Todo #15796
open  Feedback on Client Routing and Gateway Considerations
0%
Description
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/client-routing.html
Outbound NAT is not listed as an option when it is a great solution with minimal or no side effects.
Create an Outbound NAT rule with the source network as the remote network, and NAT it to the interface and address of the local VPN endpoint. Following the illustration on the page:
Create the Outbound NAT rule on the Site A VPN Endpoint (10.3.0.20).
Interface: FW LAN
Protocol: Any
Source: 10.5.0.0/24
Destination: 10.3.0.0/24
Address: Interface Address
The result is that all traffic from Site B (10.5.0.0/24) will appear to be coming from 10.3.0.20, which the existing LAN Gateway will naturally route. This does mask the true source of the traffic from Site A's perspective, but that's not a concern in many cases.
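To make the effect of that rule concrete, the following is a small Python model of what the Outbound NAT rule does to a flow. It is an added example, not part of this issue or of pfSense/pf itself: the interface name "lan", the hosts 10.5.0.10 and 10.3.0.50, the ports and the state-table layout are constructed for the demo, and the port allocation is a simplification of pf's behaviour. Only the address plan (10.5.0.0/24 at Site B, 10.3.0.0/24 at Site A, endpoint 10.3.0.20) comes from the issue. It shows the source rewrite on the way to the LAN, the reverse translation of the reply, and, as the description notes, that the Site A host only ever sees 10.3.0.20 as the client.

```python
"""Model of the Outbound NAT rule from the issue: packets from the remote
Site B network (10.5.0.0/24) that leave the Site A VPN endpoint's LAN
interface toward 10.3.0.0/24 are re-sourced to the endpoint's own LAN
address (10.3.0.20). Hosts, ports and packets are constructed for the demo."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str                      # pfSense "Interface" field (assumed name: lan)
    source: ipaddress.IPv4Network       # "Source"
    destination: ipaddress.IPv4Network  # "Destination"
    nat_address: str                    # "Address: Interface Address", resolved

    def matches(self, pkt, egress_iface):
        return (egress_iface == self.interface
                and ipaddress.ip_address(pkt.src) in self.source
                and ipaddress.ip_address(pkt.dst) in self.destination)


class NatTable:
    """Minimal pf-like source NAT: rewrite on egress, undo it on the reply."""

    def __init__(self, rule, first_port=50000):
        self.rule = rule
        self.next_port = first_port  # simplified: pf chooses a random high port
        # (proto, nat_addr, nat_port, dst, dport) -> (orig_src, orig_sport)
        self.states = {}

    def egress(self, pkt, iface):
        """Packet leaving `iface`; returns the translated packet or the original."""
        if not self.rule.matches(pkt, iface):
            return pkt
        # The source port is rewritten too unless static-port is set; that and
        # the lost source address are why NAT breaks protocols that need a
        # fixed source port or carry addresses inside the payload.
        nat_port = self.next_port
        self.next_port += 1
        key = (pkt.proto, self.rule.nat_address, nat_port, pkt.dst, pkt.dport)
        self.states[key] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.rule.nat_address, nat_port, pkt.dst, pkt.dport)

    def ingress_reply(self, pkt, iface):
        """Reply arriving on `iface` addressed to the NAT address; reverse it."""
        if iface != self.rule.interface:
            return pkt
        state = self.states.get((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if state is None:
            return pkt
        orig_src, orig_sport = state
        return Packet(pkt.proto, pkt.src, pkt.sport, orig_src, orig_sport)


def run_scenario():
    rule = OutboundNatRule("lan", ipaddress.ip_network("10.5.0.0/24"),
                           ipaddress.ip_network("10.3.0.0/24"), "10.3.0.20")
    nat = NatTable(rule)
    # Constructed flow: a Site B host opens HTTPS to a Site A LAN host.
    request = Packet("tcp", "10.5.0.10", 41234, "10.3.0.50", 443)
    on_lan = nat.egress(request, "lan")
    # The Site A host answers what it saw: the endpoint address, not 10.5.0.10.
    reply = Packet("tcp", "10.3.0.50", 443, on_lan.src, on_lan.sport)
    back_to_tunnel = nat.ingress_reply(reply, "lan")
    # A destination outside 10.3.0.0/24 does not match the rule and is untouched.
    other = Packet("udp", "10.5.0.10", 5000, "10.3.1.9", 53)
    return {"on_lan": on_lan,
            "seen_by_site_a_host": on_lan.src,
            "reply_to_site_b": back_to_tunnel,
            "untouched": nat.egress(other, "lan")}


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Run it and compare `seen_by_site_a_host` with the original client address: anything on the Site A side (host firewall logs, application audit logs, IDS) records 10.3.0.20, which is the trade-off the description acknowledges.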
Updated by Jim Pingle 30 days ago
- Assignee set to Jim Pingle
That is probably worth mentioning there, with appropriate warnings about the source being lost. It should be a last resort, however, since NAT can break some protocols and having the original source is important from a security standpoint.
We do mention that sort of tactic elsewhere, at least in the HA section at https://docs.netgate.com/pfsense/en/latest/troubleshooting/ha-vpn-secondary.html