Again, Dual WAN, VPN - some questions
-
Hi there,
I know there are several questions on this topic, so I'm a little bit sorry to ask again…
I just wanted to get some info on the following setup:
I have 2 WAN interfaces, one is connected via PPPoE (WAN1), the other one is behind a Netgear router (WAN2).
Then I got a LAN interface; about 20 computers connect to this interface via a switch. Then I got an OpenVPN up & running. This VPN is connected & routed through WAN1.
So here is my question:
Is it possible to route all Internet requests from clients to WAN2? I'm curious because there has to take place a 2-way NAT. Never heard about such a thing, and I'm in doubt if the routers can handle it! (The Netgear router has to do NAT, and pfSense has to do it also…).
So I just want all internet access via WAN2..., just VPN stuff gets through WAN1.
What do you think, is it an easy task? I don't want to try this solution if it is going to be a long, annoying task :)
I would appreciate any info/experience on this task :)
-
It is easy. You need to use advanced outbound NAT to NAT the traffic from your VPN subnet out.
You can specify in the firewall rules what gateway should be used (WAN1 or WAN2).
Double NAT is no problem. (using it).
-
It is easy. You need to use advanced outbound NAT to NAT the traffic from your VPN subnet out.
uh….
1. I thought when using outbound NAT, all the automatic NAT is getting turned off by pfSense
2. the VPN traffic is routed via the PPPoE connection; at the moment, there is no NAT needed... Internet via the second WAN device (that device that is behind the Netgear router) is not working at the moment. Did you mean to change the setup?
Tomorrow, I will give it a try.... thanks for the reply :)
-
1. I thought when using outbound NAT, all the automatic NAT is getting turned off by pfSense
Kind of. The default NAT rule for LAN is auto-added.
But what do you mean with "automatic NAT"?
You define on the Advanced Outbound NAT page how pfSense NATs. So if you just add manually the rule that is normally hidden there, there is no problem :)
Just set up a rule that NATs traffic from your LAN subnet to WAN1 and a rule that NATs traffic from your VPN subnet to WAN2.
-
Well, I gave it a try today. Internet traffic is routing well. OpenVPN seems to be a little bit wrecked…
- I route all traffic that has the VPN server address as destination to the gateway of OPT1.
- I also tried to route the endpoint of tun0 to the OPT1 gateway - then the VPN was accessible!
VPN did its job for a few seconds.
I don't know exactly what went wrong, but there is a problem.
- The VPN client is connected, but isn't working anymore.
- The packet filter logs many blocked outbound packets on tun0.
After all I know, I can only set up rules for physical network interfaces with the packet filter.
Maybe I configured the wrong routing?
Maybe I missed a point in the rule setup?
Just set up a rule that NATs traffic from your LAN subnet to WAN1 and a rule that NATs traffic from your VPN subnet to WAN2.
That's something I missed to configure. I'm not sure what the rule is going to rewrite. Maybe I'm thinking a little bit weird, but isn't it enough when the VPN client can connect and is able to receive data from the server? I set up a static route:
Interface: OPT1, Gateway: Router before pfSense, Network: VPN Server IP/32
On the Netgear router I port-forwarded all traffic from the VPN server to the OPT1 IP….
I don't even get the point why the packet filter watches the virtual tun0 interface... Is that default?
-
Well, I gave it a try today. Internet traffic is routing well. OpenVPN seems to be a little bit wrecked…
- I route all traffic that has the VPN server address as destination to the gateway of OPT1.
- I also tried to route the endpoint of tun0 to the OPT1 gateway - then the VPN was accessible!
These rules are a bit wrong.
If you redirect traffic with destination firewall to OPT1 you route only the traffic to the firewall (not any point in that since the traffic reaches its destination when it's on the firewall) –> add on advanced NAT a NAT rule with:
first rule:
interface: the interface you want your traffic NATed to (WAN2).
destination: any
source: your remote subnet.
second rule:
interface: the interface you want your traffic NATed to (WAN1).
destination: any
source: your local subnet.
VPN did its job for a few seconds.
I don't know exactly what went wrong, but there is a problem.
- The VPN client is connected, but isn't working anymore.
- The packet filter logs many blocked outbound packets on tun0.
Could you post the log output of OpenVPN when that happens?
After all I know, I can only set up rules for physical network interfaces with the packet filter.
Maybe I configured the wrong routing?
Maybe I missed a point in the rule setup?
Just set up a rule that NATs traffic from your LAN subnet to WAN1 and a rule that NATs traffic from your VPN subnet to WAN2.
That's something I missed to configure. I'm not sure what the rule is going to rewrite. Maybe I'm thinking a little bit weird, but isn't it enough when the VPN client can connect and is able to receive data from the server? I set up a static route:
Interface: OPT1, Gateway: Router before pfSense, Network: VPN Server IP/32
On the Netgear router I port-forwarded all traffic from the VPN server to the OPT1 IP….
I don't even get the point why the packet filter watches the virtual tun0 interface... Is that default?
You don't need to set up static routes manually since that should be handled by the OpenVPN process.
Take a look at the OpenVPN man pages (–> route and iroute commands).
I think you misunderstood how the traffic from the remote network is being handled.
If traffic from your remote subnet arrives at the firewall then the header content of the packets contains as source still the remote subnet. Just because the firewall processes the traffic and forwards it does not mean it originates after that from the firewall (except when you NAT it on the way, of course).
-
Hi there, I tried it with the 1.2 RC2 version, then everything worked fine - no problems with blocked VPN traffic anymore :)
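As an added worked example for this thread (not configuration posted by anyone here): the two manual outbound NAT rules and the gateway-specific firewall rule that the second poster describes in the replies above, written out as the pf.conf rules pfSense generates from the Advanced Outbound NAT page and from a firewall rule with an explicit gateway. Every interface name, subnet and gateway address is an assumed placeholder; the pairing follows the original poster's stated goal (LAN clients out WAN2, the tunnel subnet out WAN1), so swap the interfaces if your goal differs.

```pf
# Added example (not from the thread): hand-written pf.conf fragment in the
# style pfSense builds from "Advanced Outbound NAT" plus a firewall rule that
# names a gateway. All names and addresses below are assumed placeholders.
wan1_if = "pppoe0"          # PPPoE uplink (the poster's WAN1)
wan2_if = "em1"             # uplink behind the Netgear router (WAN2 / OPT1)
wan2_gw = "192.168.100.1"   # Netgear LAN address, next hop on WAN2 (assumed)
lan_if  = "em0"
lan_net = "192.168.1.0/24"  # local LAN (assumed)
vpn_net = "10.8.0.0/24"     # OpenVPN tunnel subnet on tun0 (assumed)

# --- Outbound NAT, manual mode: only the rules listed here translate, so the
# LAN rule that automatic mode adds on its own must be written out by hand.
# LAN clients leave through WAN2 and are rewritten to the WAN2 address; the
# Netgear then translates them a second time (the "double NAT" the poster asks
# about, which pf handles without any special setting).
nat on $wan2_if from $lan_net to any -> ($wan2_if)
# Packets that arrive over the tunnel still carry the remote subnet as their
# source (forwarding does not change it); this rule is what rewrites them to
# the WAN1 address on the way out.
nat on $wan1_if from $vpn_net to any -> ($wan1_if)

# --- Firewall rules with policy routing (the "gateway" field in the GUI) ---
# LAN traffic for the far side of the tunnel must NOT be policy-routed, so it
# is matched first and follows the kernel routing table into tun0.
pass in quick on $lan_if from $lan_net to $vpn_net keep state
# Everything else from the LAN is forced out WAN2 via route-to; without it the
# traffic would follow the default route, which here points at WAN1.
pass in quick on $lan_if route-to ($wan2_if $wan2_gw) \
    from $lan_net to any keep state
# pf filters tun0 like any other interface. Without a pass rule for the tunnel
# subnet its traffic is dropped, which is what "blocked outbound on tun0" in
# the firewall log looks like.
pass in quick on tun0 from $vpn_net to any keep state
```

Two things the thread leaves implicit are visible here: in manual outbound NAT mode nothing is translated except what is listed, so the LAN-to-WAN2 rule has to be added explicitly, and the tunnel subnet gets its own pass rule because pf sees tun0 as an ordinary interface. The routes for the tunnel itself (the route and iroute directives the second poster points to) stay in the OpenVPN configuration and are installed by the OpenVPN process; no static route to the VPN server address is added on the pfSense side.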