Just tried Bypassing Policy Routing, but it doesn't work. Traffic is still routed through the WAN interface.

Also tried setting up a gateway and appropriate route, but I can only see packets on the LAN interface, not on the IPsec interface: https://forum.pfsense.org/index.php?topic=135384.0

________________________________
From: List <[email protected]> on behalf of Chris L <[email protected]>
Sent: Tuesday, 22 August 2017 19:36:05
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] IPsec NAT/BINAT not working

On Aug 22, 2017, at 8:09 AM, Kilian Ries <[email protected]> wrote:
>
> Hi,
>
> my setup is the following:
>
> Site A:
> Lan: 192.168.100.0/24
> Lan_IP: 192.168.100.1
> Transfer: 10.2.81.0/24
> Transfer_IP: 10.2.81.1
>
> Site B:
> Lan: 10.2.82.0/24
> Lan_IP: 19.2.82.1
>
> I'm doing a site-to-site IPsec which is working. I can ping from both routers
> (pfSense, Juniper) to each other (10.2.81.1 <-> 10.2.82.1) but not from the
> clients in my LAN (192.168.68.x <-> 10.2.82.x). I'm now trying to set up a
> Transfer-Net with NAT / BINAT routing:
>
> Site B should reach the clients on site A via a 10.2.81.x IP address and not
> via a 192.168.100.x IP address. So I want to map 10.2.81.0/24 <->
> 192.168.100.0/24.
>
> First I tried to do this via the NAT/BINAT setting inside the IPsec settings:
>
> Site A IPsec Phase 2
> Local Network: 192.168.100.0/24
> NAT/BINAT translation: 10.2.81.0/24
> Remote Network: 10.2.82.0/24
>
> That didn't work and I tried the same thing with 1:1 NAT from the Firewall
> tab:
>
> Site A
> External subnet IP: 10.2.81.0
> Internal IP: 192.168.100.0/24
> Destination: 10.2.82.0/24
>
> No matter which mapping I choose, if I try to ping from 192.168.100.x to
> 10.2.82.x, pfSense routes the request through the WAN interface instead of
> the IPsec / Transfer-Net interface. How can I tell pfSense to route the
> traffic from my LAN through the IPsec tunnel (not WAN) and do the NAT?
You might be policy routing that traffic out the WAN interface using rules that match the traffic on the 192.168.100.0/24 interface with a gateway or gateway group set. Try bypassing policy routing for the remote subnet using a pass rule above that with the destination 10.2.82.0/24 and no gateway set.

https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
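The suggestion in Chris L's reply depends on two pfSense behaviours: LAN rules are evaluated top-down with the first match winning, and a rule with a gateway set forces traffic to that gateway regardless of the routing table, while a rule with no gateway lets the system routing table (where the IPsec phase 2 route lives) decide. The following is an added illustration, not code from the thread or from the pfSense project: a small first-match evaluator over a constructed rule set and routing table, run with the bypass rule absent, above and below the policy-routing rule. The addresses reuse the thread's subnets; the rule names, the "wan"/"ipsec" labels and the route table are assumptions made for the example, and the BINAT translation itself is not modelled.

```python
"""Constructed model of pfSense-style first-match rule evaluation on LAN.
Not pfSense code; all names, labels and the route table are made up here."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    name: str
    destination: str          # CIDR to match on; "any" matches everything
    gateway: Optional[str]    # gateway set on the rule => policy routing


def matches(rule: Rule, dst_ip: str) -> bool:
    """Return True when the destination address falls inside the rule's CIDR."""
    if rule.destination == "any":
        return True
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.destination)


# Constructed system routing table (assumption): the remote LAN is reachable
# through the IPsec phase 2 entry, everything else follows the default route.
ROUTES = {
    "10.2.82.0/24": "ipsec",
    "0.0.0.0/0": "wan",
}


def system_route(dst_ip: str) -> str:
    """Longest-prefix match over ROUTES, as the kernel routing table would do."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [ipaddress.ip_network(n) for n in ROUTES
                  if addr in ipaddress.ip_network(n)]
    best = max(candidates, key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def egress(rules: List[Rule], dst_ip: str) -> str:
    """First matching pass rule wins. A gateway on the rule overrides the
    routing table; no gateway means the routing table decides."""
    for rule in rules:
        if matches(rule, dst_ip):
            return rule.gateway if rule.gateway else system_route(dst_ip)
    return "blocked"  # default deny when nothing matches


# Policy-routing rule typical of a multi-WAN LAN: all traffic forced to WAN.
POLICY_ROUTE = Rule("LAN net to any via WAN_GW", "any", "wan")
# The bypass rule from the doc page: destination is the remote subnet, no gateway.
BYPASS = Rule("LAN net to 10.2.82.0/24, no gateway", "10.2.82.0/24", None)


def without_bypass(dst_ip: str) -> str:
    return egress([POLICY_ROUTE], dst_ip)


def bypass_above(dst_ip: str) -> str:
    return egress([BYPASS, POLICY_ROUTE], dst_ip)


def bypass_below(dst_ip: str) -> str:
    # Wrong ordering: the policy-routing rule matches first and the bypass is dead.
    return egress([POLICY_ROUTE, BYPASS], dst_ip)


if __name__ == "__main__":
    for fn in (without_bypass, bypass_above, bypass_below):
        print(f"{fn.__name__:15} 10.2.82.10 -> {fn('10.2.82.10'):6} "
              f"8.8.8.8 -> {fn('8.8.8.8')}")
```

Running it shows that the bypass rule only has an effect when it sits above the policy-routing rule; placed below it, the policy-routing rule still captures the tunnel traffic and sends it out WAN, which is the symptom described in the thread. When checking a live box, confirming the rule order on the LAN tab and that the remote subnet actually appears in the routing table are the two things to verify before looking at the NAT/BINAT configuration.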
