
Due to bad design and hosting provider constraints I have a network where I don't control the router.

Our network:

- 172.16.0.0/12 - LAN
- x.x.x.0/24 - WAN (Router is connected to the switches, we have no control over it)
- 192.168.253.0/24 - IPSec client network
- 172.16.0.50/12 - PFsense internal IP
- x.x.x.251/24 - PFsense internet IP

We're using PFSense 2.2.6.

I have configured IPsec remote access using this guide: https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

It works fine as long as I add a static route to the destination server (`ip r add 192.168.253.0/24 via 172.16.0.50`). Of course it won't work in any other situation, because my main router isn't familiar with PFsense or anything in the LAN segment. It only has an interface in the WAN subnet.

Is there a way to make my remote clients have IP within the 172.16.0.0/12 subnet once they connect? Can I NAT their traffic from 192.168.253.0/24 to some address at 172.16.0.0/12?

Please see attached diagram. Green side is LAN. I'd like to achieve NAT from the tunnel network (192.168.253.0/24) to LAN (172.16.0.0/12) using LAN IP.

Thanks!

Network Diagram

Yoav

1 Answer


Found the solution.

Created an Outbound NAT rule on the LAN interface. Source is the tunnel network, destination is the LAN network.

Source IP is always the firewall IP, but that's something I can live with.

Yoav
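As an added illustration (not part of the question or the answer above), here is a small Python model of the return-path problem and of the outbound NAT rule from the answer. The addresses are the ones given in the question; the route-lookup and NAT-match logic is a simplification written for this example, not pfSense's own code.

```python
import ipaddress

# Addresses taken from the question.
LAN_NET = ipaddress.ip_network("172.16.0.0/12")
TUNNEL_NET = ipaddress.ip_network("192.168.253.0/24")
PFSENSE_LAN_IP = ipaddress.ip_address("172.16.0.50")


def outbound_nat(src, dst, lan_if_ip=PFSENSE_LAN_IP):
    """Model of the answer's outbound NAT rule on the LAN interface:
    source = tunnel network, destination = LAN network, translate the
    source to the interface address. Any other packet is left untouched.
    This is why LAN servers only ever see the firewall IP as the client."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in TUNNEL_NET and dst in LAN_NET:
        return lan_if_ip
    return src


def lan_host_reply_next_hop(reply_dst, host_routes=()):
    """Where a LAN server sends its reply (simplified longest-match lookup):
    on-link if the destination is inside its connected /12, otherwise via a
    matching static route, otherwise via the default gateway, which in the
    question is the uncontrolled router that knows nothing about the tunnel."""
    reply_dst = ipaddress.ip_address(reply_dst)
    if reply_dst in LAN_NET:
        return "on-link"
    best = None
    for net, gw in host_routes:
        net = ipaddress.ip_network(net)
        if reply_dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw)
    return best[1] if best else "default-router"


def reply_path(client_ip, server_ip, use_nat, host_routes=()):
    """Combine both steps: which address the server replies to, and where
    that reply is forwarded. 'default-router' means the reply is lost."""
    seen_src = outbound_nat(client_ip, server_ip) if use_nat else ipaddress.ip_address(client_ip)
    return str(seen_src), lan_host_reply_next_hop(seen_src, host_routes)


if __name__ == "__main__":
    # Constructed sample: an IPsec client talking to a LAN server.
    print(reply_path("192.168.253.10", "172.16.5.20", use_nat=False))
    print(reply_path("192.168.253.10", "172.16.5.20", use_nat=False,
                     host_routes=[("192.168.253.0/24", "172.16.0.50")]))
    print(reply_path("192.168.253.10", "172.16.5.20", use_nat=True))
```

The three calls correspond to the question's failing case, the per-server static route workaround, and the accepted outbound NAT fix.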