I always thought that this behaviour was because of the way IPsec is bolted on 
to the network stack in FreeBSD 9, that IPsec literally took over the packet 
before it could get NAT'd.
Certainly, I was recently surprised to discover that IPsec VPN tunnels take 
precedence over local connected interfaces when the addresses overlap.
-Adam


> -----Original Message-----
> From: List [mailto:[email protected]] On Behalf Of Kilian Ries
> Sent: August 24, 2017 01:43
> To: pfSense Support and Discussion Mailing List <[email protected]>
> Subject: Re: [pfSense] IPsec NAT/BINAT not working
> 
> Just tried Bypassing Policy Routing, but it doesn't work. Traffic is still
> routed through WAN interface.
> 
> 
> Also tried setting up a gateway and appropriate route, but i can only see
> packets on the Lan interface, not on the IPsec interface:
> 
> 
> https://forum.pfsense.org/index.php?topic=135384.0
> 
> ________________________________
> From: List <[email protected]> on behalf of Chris L
> <[email protected]>
> Sent: Tuesday, 22 August 2017 19:36:05
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] IPsec NAT/BINAT not working
> 
> On Aug 22, 2017, at 8:09 AM, Kilian Ries <[email protected]> wrote:
> >
> > Hi,
> >
> >
> > my setup is the following:
> >
> >
> > Site A:
> >
> > Lan: 192.168.100.0/24
> >
> > Lan_IP: 192.168.100.1
> >
> > Transfer: 10.2.81.0/24
> >
> > Transfer_IP: 10.2.81.1
> >
> >
> > Site B:
> >
> > Lan: 10.2.82.0/24
> >
> > Lan_IP: 19.2.82.1
> >
> >
> > I'm doing a site-to-site IPsec which is working. I can ping from both
> routers (pfSense, Juniper) to each other (10.2.81.1 <-> 10.2.82.1) but not
> from the clients in my LAN (192.168.68.x <-> 10.2.82.x). I'm now trying to
> set up a Transfer-Net with NAT / BINAT routing:
> >
> >
> > Site B should reach the clients on site A via a 10.2.81.x IP address and
> not via a 192.168.100.x IP address. So I want to map 10.2.81.0/24 <->
> 192.168.100.0/24.
> >
> >
> > First I tried to do this via the NAT/BINAT setting inside the IPsec
> settings:
> >
> >
> > Site A IPsec Phase2
> >
> >
> > Local Network: 192.168.100.0/24
> >
> > NAT/BINAT translation: 10.2.81.0/24
> >
> > Remote Network: 10.2.82.0/24
> >
> >
> > That didn't work and I tried the same thing with 1:1 NAT from the
> Firewall tab:
> >
> >
> > Site A
> >
> >
> > External subnet IP 10.2.81.0
> >
> > Internal IP: 192.168.100.0/24
> >
> > Destination: 10.2.82.0/24
> >
> >
> >
> > No matter which mapping I choose, if I try to ping from 192.168.100.x to
> 10.2.82.x, pfSense routes the request through the WAN interface instead
> of the IPsec / Transfer-Net interface. How can I tell pfSense to route the
> traffic from my LAN through the IPsec tunnel (not WAN) and do the NAT?
> 
> You might be policy routing that traffic out the WAN interface using rules
> that match the traffic on the 192.168.100.0/24 interface with a gateway
> or gateway group set.
> 
> Try bypassing policy routing for the remote subnet using a pass rule
> above that with the destination 10.2.82.0/24 and no gateway set.
> 
> https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
> 
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold

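The rule-ordering point in Chris L's reply (a pass rule with no gateway placed above the policy-routing rule) and the 1:1 mapping Kilian is after can both be checked with a small model of how pfSense evaluates LAN rules top-down, first match wins, and applies a forced gateway before the routing table or IPsec SPD is ever consulted. This is an added example, not pfSense or pf code; the rule names, the WAN gateway 203.0.113.1 and all test addresses are constructed for illustration.

```python
"""
Model of pfSense-style first-match ("quick") LAN rules with policy routing,
plus 1:1 (BINAT) network translation. Added example for this thread; not
pfSense or pf code. Gateway 203.0.113.1 and all hosts are assumed values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One pass rule on the LAN interface; gateway=None means 'default',
    i.e. hand the packet to the system routing table / IPsec SPD."""
    src: IPv4Network
    dst: IPv4Network
    gateway: Optional[str] = None


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First matching rule decides: a forced gateway, 'routing-table', or
    'block' (pfSense's implicit default deny when nothing matches)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.gateway if rule.gateway else "routing-table"
    return "block"


def binat(addr: str, internal: IPv4Network, external: IPv4Network) -> IPv4Address:
    """1:1 network translation: keep the host bits, swap the network bits,
    as the Phase 2 NAT/BINAT field (192.168.100.0/24 -> 10.2.81.0/24) does."""
    a = ip_address(addr)
    if internal.prefixlen != external.prefixlen:
        raise ValueError("1:1 NAT needs equally sized networks")
    if a not in internal:
        return a  # not ours to translate
    host = int(a) - int(internal.network_address)
    return IPv4Address(int(external.network_address) + host)


# Addresses from the thread (Site A LAN, Site A transfer net, Site B LAN).
LAN = ip_network("192.168.100.0/24")
TRANSFER = ip_network("10.2.81.0/24")
REMOTE = ip_network("10.2.82.0/24")
ANY = ip_network("0.0.0.0/0")
WAN_GW = "203.0.113.1"  # assumed WAN gateway, not from the thread

# Rule set as described: a LAN rule with a gateway catches everything.
POLICY_ROUTED = [Rule(LAN, ANY, gateway=WAN_GW)]
# Bypass rule placed BELOW the policy-routing rule: never reached.
BYPASS_BELOW = [Rule(LAN, ANY, gateway=WAN_GW), Rule(LAN, REMOTE)]
# Fix from the reply: pass rule for the remote subnet, no gateway, ABOVE.
FIXED = [Rule(LAN, REMOTE), Rule(LAN, ANY, gateway=WAN_GW)]


def forward(rules: List[Rule], src: str, dst: str) -> Tuple[str, str]:
    """Return (path, source address as seen on the wire)."""
    verdict = evaluate(rules, src, dst)
    if verdict == "block":
        return ("blocked", src)
    if verdict != "routing-table":
        # Forced gateway: packet leaves via WAN, SPD and BINAT never apply.
        return ("WAN via " + verdict, src)
    if ip_address(dst) in REMOTE:
        # Routing table / SPD selects the tunnel; Phase 2 BINAT rewrites src.
        return ("IPsec", str(binat(src, LAN, TRANSFER)))
    return ("routing-table", src)


if __name__ == "__main__":
    for name, rs in (("as-described", POLICY_ROUTED),
                     ("bypass-below", BYPASS_BELOW),
                     ("bypass-above", FIXED)):
        print(name, forward(rs, "192.168.100.10", "10.2.82.5"))
```

Running it shows the same LAN-to-remote ping taking the WAN gateway in the first two rule sets and the tunnel, with its source rewritten to 10.2.81.10, only when the no-gateway rule sits above the policy-routing rule; Internet-bound traffic from the fixed set still goes out the WAN gateway, which is the ordering the Bypassing_Policy_Routing page describes.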
