VPN Tunnels, Multiple sites, Do I need to NAT (a second time)?

First time poster, please be gentle.
As the username implies, I am a complete neophyte at site-to-site VPN tunnelling.

Here's the setup:

I have a central ELK Stack running, that is monitoring my DC servers and network.
I have been chartered with extending my monitoring to remote offices, and many that are coming onboard via acquisition. These are all small-ish offices, using only very basic networking devices (think: Netgear, Trend, Linksys, Fortigate, SonicWall). Most of these offices were set up independently, so most are at 192.168.0.x. When I set up S2S VPN tunnels, those locations will get NATed to the router's public IP, to connect to my central instance. (No, we do not have MPLS, or dedicated network connections to the remote sites.)

For the purposes of the question, let's say:
Division A has a public IP address of
Division A has a local server called THOR.
THOR's ip address in the local subnet is

Division B has a public IP address of
Division B has a local server called HULK.
HULK's ip address in the local subnet is also

Here's the question:
If I install whatever Beats I need on THOR and HULK, connect both Division A and B to my DC network via two separate Site-to-Site VPN tunnels, and get the data coming in, will ELK be able to understand the difference between THOR and HULK?

Comments: I believe that I'm over-thinking things here, but my initial installation was meant to be pretty simple and I am not a network guru at this level, so I'm confusing myself about the NATing that I need to facilitate/handle. Originally I thought about defining a subnet like 10.0.REMOTE_OFFICE_ID.x for each remote office, and then expanding my local subnet to 10.x.x.x, but then I realized the S2S VPN tunnel will be NATing anyway, so then I'm natting twice, and I'm sure I don't want to do that, so I'm really searching for some clarity here.

Is there anyone here that has done something similar to this and can provide anecdotes or guidance on the way they did it (or improvements)?

My requirements:

I have to use Site-to-Site VPNs, because dedicated circuits are cost prohibitive.
I have to be hardware agnostic, because each site has different routers.
(At least I can mandate that the site has a VPN capable router).
Each site acts as an independent entity, so I can't re-IP networks.

Any thoughts, comments, suggestions welcome.


Welcome to our community! :smiley:

You can easily attach tags to events in Filebeat, so, for example, you could set up each site and attach a tag that specifies what division/location the events come from. That would allow you to filter by IP, but then also ensure you can see what source network the event is coming from.

I presume the same tagging can be done with MetricBeat and PacketBeat?

Yep, it's part of the underlying libbeat functionality - Add tags | Metricbeat Reference [7.10] | Elastic

1 Like
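
The per-site tagging suggested in the reply above, sketched as a Beats configuration for THOR in Division A. This is an added example, not part of the original thread; the tag values, the `site_id` field name and the output host are assumptions chosen for illustration.

```yaml
# filebeat.yml / metricbeat.yml / packetbeat.yml on THOR (Division A).
# These are general libbeat options, so the same keys work in each Beat.

# Shipper name sent with every event; defaults to the hostname if unset.
name: thor

# Static tags appended to the "tags" field of every event from this Beat.
# Assumed convention: one tag per division.
tags: ["division-a"]

# Custom fields attached to every event. With fields_under_root: false
# they are stored as fields.site_id, so they cannot collide with fields
# the Beat itself populates.
fields:
  site_id: division-a          # assumed field name and value
fields_under_root: false

processors:
  # The add_tags processor from the linked reference. Without "target",
  # the tags are appended to the same "tags" field as above.
  - add_tags:
      tags: ["remote-office"]  # assumed tag

# Placeholder for the central ELK endpoint reached through the tunnel.
output.logstash:
  hosts: ["elk.dc.example.internal:5044"]

# On HULK (Division B), keep everything identical except:
#   name: hulk
#   tags: ["division-b"]
#   fields.site_id: division-b
# The two servers can then share the same local IP address and still be
# told apart in Elasticsearch by tag or by fields.site_id.
```

In Kibana, a filter such as `fields.site_id : "division-b"` or `tags : "division-a"` then separates the two sites regardless of overlapping local subnets.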
