Client > pfsense WAN > NAT > Opt1 > OpenVPN client
-
Hello pfsense world. :)
I have pfsense 1.2.3 as my internet gateway. I have WAN, LAN and OPT1 interfaces. OPT1 is for OpenVPN. When I forward a port in NAT to a device sitting on the LAN network, pfsense works fine, and external clients can access resources on that device.
Problem is, when I want to forward port to OpenVPN client, after applying settings, nothing happens.
What am I doing wrong?
Here is my NAT table:
10.10.10.33 is the IP address of one OpenVPN client connected to the OpenVPN server.
Thanks in advance
-
Are you forcing all traffic of the client to go through the VPN tunnel?
Unless you do, this is what is probably happening:
- External users connect to your pfSense.
- Packets are forwarded to your OpenVPN client.
- Since the source is a public IP, and you're not forcing everything through the tunnel, the client answers directly via its default gateway.
To solve this:
- Force all traffic from the OpenVPN client into the tunnel (redir def1)
- Source NAT on the pfSense so it seems to the OpenVPN client that the requests come from the pfSense and answers correctly.
-
Are you forcing all traffic of the client to go through the VPN tunnel?
No.
- External users connect to your pfSense.
- Packets are forwarded to your OpenVPN client.
- Since the source is a public IP, and you're not forcing everything through the tunnel, the client answers directly via its default gateway.
It seems so, now I understand why it does not work, and thanks for that.
- Source NAT on the pfSense so it seems to the OpenVPN client that the requests come from the pfSense and answers correctly.
How do I do that? Firewall / NAT / Outbound? What should I do with the automatic outbound rule? Leave it that way or change to manual? What do I enter in the outbound rules to make sure that my LAN subnet won't be cut off from the Internet?
-
Enable manual outbound rule generation.
Per default there will be an auto-generated rule to NAT outbound traffic from the LAN to the WAN.
You need to create a new rule with:
interface: openVPN-interface
source: any
destination: server you NAT to
-
10x, I will try that and let you know if it works or not. :D
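The two fixes suggested in the answers above (the inbound port forward plus a source NAT toward the VPN client, or alternatively pushing the whole default route into the tunnel), written out as a pf ruleset fragment. This is an added example, not text from the thread and not the rules pfSense 1.2.3 generates; pfSense builds its pf rules from the GUI, so this only shows what the manual Outbound NAT rule described above corresponds to underneath. The interface names em0 and tun0 and the forwarded port 8080 are assumptions; 10.10.10.33 is the client address given in the thread.

```pf
# Constructed example; interface names and port are assumptions, not from the thread.
wan_if     = "em0"          # pfSense WAN
ovpn_if    = "tun0"         # OPT1 / OpenVPN server interface
vpn_client = "10.10.10.33"  # OpenVPN client address from the thread

# 1. Inbound port forward (the entry already present in the poster's NAT table):
#    connections arriving on the WAN address are redirected to the VPN client.
rdr on $wan_if proto tcp from any to ($wan_if) port 8080 -> $vpn_client port 8080

# 2. Source NAT on the OpenVPN interface (the "manual outbound rule" from the answer:
#    interface = OpenVPN, source = any, destination = the server being NATed to).
#    The public source address is replaced with pfSense's own tunnel address, so the
#    client's replies return through the tunnel instead of leaving via the client's
#    default gateway, where they would never reach pfSense and the connection stalls.
nat on $ovpn_if from any to $vpn_client -> ($ovpn_if)

# Filter rules: rdr rewrites the destination before filtering, so match on the
# translated address. Only the forwarded port is opened toward the client.
pass in  quick on $wan_if  proto tcp from any to $vpn_client port 8080 keep state
pass out quick on $ovpn_if proto tcp to $vpn_client port 8080 keep state
```

The outbound NAT rule above is what the pfSense GUI produces when manual outbound rule generation is enabled and the rule described in the last answer is added; the auto-generated LAN-to-WAN rule must be kept alongside it so LAN hosts retain Internet access. The alternative the first answer mentions, `push "redirect-gateway def1"` in the OpenVPN server config, makes the client route everything through the tunnel instead, in which case the source NAT is not needed but all of the client's traffic then flows through pfSense. One caveat worth knowing before choosing the NAT route: with source NAT, the service on 10.10.10.33 only ever sees pfSense's tunnel address, so its own logs no longer record the real external client IP; the pfSense state table and firewall log become the place to look that up.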