
Author Topic: Still pretty mixed up on BiNAT over Phase 2 Tunnels  (Read 4913 times)

anomaly0617

  • Jr. Member
  • Posts: 50
  • Karma: 0
Still pretty mixed up on BiNAT over Phase 2 Tunnels
« on: March 06, 2018, 06:36:36 pm »
Hi there,

I'm still struggling to implement BiNAT over various IPSec Phase 2 tunnels. Here's how it's handled in pfSense:

Mode: Local Network
Type: LAN Subnet (Mine is 192.168.121.0/24)
Address: [Blank]
NAT/BiNAT Translation Type: Network
NAT/BiNAT Network: 172.16.254.0/24
Remote Network Type: Network
Remote Network Address: 172.16.246.0/24

So, whenever traffic goes out to the 246 network, it should appear to come from 172.16.254.[ip].
Whenever traffic comes in from the 246 network, it should appear to come from 172.16.246.[ip], even though on their end it's likely something like 192.168.1.[ip], and we have BiNAT set up there too.

Lastly (and most importantly), whenever traffic goes out to the 10.0.143.0/24 network, it should appear to come from 192.168.121.0/24 because that is a branch office and it has no BiNAT defined in the Phase 2. There's no chance of a conflict and therefore no need to BiNAT.

If I try the same thing in OPNsense, it looks like this:

Mode: Tunnel IPv4
Description: Customer Name
Local Network Type: Network
Local Network Address: 172.16.246.0/24
Remote Network Type: Network
Remote Network Address: 172.16.254.0/24

Then I create a rule in Firewall >> NAT >> One to One
Interface: IPSec
External IP: 172.16.254.0/24
Internal IP: 192.168.121.0/24
Destination IP: * (Any)

... but this takes over all IPSec traffic going out and makes it appear to come from 172.16.254.0/24 in the firewall logs.

Is there a way to just set BiNAT settings in the Phase 2 settings and be done with it?
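The behaviour described in this post (a 1:1 mapping that must only apply to traffic bound for one partner network, and a One-to-One rule with destination "Any" that instead rewrites every packet leaving over IPsec) can be modelled in a few lines. The following is an added illustration written in Python for this thread; it is not OPNsense or pfSense code and does not reproduce either product's pf rules. The networks are the ones given in the post; the rule dictionaries, function names and the "0.0.0.0/0" stand-in for a destination of "Any" are assumptions of the example.

```python
import ipaddress

# Constructed BiNAT rule modelled on the first post: the LAN 192.168.121.0/24 is
# presented to the partner as 172.16.254.0/24, but only for traffic that is
# actually destined for the partner's 172.16.246.0/24 network.
SCOPED_RULE = {
    "internal": ipaddress.ip_network("192.168.121.0/24"),
    "external": ipaddress.ip_network("172.16.254.0/24"),
    "destination": ipaddress.ip_network("172.16.246.0/24"),
}

# The same mapping with Destination IP "* (Any)", as in the post's One-to-One
# rule; 0.0.0.0/0 is this example's stand-in for "Any".
UNSCOPED_RULE = dict(SCOPED_RULE, destination=ipaddress.ip_network("0.0.0.0/0"))


def validate_rule(rule):
    """Reject rules that cannot be a clean 1:1 mapping.

    A BiNAT rule rebases host bits from one network onto another, so both
    networks must be the same size, and the translated network must not
    overlap the remote network it is meant to be reachable from.
    """
    if rule["internal"].prefixlen != rule["external"].prefixlen:
        raise ValueError("BiNAT requires equal-sized internal and external networks")
    if rule["external"].overlaps(rule["destination"]):
        raise ValueError("translated network overlaps the remote network")
    return True


def binat_map(address, from_net, to_net):
    """Return `address` rebased from `from_net` onto `to_net`, keeping the host bits."""
    host_bits = int(address) - int(from_net.network_address)
    return to_net.network_address + host_bits


def translate_outbound(src, dst, rules):
    """Source address a packet carries after leaving the firewall.

    The source is rewritten only when it lies in the rule's internal network
    AND the destination lies in the rule's destination scope; otherwise the
    original source is kept (the branch-office case in the post).
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if src in rule["internal"] and dst in rule["destination"]:
            return str(binat_map(src, rule["internal"], rule["external"]))
    return str(src)


def translate_inbound(src, dst, rules):
    """Destination address a packet carries after arriving from the tunnel.

    The reverse direction: a packet from the partner aimed at one of the
    translated addresses is mapped back onto the real LAN host.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if dst in rule["external"] and src in rule["destination"]:
            return str(binat_map(dst, rule["external"], rule["internal"]))
    return str(dst)


if __name__ == "__main__":
    validate_rule(SCOPED_RULE)
    # Partner traffic is translated, branch-office traffic is not.
    print(translate_outbound("192.168.121.10", "172.16.246.5", [SCOPED_RULE]))
    print(translate_outbound("192.168.121.10", "10.0.143.7", [SCOPED_RULE]))
    # With destination "Any" the branch-office traffic is rewritten as well,
    # which is what the post sees in the firewall logs.
    print(translate_outbound("192.168.121.10", "10.0.143.7", [UNSCOPED_RULE]))
    # Replies from the partner come back to the real host.
    print(translate_inbound("172.16.246.5", "172.16.254.10", [SCOPED_RULE]))
```

Running the block with the scoped rule leaves the 10.0.143.0/24 traffic untranslated, while the unscoped rule rewrites it to 172.16.254.10; the difference is entirely in the destination scope, which is why a 1:1 rule needs to be bound to the remote Phase 2 network rather than to "Any".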

mimugmail

  • Hero Member
  • Posts: 6767
  • Karma: 494
Re: Still pretty mixed up on BiNAT over Phase 2 Tunnels
« Reply #1 on: March 06, 2018, 08:00:12 pm »
https://github.com/opnsense/docs/blob/master/source/manual/how-tos/ipsec-s2s-binat.rst

Franco, how often do you sync from GH to docs?
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

anomaly0617

  • Jr. Member
  • Posts: 50
  • Karma: 0
Re: Still pretty mixed up on BiNAT over Phase 2 Tunnels
« Reply #2 on: March 06, 2018, 11:09:11 pm »
This was EXACTLY the fix I needed. Thank you! Please update the documentation with the linked help?

franco

  • Administrator
  • Hero Member
  • Posts: 17707
  • Karma: 1618
Re: Still pretty mixed up on BiNAT over Phase 2 Tunnels
« Reply #3 on: March 07, 2018, 05:48:59 pm »
Jos will push an update, I'll let him know. It's not automated at the moment.


Cheers,
Franco

jschellevis

  • Administrator
  • Full Member
  • Posts: 156
  • Karma: 37
Re: Still pretty mixed up on BiNAT over Phase 2 Tunnels
« Reply #4 on: March 09, 2018, 11:56:27 am »
Apologies for the delay, had to fix some small formatting issues first.
Docs are now up to date :-)

Thanks to all committers!

Cheers,

Jos