Update nat_reflection.rst

- Fixed VTI NAT description, referenced the tunables to make it work
pull/507/head
Monviech 8 months ago committed by GitHub
parent bc8fa3b2ef
commit f9b8051fa3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -61,7 +61,8 @@ That's where Reflection NAT comes into play. It creates NAT rules which help you
* **Hairpin NAT:** The client and the server are in the same subnet (layer 2 broadcast domain). They can communicate directly with each other by resolving ARP requests. You need SNAT and DNAT.
.. Note::
When using IPsec, NAT only matches on policy based VPN. NAT on VTI interfaces won't match.
When using IPsec, by default NAT only matches on policy based VPN. NAT on VTI (Virtual Tunnel Interfaces) won't match unless some tunables are set. These tunables change the behavior of firewall filter and NAT on if_enc and if_ipsec interfaces. You can read more about the tunables in `IPsec VTI - Route based setup <https://docs.opnsense.org/manual/vpnet.html#route-based-vti>`_
-------------
Best Practice
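
Review bot: In the rewritten IPsec note, the sentence "These tunables change the behavior of firewall filter and NAT on if_enc and if_ipsec interfaces" says that filtering changes as well as NAT, but it does not tell the reader to re-check the existing rules on those interfaces before setting the tunables. As worded, the effect applies to filtering on those interfaces generally, not only to reflection rules, so a sentence saying that would help. "Some tunables" is also vague: naming them in the note would tell the reader what to look for on the linked page. The note ends at the link without a closing period. If vpnet.html is built from the same documentation tree, a Sphinx cross-reference would survive anchor renames better than the absolute URL.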
