Netgate Discussion Forum
    NAT Problems

      socke

      Hey there,

      I have the following scenario:

      There is a site-to-site OpenVPN connection between FW-1 and FW-2. Client 1 should be able to reach http://172.16.1.21 (via NAT address). A NAT is set up on the OpenVPN interface on FW-2. FW-3 is connected to the WAN interface of FW-2, via which the Internet connection is established and other devices are connected. These include the device with the IP 172.16.1.21, which is to be reached from the FW-1 network. In the log of FW-2 I can see that the connection arrives there:

      10.200.0.100:60778 -> 172.16.1.21:8080 (10.231.0.160:8080) CLOSED:SYN_SENT

      10.200.0.100 is the local LAN network of FW-1. What am I doing wrong?


        viragomann @socke

        @socke said in NAT Problems:

        A NAT is set up on the OpenVPN interface on FW-2.

        Why?
        You can do this though, but it should not be necessary if you have set the remote network properly in the OpenVPN settings.

        10.200.0.100 is the local LAN network of the FW-1

        Not clear how the LAN IP comes into play here.

        Anyway, the easiest way to solve might be to masquerade the traffic on FW1 OpenVPN interface by an outbound NAT rule.

        Firewall > NAT > Outbound
        Enable the hybrid mode and save this setting.

        Add a rule:
        interface: OpenVPN (or the one you have assigned to the connection)
        protocol: TCP
        source: LAN net
        destination: with the NAT it might be the OpenVPN IP of FW2, otherwise 172.16.1.21
        translation: interface address

        There is also a better solution with routing, but this is more complicated and you would have to provide more details.

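The state quoted in the first post, CLOSED:SYN_SENT, is the symptom the outbound NAT rule in this reply works around: a SYN reached FW-2, but the destination never answered, which is what you see when the far side has no route back to the original source network and so cannot deliver the SYN-ACK. Masquerading on FW-1's OpenVPN interface sidesteps that because the far side only ever sees the tunnel address, which it already knows how to reach. The script below is an added example for readers of this thread, not code from the thread or from pfSense: it parses state-table lines in the format shown above, flags half-open states, and checks the source address against an assumed list of networks the far side can route back to. The known-network list, the extra sample lines and the FW-1 tunnel address 10.231.0.2 are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the format pfSense shows in its state table:
# "src:port -> dst:port (other end of the NAT translation) STATE:STATE".
# The first line is the one quoted in the post; the other two are made up
# here for contrast and are not from the thread.
SAMPLE_STATES = """\
10.200.0.100:60778 -> 172.16.1.21:8080 (10.231.0.160:8080) CLOSED:SYN_SENT
10.231.0.1:51234 -> 172.16.1.21:8080 (10.231.0.160:8080) ESTABLISHED:ESTABLISHED
10.200.0.100:60779 -> 172.16.1.21:8080 (10.231.0.160:8080) FIN_WAIT_2:FIN_WAIT_2
"""

# Assumption for the example: the networks the far side (FW-2, FW-3 and the
# host 172.16.1.21) can route back to. The tunnel network and the local LAN
# are known; the FW-1 LAN 10.200.0.0/24 is deliberately absent, which is the
# situation the thread's symptom suggests.
FAR_SIDE_KNOWN_NETWORKS = ["10.231.0.0/24", "172.16.1.0/24"]

STATE_RE = re.compile(
    r"^(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\s*\((?P<nat>[\d.]+):(?P<nport>\d+)\))?"
    r"\s+(?P<s1>[A-Z0-9_]+):(?P<s2>[A-Z0-9_]+)\s*$"
)


@dataclass
class StateEntry:
    src: str
    sport: int
    dst: str
    dport: int
    nat_addr: Optional[str]   # address shown in parentheses, if any
    nat_port: Optional[int]
    states: tuple             # (side1, side2) TCP state pair as displayed


def parse_state_line(line: str) -> StateEntry:
    """Parse one state-table line; raise ValueError on anything else."""
    m = STATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised state line: {line!r}")
    return StateEntry(
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        nat_addr=m["nat"], nat_port=int(m["nport"]) if m["nport"] else None,
        states=(m["s1"], m["s2"]),
    )


def is_half_open(entry: StateEntry) -> bool:
    """True when one side sent a SYN and the other side never answered."""
    return "SYN_SENT" in entry.states and "ESTABLISHED" not in entry.states


def has_return_route(addr: str, known_networks) -> bool:
    """Does the far side hold a route that covers this address?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in known_networks)


def masquerade(entry: StateEntry, interface_ip: str) -> StateEntry:
    """Model the outbound NAT rule from the reply: the packet leaves FW-1's
    OpenVPN interface carrying the interface address as its source."""
    return StateEntry(interface_ip, entry.sport, entry.dst, entry.dport,
                      entry.nat_addr, entry.nat_port, entry.states)


def diagnose(entry: StateEntry, known_networks=FAR_SIDE_KNOWN_NETWORKS) -> str:
    """Classify a state: 'ok', 'closing', or why the handshake is stuck."""
    if not is_half_open(entry):
        return "ok" if "ESTABLISHED" in entry.states else "closing"
    if not has_return_route(entry.src, known_networks):
        return f"half-open: far side has no route back to {entry.src}"
    return "half-open: destination not answering (check host firewall/service)"


def diagnose_all(text: str, known_networks=FAR_SIDE_KNOWN_NETWORKS) -> list:
    """Diagnose every non-empty line of a pasted state table."""
    return [(line, diagnose(parse_state_line(line), known_networks))
            for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for line, verdict in diagnose_all(SAMPLE_STATES):
        print(f"{verdict:58} {line}")
    stuck = parse_state_line(SAMPLE_STATES.splitlines()[0])
    # Assumed tunnel address of FW-1 for the example (constructed value).
    print(diagnose(masquerade(stuck, "10.231.0.2")))
```

Run as-is, the first line is reported as half-open with no return route, while the same connection after `masquerade()` falls through to the "destination not answering" branch, which is exactly the narrowing of the problem the outbound NAT rule buys you: if the state is still stuck after masquerading, the issue is on the host or FW-3 side, not in the routing back to the FW-1 LAN.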
          socke @viragomann

          @viragomann
          Thanks a lot!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.