On Aug 22, 2017, at 8:09 AM, Kilian Ries <m...@kilian-ries.de> wrote:
> 
> Hi,
> 
> 
> my setup is the following:
> 
> 
> Site A:
> 
> Lan: 192.168.100.0/24
> 
> Lan_IP: 192.168.100.1
> 
> Transfer: 10.2.81.0/24
> 
> Transfer_IP: 10.2.81.1
> 
> 
> Site B:
> 
> Lan: 10.2.82.0/24
> 
> Lan_IP: 19.2.82.1
> 
> 
> I'm doing a site-to-site IPsec which is working. I can ping from both routers 
> (pfsense, juniper) to each other (10.2.81.1 <-> 10.2.82.1) but not from the 
> clients in my LAN (192.168.68.x <-> 10.2.82.x). I'm now trying to set up a 
> Transfer-Net with NAT / BINAT routing:
> 
> 
> Site B should reach the clients on site A via a 10.2.81.x ip-address and not 
> via a 192.168.100.x ip-address. So I want to map 10.2.81.0/24 <-> 
> 192.168.100.0/24.
> 
> 
> First I tried to do this via the NAT/BINAT setting inside the IPsec settings:
> 
> 
> Site A IPsec Phase2
> 
> 
> Local Network: 192.168.100.0/24
> 
> NAT/BINAT translation: 10.2.81.0/24
> 
> Remote Network: 10.2.82.0/24
> 
> 
> That didn't work and I tried the same thing with 1:1 NAT from the Firewall 
> tab:
> 
> 
> Site A
> 
> 
> External subnet IP 10.2.81.0
> 
> Internal IP: 192.168.100.0/24
> 
> Destination: 10.2.82.0/24
> 
> 
> 
> No matter which mapping I choose, if I try to ping from 192.168.100.x to 
> 10.2.82.x, pfsense routes the request through the WAN interface instead of 
> the IPsec / Transfer-Net Interface. How can I tell pfsense to route the 
> traffic from my Lan through the IPsec tunnel (not WAN) and do the NAT?

You might be policy routing that traffic out the WAN interface using rules that 
match the traffic on the 192.168.100.0/24 interface with a gateway or gateway 
group set.

Try bypassing policy routing for the remote subnet using a pass rule above that 
with the destination 10.2.82.0/24 and no gateway set.

https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
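
An added example, not part of this thread or of pfSense itself, that models the first-match rule evaluation the reply relies on and the 1:1 mapping the question asks for; the rule objects, the gateway label "WAN_GW" and the sample host addresses are assumptions.

```python
# Added example (not from the thread): a small model of pfSense first-match
# interface rule evaluation, showing why a pass rule with NO gateway placed
# ABOVE the policy-routing rule keeps 192.168.100.0/24 -> 10.2.82.0/24 traffic
# on the system routing table (the IPsec tunnel) instead of the WAN gateway.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    """One LAN-interface pass rule, in the order it appears in the rule set."""
    src: str
    dst: str
    gateway: Optional[str]  # None = routing table; a name = policy route
    note: str = ""

def first_match(rules, src_ip, dst_ip):
    """pfSense evaluates interface rules top-down and uses the first match."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            return rule
    return None  # no match: default deny

def egress(rules, src_ip, dst_ip):
    """Return the gateway name if policy routed, else 'ROUTING_TABLE'."""
    rule = first_match(rules, src_ip, dst_ip)
    if rule is None:
        return "BLOCKED"
    return rule.gateway or "ROUTING_TABLE"

def binat(src_ip, inside="192.168.100.0/24", outside="10.2.81.0/24"):
    """1:1 NAT: keep the host bits, swap the network bits (10.2.81.x for 192.168.100.x)."""
    inside_net, outside_net = ip_network(inside), ip_network(outside)
    host = int(ip_address(src_ip)) - int(inside_net.network_address)
    return str(ip_address(int(outside_net.network_address) + host))

# Constructed rules: a catch-all policy route to WAN, and the bypass rule
# the reply suggests (destination = remote subnet, no gateway set).
POLICY_ROUTE = Rule("192.168.100.0/24", "0.0.0.0/0", "WAN_GW", "policy route to WAN")
BYPASS = Rule("192.168.100.0/24", "10.2.82.0/24", None, "bypass: no gateway")

BROKEN = [POLICY_ROUTE, BYPASS]   # bypass below the catch-all never matches
FIXED = [BYPASS, POLICY_ROUTE]    # bypass above, as the reply suggests

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, egress(rules, "192.168.100.10", "10.2.82.10"))
    print("192.168.100.10 is seen at site B as", binat("192.168.100.10"))
```

Traffic to any other destination (e.g. the Internet) still hits the policy-routing rule in the fixed order, so the bypass rule changes only the tunnel-bound flows.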

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
