0 votes
544 views 2 comments
by anonymous

We have an IPsec VPN connection to another location. Unfortunately, the subnet on the other side is already in use and we cannot renumber the subnet. For this we want to use a transfer network. The router on the other side is a RUT950. So we want to go from 172.28.0.0/23 to 10.0.3.0/24. The transfer network is 10.131.250.0/24.

We made a SNAT rule.

1 Answer

0 votes
by anonymous
Hello,

I would like to clarify a couple of points:

a. You have a LAN subnet that is already used by another device.

b. You cannot change subnets to not overlap.

c. You want to basically hide the LAN subnet under another subnet so that each IP would get an "alias", i.e. 172.28.0.1 ---> 10.0.3.1, 172.28.0.2 ---> 10.0.3.2, 172.<...> ---> 10.<...>, 172.28.0.254 ---> 10.0.3.254

Would that be the case?

Best regards,
Vidas.
by anonymous

Hi Vidas,

a. You have LAN subnet that is already used by another device.

This is correct

b. You cannot change subnets to not overlap

This is correct

c. You want to basically hide LAN subnet under another subnet that each IP would get "alias" i.e 172.28.0.1 ---> 10.0.3.1, 172.28.0.2 ---> 10.0.3.2, 172.<...> ---> 10.<...>, 172.28.0.254 ---> 10.0.3.254

We need to rewrite the source IP range to the NAT IP range. 172.28.0.0/23 is the subnet at our office. If we select 10.131.250.1 we want to go to 10.0.3.1, if we select 10.131.250.2 we want to go to 10.0.3.2, etc.

We didn't see a specific setting for DNAT (Destination NAT). I don't know if it is possible at the router.

We hope you can help us,

kind regards,

Niek

by anonymous

Hi Niek,

It would be possible to do with DNAT and SNAT rules, but they are not applicable to ranges, so I do understand being reluctant to set up individual rules for each device, as it is both time and effort consuming.

There is another option, using a NETMAP iptables rule; however, that also has a couple of cons:

  1. It is unavailable as a WebUI configuration and would require usage of CLI commands.
  2. The rule is removed after reboot.

Both of the cons are easy to "workaround" with a single action, but I just want you to understand the situation overall.

-------------------------------------------------------------------------------------------------------------------------------

CLI command to use:

    iptables -t nat -I PREROUTING -d <Nat'ed_subnet> -j NETMAP --to <LAN_subnet>

As per your example, for LAN 10.131.250.0/24 to be NAT'ed to 10.0.3.0/24, the command would be:

    iptables -t nat -I PREROUTING -d 10.0.3.0/24 -j NETMAP --to 10.131.250.0/24

Executing it via the SSH/CLI interface will give you the result that you desire. In another location you would need to change the first range, for example to 10.0.4.0/24, and you would be able to reach both of those locations on the 10.0.3.0/24 and 10.0.4.0/24 subnets respectively, while their actual LAN subnets would be the same (10.131.250.0/24).

Now for the rule being removed after reboot. To mitigate this you would need to utilize User Scripts in the WebUI or edit the /etc/rc.local file via CLI and add said command there before exit 0:

    # Put your custom commands here that should be executed once
    # the system init finished. By default this file does nothing.

    # Map destinations in 10.0.3.0/24 onto the LAN 10.131.250.0/24
    # (NETMAP in PREROUTING rewrites the destination address).
    iptables -t nat -I PREROUTING -d 10.0.3.0/24 -j NETMAP --to 10.131.250.0/24

    exit 0

This way the iptables rule will be executed every time the router boots up, and it should NAT your subnet to the one that you set up.

Hope this helps.

Regards,
Vidas.
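
The address arithmetic behind the NETMAP rule discussed in this thread, as an added example that is not part of the original posts: NETMAP takes the network bits from the `--to` subnet and keeps the host bits of the original address, so the mapping is only one-to-one when both subnets have the same prefix length. The function names `netmap` and `collisions` are hypothetical helpers written for this illustration; the subnets are the ones quoted in the thread.

```python
import ipaddress
from collections import defaultdict


def netmap(addr, match_net, to_net):
    """Return the address NETMAP would produce for addr, or None if the
    rule (matching match_net, mapping with --to to_net) does not apply."""
    ip = ipaddress.ip_address(addr)
    match = ipaddress.ip_network(match_net)
    to = ipaddress.ip_network(to_net)
    if ip not in match:
        return None
    mask = int(to.netmask)
    # Bits that are 1 in the --to mask come from the --to network,
    # bits that are 0 are kept from the original address.
    host_bits = int(ip) & ~mask & 0xFFFFFFFF
    return ipaddress.ip_address((int(to.network_address) & mask) | host_bits)


def collisions(match_net, to_net):
    """Map every address in match_net and return only the translated
    addresses that more than one original address ends up on."""
    seen = defaultdict(list)
    for ip in ipaddress.ip_network(match_net):
        seen[str(netmap(ip, match_net, to_net))].append(str(ip))
    return {new: olds for new, olds in seen.items() if len(olds) > 1}


if __name__ == "__main__":
    # Same prefix length on both sides: a clean 1:1 alias for every host.
    for host in ("10.0.3.1", "10.0.3.2", "10.0.3.254"):
        print(host, "->", netmap(host, "10.0.3.0/24", "10.131.250.0/24"))
    print("collisions /24 -> /24:",
          len(collisions("10.0.3.0/24", "10.131.250.0/24")))

    # Constructed failure case: a /23 squeezed into a /24 loses one
    # network bit, so two originals share each translated address.
    clash = collisions("172.28.0.0/23", "10.0.3.0/24")
    print("collisions /23 -> /24:", len(clash))
    print("10.0.3.5 <-", clash["10.0.3.5"])
```

A /23 office range therefore needs a /23 alias range (or two /24 rules) if every host must keep a distinct translated address.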