How to route from

Ok, I know the title seems a bit stupid, but… it makes a little sense.
My Green interface is subnetted and I have a TUN OpenVPN on
Sometimes a person needs to connect via OpenVPN (client on a computer) and has to access some addresses (not only 1) on Green. Obviously, the network for his LAN is

AFAIK I have 3 options:

  1. Change LAN addressing of the client from
  2. Change green addressing
  3. Do something smarter with routing and masquerading, without changing the addressing/subnet of either LAN.

And option 3 is why I opened this thread.

FWIW, if the IP address to access is only 1, maybe port forwarding could do the trick. I know that with multiple addresses and the same port, maybe port translating could do the trick.

But… why not read some interesting things? :wink:

Thanks for your time.


Ask here if you find it hard, I’ll go looking for some examples.

1 Like

Therefore, a little “link” for people…
This is the example…

Long story short, the solution should be SNAT+DNAT and DNAT+SNAT.
And these are the rules for Shorewall 4.4.22 or earlier:

The entries in /etc/shorewall/netmap in firewall1 would be as follows:

#TYPE NET1           INTERFACE        NET2
SNAT vpn            #RULE 1A
DNAT  vpn           #RULE 1B

The entry in /etc/shorewall/netmap in firewall2 would be:

#TYPE NET1           INTERFACE        NET2
DNAT  vpn           #RULE 2A
SNAT vpn            #RULE 2B

And these are for Shorewall 4.4.23 or later; according to the link…

Beginning with Shorewall 4.4.23, you can bridge two duplicate networks with one router, provided that your kernel and iptables include Rawpost Table Support. That support is used to implement Stateless NAT which allows for performing DNAT in the rawpost table POSTROUTING and OUTPUT chains and for performing SNAT in the raw table PREROUTING chain. Using this support, only firewall1 requires /etc/shorewall/netmap. Two additional entries are added.

#TYPE NET1            INTERFACE        NET2
SNAT vpn    
DNAT  vpn    
SNAT:P vpn    
DNAT:T  vpn    

I’ll try to have some fun with these settings in my environment. I’m quite sure it will be a real mess during tests…

1 Like

This is a really nice Shorewall feature I didn’t know about before. Thanks.

This would have been my solution. In this case changing the client’s home LAN would be the easiest way.

Maybe this scenario fits better to yours:

This is my scenario, so that’s why I need to rethink the firewall implementation.

[quote=“mrmarkuz, post:4, topic:8020”]
This would have been my solution. In this case changing the client’s home LAN would be the easiest way.
[/quote]
And this is viable, because the IP addresses on the Green network are few (an AP, two switches, the firewall, three MFPs), but it’s my last resort. Sometimes the home LAN of a roadwarrior is not changeable…
I would like to find a good solution, not an easy one.
Maybe next time I won’t be that lucky to have time and opportunity to find a better way :wink:

Sorry, I think you misunderstood me. Changing the networks was my solution until today, because now I know Shorewall netmap; sorry for my bad English, past tense somewhat…

Like you, I am looking for a good solution which may also be easy.
Did you notice the advice in the link?

port 1195
push “route”

In /etc/shorewall/netmap, put these entries:

SNAT		tun1
DNAT		tun1	

The roadwarrior can now connect to port 1195 and access the LAN on the right as
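The netmap mechanism behind both the two-firewall SNAT/DNAT pairs earlier in the thread and the single-firewall roadwarrior entries just above, as an added simulation; this is not code from the thread or from Shorewall, and every subnet in it (Green and home 192.168.1.0/24, alias 10.10.10.0/24, TUN 10.8.0.0/24) is a constructed placeholder. It shows why the client is pushed a route to the alias net rather than to Green’s real range, and how each side sees the addresses of a request and its reply.

```python
"""Added example (not from the thread or Shorewall): simulate the netmap
double-NAT that lets a roadwarrior whose home LAN overlaps the office Green
LAN reach Green hosts via an alias network. All subnets are placeholders."""
from ipaddress import ip_address, ip_network

GREEN = ip_network("192.168.1.0/24")  # office LAN on the Green interface
HOME = ip_network("192.168.1.0/24")   # roadwarrior's home LAN, same range
ALIAS = ip_network("10.10.10.0/24")   # alias net the VPN pushes a route for
TUN = ip_network("10.8.0.0/24")       # OpenVPN TUN network


def netmap(addr, net1, net2):
    """NETMAP semantics: keep the host bits, swap the prefix net1 -> net2."""
    addr = ip_address(addr)
    if addr not in net1:
        return addr  # entry does not match; address unchanged
    if net1.prefixlen != net2.prefixlen:
        raise ValueError("NETMAP needs equal-size networks")
    host_bits = int(addr) - int(net1.network_address)
    return ip_address(int(net2.network_address) + host_bits)


def client_route(dst):
    """Where the client's own routing table sends a packet for dst."""
    dst = ip_address(dst)
    if dst in HOME:
        return "home-lan"  # connected route wins: Green's real range never enters the VPN
    if dst in ALIAS or dst in TUN:
        return "tun"  # the pushed alias route sends it into the tunnel
    return "default"


def firewall_in(src, dst):
    """Entry 'DNAT ALIAS tun1 GREEN': a packet entering tun1 with its
    destination in ALIAS gets that destination rewritten into GREEN."""
    return str(src), str(netmap(dst, ALIAS, GREEN))


def firewall_out(src, dst):
    """Entry 'SNAT GREEN tun1 ALIAS': a packet leaving via tun1 with its
    source in GREEN gets that source rewritten into ALIAS (conntrack does
    the same for replies to DNATed flows; this entry also covers
    Green-initiated connections)."""
    return str(netmap(src, GREEN, ALIAS)), str(dst)


def round_trip(client, alias_target):
    """Request client -> alias_target and its reply, as each side sees them."""
    if client_route(alias_target) != "tun":
        raise RuntimeError(f"{alias_target} would not enter the tunnel")
    req_src, req_dst = firewall_in(client, alias_target)  # what the Green host sees
    rep_src, rep_dst = firewall_out(req_dst, req_src)  # what the client sees
    return {"green_sees": (req_src, req_dst), "client_sees": (rep_src, rep_dst)}
```

The same prefix swap applies to the two-firewall variant: each site routes to the other’s alias net, and the netmap entries on each firewall translate the alias into the real range on the way in and back out.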

The firewall distro that I am using in this environment does not allow two OpenVPN servers. Or better: maybe it is allowed, I’m still not sure about that, but it’s quite far from the web GUI level of access.

Maybe I also misunderstood you; it’s always possible when the language is often used, but is not the native one of whoever is writing. :slight_smile:
Anyway, thanks for your time; maybe this solution could help someone with the same kind of issue :wink:

1 Like

I’ve had to do this for a large company / enterprise about 20 years ago. They bought control of a company in Germany and wanted their networks hooked up.

Some luck: despite using an unusual choice of 172.x.x.x as the enterprise network, so was this company, both thinking it’s unusual.

Long story cut short: I did it using a form of double NATting and a lookup table, mapping the entire network of the subsidiary in Germany to another network range. Today it would be MUCH easier to do this.


You don’t really want to!

  • Having two networks with same IP ranges is always a BIG headache when troubleshooting.
  • Is it my local server or remote server with the IP causing problems?
  • Or is my DNS showing the real server or the remote server?
  • DNS is another BIG headache in double IP networks - no one really wants to go there!
  • Monitoring two identical Networks with tools like Zabbix / Nagios / whatever is more work than benefit.

It is much easier, and definitely best practice, if each node in the whole network (VPNs and all interconnected sites) has a consistent numbering / naming scheme.

–> If possible, change the Network IP of one of the involved sites.

Also Best Advice for all of you in Networking:

NEVER set up a client’s network using any of the following IP ranges:


A lot of hardware like WLAN routers comes preconfigured with IPs in that range. Now an employee buys himself a wireless router for home use and thinks: well, I have time in my break, I’ll just hook it up to the LAN…
Now: if your main router also has that same IP, and worse, both are doing DHCP services, within minutes some hosts can reach the Internet and some can’t. Or none, due to IP conflict!

Just evade those IP ranges, especially if you’re free to set up the network!

My 2 cents!


You’re totally right @Andy_Wismer. And a business partner hates me because I’m quite “creative” with subnets and addressing. He would always like the same subnet for all customers, but that’s bad, or as written in a nested-group-related topic, cube-bad.
I loved to misuse Class-B subnetting, but I have a little problem called “biggest ISP in Italy” which is using Class-B subnets in its infrastructure. But I am able to ping/route them (crap!).


Sometimes you can’t decide the subnetting. Sometimes ’cause your LART is too weak, sometimes ’cause the job of changing the addressing is huge on one of the sides.
This is not the case: I have time to think of more than one solution and test it. And I have an escape path called “change subnet for the whole office”, which is really viable.

Maybe tomorrow I won’t have any other option than to use the same subnet on both sides of a VPN connection, but not enough time to create, evaluate and test a good solution.
So this testbench could be… a little Swiss knife in time of need.
A Swiss knife is a great tool, but not a good one. Because it can cut, screw, open, saw, slice. But it’s not a good screwdriver, a good knife, a good pair of scissors, a good can opener…

Thanks for your experience @Andy_Wismer, believe me I share most of your beliefs about subnetting. For a customer I sliced it into 5 different subnets for devices and connections… :wink:


Have a peek at the OPNsense Distro. They have also hardware boxes at a reasonable price.

I find it a bit better than the much mentioned pfSense. Both come from a MonoWall basis (same as FreeNAS!) using an unusual XML / PHP boot system instead of the usual etc. And on FreeBSD, not your average Linux.

The original developer (Manuel Kasper, also a Swiss like me) of MonoWall also endorses OPNsense.

It has all the bells and whistles you need from open source, combines IPsec AND OpenVPN, and is even easy to fix when a problem arises. Had a case of a defective SD; they used a Transcend, which is good quality in my opinion. Changed it with a 20.- SD from the local store. Up and running within the hour.

As with any decent open source, you have the option to download a live CD or USB image to test it on ANY box lying around. Or use a VM; it works very well in both situations. The live CD (or USB stick) can be installed on an empty disk or SD. Use Etcher to burn the image to an SD or USB.

You might be in for a pleasant surprise… :wink:

BTW: what’s your language / region? I’m English / German, based in Switzerland, and can also handle some French and Italian.

As to [quote=“pike, post:9, topic:8020”]
biggest ISP in italy
[/quote]

I think that’s with all / most ex-state owned monopolists. We’ve got that same problem with a few providers here in Switzerland. :wink:

Best regards

You’re writing it the wrong way, man. It was m0n0wall, as Manuel wrote in the FAQ. :smiley:

I’m Italian and I speak Italian; I hope my English is not that bad…

Anyway, I was thinking during the weekend about these rules for SNAT+DNAT…

And I was thinking: which subnet should a site look for to access the other one?

The rules say
Site 1 =>route to for reaching Site 2
Site 2 =>route to for reaching Site 1

But my head still says that it’s not correct…

By the way… long story short.

Green network migrated from to Few devices to reconfigure…

  • an AD server
  • a firewall
  • 4 clients into DHCP
  • 3 MFP
  • two switches and an AP

allowing me to create a Blue interface for another subnet ( of course) used for the small network of a server (which had the same IP address as the AD server) and a couple of clients; thanks to VNC, I was able to allow remote connection without leaving the desk. Pretty nice. Adding some firewall rules allows printing from the Blue network to the MFPs on Green; another useful feature.
OpenVPN roadwarriors went to another TUN subnet ( and I created user-based ACLs for different network segments. All subnets and segments for the IT man, the whole Green for the owner, RDP to specific hosts for a couple of remote users.

The research done for this case was quite useful in another couple of cases on USG devices by Zyxel.

DNAT has been applied to the L2TP connection, allowing any device (which is always outside the Green interface) from to connect to any device mapped on


Just last week I had a problem at a doctor’s place. He had the local ex-monopolist (Swisscom) doing telephony (VoIP) and they required a change of router… Nothing special about that.

The Router is nothing special, because of VoIP we can’t change it into a “real” firewall.
Still ok with me…

But then the guy came by and changed the router box. Didn’t even bother to transfer the configuration. Asked to deactivate DHCP on the box, he agreed, and asked to do port forwarding (one single port!), he agreed and confirmed both tasks were completed.

An hour later, only 50% of the net was working. DHCP poisoning. The router was faster than the server, and gave out wrong addresses. Especially the wrong DNS. Servers weren’t found, the X-ray system (DICOM imaging) wasn’t found. Two hours later even the Internet wouldn’t work, neither would half the phones.

Had to remote set the router correctly.

At least the guy could admit he couldn’t do it, instead of leaving the client to run into a wall!


my 2 cents

1 Like