Problem with VPN IPsec and 1:1 NAT [SOLVED]

Hi. I have a problem with my hEX lite.
I have a VPN with IPsec connected, but I have to do 1:1 NAT from 192.168.88.1/24 to 10.150.225.0/25, and I did not manage to test it with a ping. I have put the current configuration in the attached images.

Thanks.
Captura de pantalla 2018-08-23 a las 22.04.24.png
Captura de pantalla 2018-08-23 a las 22.04.02.png

In ROS, a more specific rule should always be above the more general one. And you don't need a dst-nat rule; the connection tracker will do the reverse translation by itself. A dst-nat rule is needed only for NAT-unaware connections.

Now I'm already pinging an IP at the other end of the VPN, but now the internet does not work for me. I only get pings to the IP at the other end of the VPN. Could it be that I have the order of the rules wrong?
Captura de pantalla 2018-08-24 a las 19.32.08.png
Captura de pantalla 2018-08-24 a las 19.31.53.png
Thank you very much.

For a start, it can't be exactly 1:1 between /24 and /25.

Second, your extra static routes are useless when they have the same gateway as the default route. Packets would take the same route anyway.

And finally, the meaning of your srcnat rules (assuming there are no hidden options) is:

#0: don’t do srcnat when source is in 10.150.255.0/25 and destination in 10.0.0.0/8
#2: change source to 10.150.255.0/25 when original source was 192.168.88.0/24 (applies to any destination!)
#3: masquerade source when outgoing interface is pppoe-out1

The problem is that the first matching rule is used, and for anything coming from LAN 192.168.88.0/24 it's going to be #2. But for connections to the internet, you'd need it to be #3.

Update #2 to have dst-address=10.0.0.0/8 (if that’s your remote network). And you can get rid of #0.
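The first-match behaviour described in the reply above, as an added example that is not part of the original thread or of RouterOS itself. It models the three srcnat rules as listed in the reply and the suggested fix; the action labels and the sample packet addresses (192.168.88.10, 8.8.8.8, 10.1.2.3) are constructed assumptions.

```python
import ipaddress

# Constructed model of the srcnat chain from the reply (rule numbers and
# prefixes as quoted there; action labels are assumptions for illustration).
BEFORE = [
    {"id": 0, "src": "10.150.255.0/25", "dst": "10.0.0.0/8", "out": None,
     "action": "accept (no NAT)"},
    {"id": 2, "src": "192.168.88.0/24", "dst": None, "out": None,
     "action": "rewrite source into 10.150.255.0/25"},
    {"id": 3, "src": None, "dst": None, "out": "pppoe-out1",
     "action": "masquerade"},
]

# Suggested fix: rule #2 only applies towards the remote network, #0 removed.
AFTER = [
    {"id": 2, "src": "192.168.88.0/24", "dst": "10.0.0.0/8", "out": None,
     "action": "rewrite source into 10.150.255.0/25"},
    {"id": 3, "src": None, "dst": None, "out": "pppoe-out1",
     "action": "masquerade"},
]


def first_match(rules, src, dst, out_if):
    """Return the id of the first rule whose matchers all fit, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule["src"] and s not in ipaddress.ip_network(rule["src"]):
            continue
        if rule["dst"] and d not in ipaddress.ip_network(rule["dst"]):
            continue
        if rule["out"] and rule["out"] != out_if:
            continue
        return rule["id"]
    return None


if __name__ == "__main__":
    # Constructed sample packets leaving a LAN host via pppoe-out1.
    packets = {
        "internet": ("192.168.88.10", "8.8.8.8", "pppoe-out1"),
        "remote VPN": ("192.168.88.10", "10.1.2.3", "pppoe-out1"),
    }
    for name, pkt in packets.items():
        print(f"{name}: before=#{first_match(BEFORE, *pkt)} "
              f"after=#{first_match(AFTER, *pkt)}")
```

With the original ordering, internet-bound traffic from the LAN is caught by #2 and never reaches the masquerade rule; with `dst-address` added to #2 it falls through to #3 while VPN-bound traffic still hits #2.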

Hi. I understood your explanations and modified the configuration as you said, but it remains the same: for eth3 I do not get to the internet, only to the remote VPN. I have attached captures of the modified configuration.
Captura de pantalla 2018-08-24 a las 22.07.54.png
Thanks in advance.