Routing thru ipsec

NethServer Version: 7.9.2009

I have a router with 4 ports:

  • Port 1: Local LAN (green) with IP
  • Port 2: Guest LAN (blue)
  • Port 3: Wan Connection 1
  • Port 4: Wan Connection 2

I have created an ipsec connection throu WAN 2 to an external company. This external company gave me an address family and I have to NAT it to my local LAN ( Then I have assigned an IP alias to port 1. With this configuration I can ping the remote IP thru ipsec, but I can’t ping the remote machines from the PC on local LAN (green).

Can you help me to set the router so that traffic to remote machines is forwarded to Ipsec connection?

thank you.

1 Like


Hi Andrea

And welcome to the NethServer Community!

From the Screenshots I’m assuming you mean your NethServer is your Router with 4 NICs…

I use both IPsec and OpenVPN a lot, IPsec more for Site2Site and OpenVPN more for RoadWarriors…

Normally, NAT is NOT needed or used when doing VPN, so here is probably an issue.
It could be that the company on the other side is only allowing exactly ONE host on your end…
To overcome this limitation, you would need to use NAT. But as said, normally a site2site VPN is NOT done with NAT.

What you could try, is add a static route on your NethServer (Maybe also needed on your clients in the LAN…) for the target, pointing to the right Interface…

If there’s no route, the packet will land in the Internet, and your provider will throw away “Internal, private IPs” like 10.x.x.x, 192.168.x.x and…

See on the right of the screenshot…

You may also need to add the network to “trusted networks”…

My 2 cents

yes, you’re right: 4 ports means 4 NICS.

The need of NAT is (probably) due to the fact the remote site receives connection from different locations (not only my company) and there is an high chance the same IP subnet is used by different companies.

I have set the a route to remote IP subnet and in fact from the router I can ping the remote site. But when I ping from My PC I get “Reply from Destination host unreachable.”

You can use the NETMAP iptables target.
Add a couple of rules in /etc/shorewall/started, e.g.:

iptables -t nat -I POSTROUTING -s -d -o enp4s0 -j NETMAP --to
iptables -t nat -I PREROUTING -i enp4s0 -s -d -m policy --dir in --pol ipsec -j NETMAP --to

Beware of typos I may have introduced.


Why it is not by default filipo, I assume when I do a tunnel I can ping the lan over the tunnel :-?

NAT is evil? :slight_smile:
I tried to add this function in a clean way through shorewall, but I failed. So I used the trick I always to: low level iptables commands.

1 Like

Do we have the same behavior with openvpn tunnel ?

Are these commands wiped out when interfaces, IPsec and OpenVPN are updated?
Does these settings are backupped and restored into config?

/etc/shorewall/started is not a template and it is not included in the backup system, it is a file where you trigger commands after shorewall has been fully started

1 Like