snat per tunnel interface for overlapping ips in route based vpn

Started by multazimd, February 26, 2026, 08:02:31 PM

We have a requirement for route-based VTI with overlapping customer remote networks in different tunnels, to be routed to different applications at our end. To achieve this, we need to create a unique tunnel interface per connection and have the ability to do SNAT on each tunnel interface, so that we can differentiate the customers based on local networks.

Customer A Remote Network 192.168.0.0/24 -> SNAT in Customer A's VTI to VIP A -> Customer A's local app subnet
Customer A's local app subnet -> VIP A -> DNAT to Customer A Remote Network 192.168.0.0/24

Customer B Remote Network 192.168.0.0/24 -> SNAT in Customer B's VTI to VIP B -> Customer B's local app subnet
Customer B's local app subnet -> VIP B -> DNAT to Customer A Remote Network 192.168.0.0/24

How can we achieve this in OPNsense?
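The per-tunnel translation the post describes, written out as pf-style rules (OPNsense's packet filter is pf, so its one-to-one NAT entries compile to rules of this shape). This is an added illustration, not configuration from the thread or from the OPNsense documentation; the interface names (ipsec1, ipsec2), the VIP ranges (10.10.1.0/24, 10.10.2.0/24) and the app subnets (172.16.1.0/24, 172.16.2.0/24) are assumed placeholders.

```pf
# Added example, not from the original post. Interface names, VIP ranges and
# app subnets below are assumed; only the overlapping 192.168.0.0/24 is from the thread.

# Both customers present the same remote range, each on its own VTI.
remote_net = "192.168.0.0/24"
vip_a      = "10.10.1.0/24"      # how Customer A's 192.168.0.0/24 appears locally
vip_b      = "10.10.2.0/24"      # how Customer B's 192.168.0.0/24 appears locally
app_a      = "172.16.1.0/24"     # Customer A's application subnet
app_b      = "172.16.2.0/24"     # Customer B's application subnet

# One-to-one (binat) translation bound to each tunnel interface. Packets arriving
# on ipsec1 from 192.168.0.0/24 have their source rewritten to 10.10.1.0/24 (the
# SNAT leg); packets leaving via ipsec1 toward 10.10.1.0/24 are mapped back to
# 192.168.0.0/24 (the DNAT leg). binat keeps host offsets, so .5 maps to .5.
binat on ipsec1 from $remote_net to $app_a -> $vip_a
binat on ipsec2 from $remote_net to $app_b -> $vip_b

# Filter rules see the translated addresses, so the two customers are kept apart
# by their VIP ranges and never by the overlapping 192.168.0.0/24 itself.
pass in  on ipsec1 from $vip_a to $app_a keep state
pass in  on ipsec2 from $vip_b to $app_b keep state
pass out on ipsec1 from $app_a to $vip_a keep state
pass out on ipsec2 from $app_b to $vip_b keep state
```

The binat rules only perform the address rewriting on whichever tunnel interface a packet already uses; they do not by themselves decide which VTI a new connection from the app subnet is sent to, which is the routing question the replies below take up.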

If the remote networks overlap, the masquerading has to be done on one of the remote sites, otherwise OPNsense is not going to be able to route the traffic for the remote networks properly.

It does say in the doc here : https://docs.opnsense.org/manual/vpnet.html#route-based-vti

that NAT rules can be specified on VTI interfaces in pure VTI-based setups without issue.

Has anyone tried it? This can probably help for our use case. Will try out.

Quote from: multazimd on Today at 01:59:55 AM
    It does say in the doc here: https://docs.opnsense.org/manual/vpnet.html#route-based-vti
    that NAT rules can be specified on VTI interfaces in pure VTI-based setups without issue.
Yes, you can. But even if you masquerade the remote subnet on your site, it does not change the fact that multiple (VTI) interfaces are bound to the same or overlapping subnets. And this leads to the problem that OPNsense will not be able to route the traffic to the correct remote site.

In our case, the remote subnet overlap is not within a single VPN connection but between two different VPN connections. Since the connections are different and the tunnels are unique, wouldn't OPNsense be able to route traffic correctly?