OK, typical scenario where all remote subnets have the same subnet so I am trying to SNAT inbound/outbound on VPN. It seems the destination NAT setting on tunnel performs the SNAT outbound and I have this working. However, I cannot seem to figure out how to configure the SNAT mapping for inbound traffic.
So the local subnet on the Digi side of the tunnel is a fake subnet of 192.168.10.0/24. I have set up an interface/zone called FAKE1 for this. The "real" subnet is LAN1, which is 10.0.0.0/24. One of the remote subnets is 10.20.0.0/16. With the destination NAT address set up to include my remote subnets, the outbound SNAT is working. I can get from 10.0.0.0/24 to remote subnets on the HUB side. However, I cannot find how to do the inbound NAT on the VPN so that traffic coming from 10.20.0.0/16 going to 192.168.10.0/24 gets 1:1 NAT to 10.0.0.0. How do I set up inbound NAT mapping on the VPN tunnel to achieve this?
I assume your router runs a DAL system.
You need to add custom firewall rules like the ones below:
iptables -t nat -I PREROUTING -i "interface name" -d 192.168.10.0/24 -j NETMAP --to 10.0.0.0/24
iptables -t nat -I POSTROUTING -o "interface name" -s 10.0.0.0/24 -j NETMAP --to 192.168.10.0/24
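To make the effect of the two NETMAP rules above concrete, here is an added simulation (not part of the thread and not Digi's code) of what a 1:1 NETMAP does to an address: the host bits are kept and only the network bits are swapped, so 192.168.10.230 becomes 10.0.0.230 on the way in and 10.0.0.230 becomes 192.168.10.230 on the way out. The packet fields, the remote host 10.20.0.4 and the target 192.168.10.230 are taken from the thread; the chain functions and the Packet type are my own modelling assumptions, and the reply translation that conntrack performs in a real kernel is modelled here by applying the reverse rule, which gives the same result because the mapping is symmetric.

```python
import ipaddress
from dataclasses import dataclass, replace

# Subnets from the thread: the "fake" subnet advertised over the VPN and the real LAN.
FAKE_NET = "192.168.10.0/24"
REAL_NET = "10.0.0.0/24"


@dataclass(frozen=True)
class Packet:
    # Minimal packet model (assumption): only the addresses NAT touches.
    src: str
    dst: str


def netmap(addr: str, match_net: str, to_net: str) -> str:
    """1:1 NETMAP: if addr lies in match_net, keep its host bits and
    replace the network bits with those of to_net; otherwise leave it alone.
    NETMAP only makes sense for two subnets of the same prefix length,
    so unequal sizes are rejected instead of silently mis-mapped."""
    a = ipaddress.ip_address(addr)
    m = ipaddress.ip_network(match_net, strict=False)
    t = ipaddress.ip_network(to_net, strict=False)
    if m.prefixlen != t.prefixlen:
        raise ValueError("NETMAP requires equal-sized subnets")
    if a not in m:
        return addr
    host_bits = int(a) & int(m.hostmask)
    return str(ipaddress.ip_address(int(t.network_address) | host_bits))


def prerouting(pkt: Packet) -> Packet:
    """Models: iptables -t nat PREROUTING -i <vpn> -d FAKE_NET -j NETMAP --to REAL_NET
    (inbound from the tunnel: rewrite the destination)."""
    return replace(pkt, dst=netmap(pkt.dst, FAKE_NET, REAL_NET))


def postrouting(pkt: Packet) -> Packet:
    """Models: iptables -t nat POSTROUTING -o <vpn> -s REAL_NET -j NETMAP --to FAKE_NET
    (outbound into the tunnel: rewrite the source)."""
    return replace(pkt, src=netmap(pkt.src, REAL_NET, FAKE_NET))


def request_reply(remote_host: str, fake_target: str):
    """Trace one echo request from the remote side and the reply coming back.
    Returns (request as seen by the real LAN host, reply as seen on the tunnel)."""
    request = prerouting(Packet(src=remote_host, dst=fake_target))
    # The real host answers with src/dst swapped; the outbound rule maps the
    # real source back to its fake address so the remote side sees what it pinged.
    reply = postrouting(Packet(src=request.dst, dst=request.src))
    return request, reply


if __name__ == "__main__":
    req, rep = request_reply("10.20.0.4", "192.168.10.230")
    print("request after PREROUTING :", req)
    print("reply after POSTROUTING  :", rep)
```

Running it shows the ping from 10.20.0.4 to 192.168.10.230 arriving at 10.0.0.230 and the reply leaving the tunnel with source 192.168.10.230, which is exactly the behaviour the thread is after; an address outside the matched subnet passes through untouched.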
OK, I tried that.
When I am on the 10.20.0.0/16 network and I try to ping 192.168.10.230, hoping it would translate to 10.0.0.230 and respond, it fails. I tried override, rebooting, etc. No luck. Do I need SNAT turned on for one of the IPSec or FAKE1 zones?
Surely it should be the VPN interface name if you are using IPSec VPN.
OK, IPSec is the zone set for the VPN tunnel.
I have enabled Source NAT for that zone.
Still not working…
Again, the outbound VPN SNAT seems to work without custom rules.
You missed the VPN interface name in the custom rules. It looks like a formatting issue on the website.
Please take a look at my first reply again. I edited the initial post.
You don't need to configure SNAT via the GUI anymore with these rules.
I recommend you open a support case at firstname.lastname@example.org
Appreciate the update, I added the VPN in there and still it doesn't work.
Should I delete my FAKE1 interface/zone that is 192.168.10.0/24?
You need to assign any IP address of the fake network 192.168.10.0/24 to the loopback interface (firewall zone internal) and add this subnet 192.168.10.0/24 to the IPSec VPN policy. That is all.
Ok, I got the rules with correct syntax now - verified by putting them in via CLI.
I enter 192.168.10.201/24 as my loopback address.
Now the VPN NAT seems to be working when pinging, behavior as expected.
However, I can no longer log into my web interface to admin the device after setting loopback.
Also, when I try to pull up the web browser for the device at 10.0.0.230 via 192.168.10.230 from 10.20.0.4, nothing resolves, but I can ping 192.168.10.230.
Also, I can't get to the web admin through the VPN tunnel internal IP either.
At this point, I would recommend emailing us at email@example.com to get a case going to resolve the last portion of your question. Then we can track the changes and information more easily.