Netgate Discussion Forum
    Outbound nat on tap / VPN

yanosz

      Hello,

      I've some trouble setting up outbound-nat on pfsense 1.2.3-release - can you help me out?
      setup - (relevant) networks:

      • lan: 192.168.40.0/24

      • wan: pppoe, one dynamic ip

      • OpenVPN (tap / layer2) 192.168.150.20/30 - local address (pfsense): 192.168.150.22 - remote address: 192.168.150.21

      rules (to be implemented):

      • lan clients are allowed to access wan (and should be masqueraded)

      • lan clients are allowed to access 192.168.150.21 (remote vpn host)

      Configuration options on the remote VPN hosts are restricted (and cannot be changed):

      • its tap interface is bound to 192.168.150.21/30

      • no routes can be set (by that, setting a route for reaching 192.168.40.0/24 via 192.168.150.22 is impossible)

Thus all traffic reaching the remote host must have 192.168.150.22 as source address, and pfSense must run network address and port translation (masquerading to 192.168.150.22) for all packets going out on the tap device that come from 192.168.40.0/24.

      Outbound-nat is configured this way:

Accessing wan works, and icmp-echo from 192.168.150.21 to .22 (and vice versa) works too.
But somehow, packets coming from 192.168.40.0 are not masqueraded and echos fail (capture output running on tapvpn):

      15:49:07.694554 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 149, length 40
      15:49:12.568993 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 150, length 40
      15:49:17.393671 arp who-has 192.168.40.1 tell 192.168.40.197 (***)
      15:49:17.577939 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 151, length 40
      15:49:22.574349 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 152, length 40

      Furthermore, I wonder what (***) is doing here. There is no bridge set up.
      What may be wrong in my setup?

      Thanks in advance,
      Keep smiling
      yanosz

GruensFroeschli
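The capture above is the kind of evidence worth checking mechanically after every NAT change (and, as it turned out later in the thread, after a reboot). The following script is an added example and not code from the thread or from pfSense: it parses tcpdump lines as printed on the tap interface, flags outbound packets that still carry a LAN source (i.e. escaped masquerading) and ARP lookups for addresses that do not belong to the tunnel /30, and models a pfSense outbound NAT rule (interface, source net, destination or "any", translation address) to show which packets such a rule would rewrite. The rule-matching model is a simplified assumption of how outbound NAT matching behaves, the interface name tapvpn is taken from the post, and the fifth capture line (seq 153, source 192.168.150.22) is constructed here to show what a correctly masqueraded echo looks like.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Networks and addresses as given in the post.
LAN_NET = ipaddress.ip_network("192.168.40.0/24")
TUNNEL_NET = ipaddress.ip_network("192.168.150.20/30")
NAT_ADDR = ipaddress.ip_address("192.168.150.22")    # pfSense end of the tap tunnel
REMOTE_HOST = ipaddress.ip_address("192.168.150.21")  # the one remote VPN host

# Constructed sample capture: the lines quoted in the post, plus one constructed line
# (seq 153 from 192.168.150.22) showing what a correctly masqueraded echo would look like.
CAPTURE = """\
15:49:07.694554 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 149, length 40
15:49:12.568993 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 150, length 40
15:49:17.393671 arp who-has 192.168.40.1 tell 192.168.40.197 (***)
15:49:17.577939 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 151, length 40
15:49:22.574349 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 152, length 40
15:49:27.574349 IP 192.168.150.22 > 192.168.150.21: ICMP echo request, id 1, seq 153, length 40
"""

# tcpdump prints "IP src > dst: ..." for IP and "arp who-has target tell sender" for ARP.
# The optional ".port" groups cover TCP/UDP lines, which carry host.port instead of host.
IP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<info>.*)$")
ARP_LINE = re.compile(
    r"^(?P<ts>\S+) arp who-has (?P<target>\d+\.\d+\.\d+\.\d+) tell (?P<sender>\d+\.\d+\.\d+\.\d+)")


@dataclass(frozen=True)
class Packet:
    ts: str
    kind: str                    # "ip" or "arp"
    src: ipaddress.IPv4Address   # IP source, or ARP sender
    dst: ipaddress.IPv4Address   # IP destination, or ARP target


def parse_capture(text: str):
    """Turn tcpdump text into Packet records; unrecognised lines are skipped."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        m = IP_LINE.match(line)
        if m:
            packets.append(Packet(m["ts"], "ip", ipaddress.ip_address(m["src"]),
                                  ipaddress.ip_address(m["dst"])))
            continue
        m = ARP_LINE.match(line)
        if m:
            packets.append(Packet(m["ts"], "arp", ipaddress.ip_address(m["sender"]),
                                  ipaddress.ip_address(m["target"])))
    return packets


def audit_tap_capture(packets, tunnel_net=TUNNEL_NET, nat_addr=NAT_ADDR):
    """Classify frames seen on the tap interface.

    An IP packet leaving with the NAT address as source was masqueraded; one whose
    source lies outside the tunnel /30 escaped NAT and will never get an answer,
    because the remote host cannot route back to it. ARP involving addresses outside
    the tunnel /30 means a LAN-side address is being resolved on the tunnel segment.
    """
    report = {"masqueraded": [], "leaked": [], "foreign_arp": []}
    for p in packets:
        if p.kind == "ip":
            if p.src == nat_addr:
                report["masqueraded"].append(p)
            elif p.src not in tunnel_net:
                report["leaked"].append(p)
        elif p.kind == "arp" and (p.src not in tunnel_net or p.dst not in tunnel_net):
            report["foreign_arp"].append(p)
    return report


def summarize(text: str):
    """Counts per category, handy for a quick pass/fail after a config change."""
    return {k: len(v) for k, v in audit_tap_capture(parse_capture(text)).items()}


@dataclass(frozen=True)
class OutboundNatRule:
    """Simplified model (assumption) of one outbound NAT rule."""
    interface: str
    source: ipaddress.IPv4Network
    destination: Optional[ipaddress.IPv4Network]   # None models destination "any"
    translate_to: ipaddress.IPv4Address


def translate_source(rule: OutboundNatRule, interface: str, src, dst):
    """Source address a packet leaves with: rewritten if the rule matches, else unchanged."""
    if interface != rule.interface or src not in rule.source:
        return src
    if rule.destination is not None and dst not in rule.destination:
        return src
    return rule.translate_to


# The rule as described in the post (single destination) and the "any" variant suggested below.
NARROW_RULE = OutboundNatRule("tapvpn", LAN_NET, ipaddress.ip_network("192.168.150.21/32"), NAT_ADDR)
ANY_RULE = OutboundNatRule("tapvpn", LAN_NET, None, NAT_ADDR)

if __name__ == "__main__":
    print(summarize(CAPTURE))
    for rule in (NARROW_RULE, ANY_RULE):
        print(rule.destination, translate_source(rule, "tapvpn", ipaddress.ip_address("192.168.40.197"), REMOTE_HOST))
```

Run against the posted capture, the audit reports four leaked echos and one foreign ARP, while both rule variants would translate 192.168.40.197 to 192.168.150.22 for traffic to the remote host. That separation matters: a rule that matches on paper but packets that leave untranslated points at the rule not being loaded (which is consistent with the reboot fixing it later in the thread), not at the rule's destination field.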

In your rule for the VPN you've set a single address.
This means that traffic on this interface is only NATed when this rule matches -> only when you access the remote end of the tunnel.

        Set the destination to "any" and all traffic leaving via the VPN should be NATed.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

yanosz

          Hello,

          @GruensFroeschli:

In your rule for the VPN you've set a single address.
This means that traffic on this interface is only NATed when this rule matches -> only when you access the remote end of the tunnel.

          Set the destination to "any" and all traffic leaving via the VPN should be NATed.

          Thanks for your reply - but:
There is just one machine at the remote end of the tunnel, thus: if a packet goes down the tunnel it's meant for the one (and only) remote machine.
          Anyway, I noticed (by accident ;) ) that my settings worked out right after rebooting pfsense. (Maybe natd wasn't restarted, when needed?)

          Keep smiling
          yanosz
