The answer is yes and no.

No: If you only have 1 public IP address because your OpenVPN will be on the same Public IP as your assets such as a webserver. Yes: If you have 2 Public IPs and the assets you are trying to access are not on the same public IP as your OpenVPN server.

@johnpoz Thanks for the answers.

Thanks Steve!

Finally got the right option.
Had to use NAT + Proxy.

Hi,

it is a typo on the graphic, i need to translate users IP 192.168.231.0/24 into 10.33.25.0/24

on the global architecture, i use a different gateway to route users.

on the vlan created and used to connect pfSense WAN and Meraki, i was able to mention that i would use a different gateway in my interface i.e. Meraki (i use Unifi devices).

Is there route back pointing to 172.30.10.4 on the customer network for the subnet you want use for translation? not for the moment

@dbmadmin

This might be the issue : "cobine 2 wans".

As I have a pfSense, a (one) WAN, default setup, using DHCP and a LAN, default setup, 192.168.1.1/24 - also all default with default DHCP server setup.

I've also a access point, living on LAN (192.168.1.2/24 - gateway 192.168.1.1) and I have a Phone and Whatssapp.

Nothing else it needed : the Whatssapp app can go 'out' and connect to needed servers.

I have also an upstream ISP router, no setting changes needed.

Bump.

@gblenn
I am very grateful for your assistance. I will take your suggestion and advise and see how I can turn this around. Thank you very much for your time

@steveits
I found the problem. Though the screens said to not use redirection, that is what I actually needed to do. It was a simple fix, once I realized the screen instructions were at best misleading. It all works now. Here's what it looks like.

fixed.png

@viragomann
Just wanted to let you know I was able to get this done. I remember a long time ago a list of aliases would show up in some of the fields (since I am using the GUI). I modified the alias to be hosts and that worked when I added the alias as the destination in the Outbound NAT rule.
Thank you for your input.

@dharvey242 glad you got is sorted..

@munchie
If you do SNAT on packets, which are going to a device, it sees only the NAT IP, nothing else.

If you want to see the origin clients IP remove the SNAT rule and set pfSense as default gateway on the web server.

@landomix no it should have an open state for the reply. Presumably the gateway on the server is the pfSense because it works on the other port.
You could check states and/or a packet capture on LAN…
Have you tried a different alt port? It shouldn’t care but…

@viragomann Thanks. It works now.
My mistake is that on Client B, i restricted the source to the VPN tunnel address. Since this is NAT i guess its really just a pass thru and setting the source to any fixed all the issues.

Thank you very much for the help and the patience. Cheers!

@viragomann said in LAN access from VPN:

This replaces the source address with pfSense LAN address, so it's inside the subnet. Maybe this works.

It does work! Thank you very much!

@steveits said in Working in a local network with ports that are forwarded by NAT ?:

@supervisor3000 The top would allow port 53 to the LAN IP. The bottom allows 53 to any IP on the firewall, including the WAN IP or other interfaces. Presumably whatever is making DNS queries is now not using the LAN IP?

Reflection on a given NAT rule doesn't change anything on how other rules are processed.

Of course, all LAN users continue to use the LAN IP as their gateway.
That's why I'm surprised that another rule was needed after the reflection!

@saqqara said in Limiting WAN access by ip question:

https://www.yougetsignal.com/tools/open-ports/

Thank You..... that's what I was hoping...as it would be pointless to do this otherwise but I wanted to be sure... thanks for the url

i wound up setting two outbound nat rules.

found it in this thread jsut modified the rules for our vendor which is flowroute.

https://community.freepbx.org/t/pfsense-firewall-settings-for-sipstation/86702

On the Outbound NAT specify a rule for the WAN interface allowing the PBX via UDP out to Destination (SIP trunk IPs) on Destination Port 5060-5061, NAT address = WAN address, NAT PORT = any, STATIC NAT checked

THEN make another rule for Outbound NAT for the WAN interface allowing the PBX via UDP out to Destination = any, Destination Port = any, NAT address = WAN address, NAT PORT = any, STATIC NAT checked