How did you configure the NAT rule?
How is the remote p2 configured?
Are proper firewall rules added?
Is the connection already established properly?

sorry for the long delay in replying

could you please look this over and let me know if you see any issues or wrong setup details

IPSEC details

Phase 1 Configuration:
    Remote Gateway: 207.219.39.1 (Your local gateway).
    Authentication Method: pre-shared key
    My Identifier: 142.127.82.151
    Peer Identifier: 207.219.39.1

Phase 2 Configuration:
    Local Network:
        10.21.0.0/16 (remote network behind the gateway).
    Remote Network:
        192.168.136.210/32 and 192.168.2.0/24 (local subnet + NAT IP for the tunnel).

NAT Configuration:

Navigate to Firewall → NAT → Outbound.
Set to Hybrid Mode

Add two outbound NAT rules:
    Rule 1:
        Interface: WAN
        Source: 10.21.0.0/16
        Destination: 192.168.2.0/24
        Translation/Target: None (disable NAT for this traffic).
    Rule 2:
        Interface: WAN
        Source: 10.21.0.0/16
        Destination: 192.168.136.210/32
        Translation/Target: None.

Firewall → Rules → IPsec.

    Action: Pass
    Source: 192.168.136.210/32
    Destination: 10.21.0.0/16

    Action: Pass
    Source: 192.168.2.0/24 (lan)
    Destination: 10.21.0.0/16 (remote)

Firewall → Rules → WAN.

    Action: Pass
    Interface: WAN
    Protocol: UDP
    Source: Any (or restrict to the remote gateway)
    Destination: WAN Address (the public IP)
    Destination Ports:
        500 (UDP): For IKE (IPsec negotiation).
        4500 (UDP): For NAT-T (NAT traversal, if applicable).
    Description: Allow IPsec traffic.

(Optional) ESP Protocol Rule:

    Protocol: ESP
    Source: Any (or restrict to 142.127.82.151).
    Destination: WAN Address.
    Description: Allow ESP traffic.

Firewall → Rules → LAN.

    Action: Pass
    Interface: LAN
    Protocol: Any
    Source: 192.168.2.0/24 (your local LAN network).
    Destination: 10.21.0.0/16 (the remote network).
    Description: Allow LAN to IPsec traffic.

for my openvpn access

Firewall → Rules → OpenVPN.

    Action: Pass
    Source: OpenVPN subnet (192.168.10.0/24).
    Destination: 10.21.0.0/16.

i had it all routing to the wrong ip, so i stopped, did a bunch more research and rule reading, and looked at pfsense and what you said,
and thats what i think i need

Thanks in advance for any help

Without knowing what the local network is, what the remote is, and which IP you need to NAT to, there is nothing I could suggest.

At least, the outbound NAT rules on WAN are pretty useless. There will be no traffic to the private subnets routed out, hence the rules do nothing.

i thought you see the numbers from my samples sorry i was not clearer

local lan 192.168.2.0/24
phase 1 ipsec ike properties ip address 207.219.39.1
phase 2 remote networks 10.21.0.0/16
source nat ip 192.168.136.210/32
remote vpn gateway 142.127.82.151

do u need my public ip
and earlier i mentioned vpn, just simply we are going to use this from local lan and thru a vpn

thanks again i appreciate your help




We don't need to know your public IPs here. It's sufficient if you use aliases for your site and the remote site.

But since you possibly have a routing problem across the IPSec, we need to know the local subnets on both, your site and remote and as well the IPSec settings of both.

ipsec phase ip 207.219.39.1 with a vpn gateway pf 142.127.82.151, source nat ip 192.168.136.210/32, this is the local subnet when building the tunnel, and the source nat remote network ip is 10.21.0.0/16 .. local lan ip is 192.168.2.0

traffic from your local network (192.168.2.0/24) and the source NAT IP (192.168.136.210/32) destined for the remote network (10.21.0.0/16) is routed through the IPsec tunnel established with the remote gateway (142.127.82.151)


when you say ipsec settings
phase 1 ike properties
ip address 207.219.39.1
key exchange 256bit aes
data - sha-384
dh-group - group20(384-bit ecp)

phase2
256 bit aes
data - sha-384
perfect forward secrecy: enabled
dh-group -group20(384-bit ecp)


based on your previous post

Anyway, you can do this with a legacy tunnel IPSec p2 and a NAT One-to-one rule.

Configure a p2 with 192.168.136.103/32 as local network.

Then add a NAT One-to-one rule:
Interface: IPSec
Type: NAT
External network: 192.168.136.103/32
Source: your local network
Destination: remote network

so for me i think its just the firewall rules right

thanks
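As an added example (not posted by anyone in this thread), a small consistency check for the layout suggested earlier: a p2 whose local network is the /32 NAT address, plus a One-to-one NAT rule of Type NAT on the IPsec interface, using the addresses sanni2005 listed (LAN 192.168.2.0/24, NAT IP 192.168.136.210/32, remote 10.21.0.0/16). It also shows why a peer p2 that lists both 192.168.136.210/32 and 192.168.2.0/24 as its remote networks does not mirror a local p2 advertising only the /32. Modelling "Type: NAT" as a many-to-one source rewrite and the peer's selectors are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Addresses from the thread; the peer's selectors below are as sanni2005 described them.
LAN = ip_network("192.168.2.0/24")          # local LAN behind OPNsense
NAT_IP = ip_network("192.168.136.210/32")   # /32 the tunnel presents to the peer
REMOTE = ip_network("10.21.0.0/16")         # network behind the remote gateway

# Our phase 2 and the One-to-one NAT rule from the earlier answer.
# "Type: NAT" is modelled as a many-to-one source rewrite (an assumption).
our_p2 = {"local": [NAT_IP], "remote": [REMOTE]}
nat_rule = {"interface": "ipsec", "external": NAT_IP, "source": LAN, "destination": REMOTE}

def translate(src, dst, rule=nat_rule, p2=our_p2):
    """Return (source after NAT, whether the packet then matches our p2 selector)."""
    src, dst = ip_address(src), ip_address(dst)
    # Only a rule on the IPsec interface sees traffic bound for the tunnel.
    if rule["interface"] == "ipsec" and src in rule["source"] and dst in rule["destination"]:
        src = rule["external"].network_address      # every LAN host becomes NAT_IP
    matched = any(src in n for n in p2["local"]) and any(dst in n for n in p2["remote"])
    return str(src), matched

def selector_problems(ours, peers):
    """The peer's p2 must mirror ours: its remote == our local, its local == our remote."""
    problems = []
    if set(peers["remote"]) != set(ours["local"]):
        problems.append("peer remote networks do not equal our local network(s)")
    if set(peers["local"]) != set(ours["remote"]):
        problems.append("peer local networks do not equal our remote network(s)")
    return problems

def nat_problems(rule, ours):
    """The NAT external address must sit inside what our p2 advertises, on the IPsec interface."""
    problems = []
    if rule["interface"] != "ipsec":
        problems.append("NAT rule is not on the IPsec interface; tunnel traffic never leaves via WAN")
    if not any(rule["external"].subnet_of(n) for n in ours["local"]):
        problems.append("NAT external address is outside the p2 local network")
    return problems

if __name__ == "__main__":
    # Peer p2 as described in the thread: it lists the LAN /24 as well as the /32,
    # so it does not mirror a local p2 that advertises only the /32.
    peer_p2 = {"local": [REMOTE], "remote": [NAT_IP, LAN]}
    print(translate("192.168.2.50", "10.21.6.7"))     # ('192.168.136.210', True)
    print(selector_problems(our_p2, peer_p2))
    print(nat_problems(nat_rule, our_p2))
```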