Netgate Discussion Forum
    pfSense OpenVPN client limitation? Can't have outbound NAT on 2 connections

    3 Posts 2 Posters 2.1k Views
    irvingpop

      Strange issue encountered today. Set up pfSense as OpenVPN client + Outbound NAT to 2 different OpenVPN servers. Half of the packet flows are NATed correctly; the other half get the wrong interface address.

      Tcpdump shows pings from the same source/destination, but half of the attempts show the wrong interface address (the requests sourced from 172.17.220.6):

      ```text
      tcpdump -nl -i ovpnc2
      10:50:06.164800 IP 192.168.32.240 > 192.168.32.1: ICMP echo request, id 55374, seq 0, length 64
      10:50:06.355142 IP 192.168.32.1 > 192.168.32.240: ICMP echo reply, id 55374, seq 0, length 64
      10:50:07.165583 IP 192.168.32.240 > 192.168.32.1: ICMP echo request, id 55374, seq 1, length 64
      10:50:07.349600 IP 192.168.32.1 > 192.168.32.240: ICMP echo reply, id 55374, seq 1, length 64
      10:50:08.166405 IP 192.168.32.240 > 192.168.32.1: ICMP echo request, id 55374, seq 2, length 64
      10:50:08.348864 IP 192.168.32.1 > 192.168.32.240: ICMP echo reply, id 55374, seq 2, length 64
      10:50:09.234826 IP 172.17.220.6 > 192.168.32.1: ICMP echo request, id 86, seq 0, length 64
      10:50:10.235572 IP 172.17.220.6 > 192.168.32.1: ICMP echo request, id 86, seq 1, length 64
      10:50:11.236355 IP 172.17.220.6 > 192.168.32.1: ICMP echo request, id 86, seq 2, length 64
      10:50:12.237197 IP 172.17.220.6 > 192.168.32.1: ICMP echo request, id 86, seq 3, length 64

      10:50:19.268909 IP 192.168.32.240 > 192.168.32.1: ICMP echo request, id 58478, seq 0, length 64
      10:50:19.451321 IP 192.168.32.1 > 192.168.32.240: ICMP echo reply, id 58478, seq 0, length 64
      10:50:20.268986 IP 192.168.32.240 > 192.168.32.1: ICMP echo request, id 58478, seq 1, length 64
      10:50:20.451426 IP 192.168.32.1 > 192.168.32.240: ICMP echo reply, id 58478, seq 1, length 64
      10:50:21.866942 IP 172.17.220.6 > 192.168.32.1: ICMP echo request, id 29142, seq 0, length 64
      10:50:22.867803 IP 172.17.220.6 > 192.168.32.1: ICMP echo request, id 29142, seq 1, length 64
      10:50:23.868602 IP 172.17.220.6 > 192.168.32.1: ICMP echo request, id 29142, seq 2, length 64
      ```

      The 2 OpenVPN client interfaces:

      ```text
      ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
      	options=80000<LINKSTATE>
      	inet6 fe80::20d:b9ff:fe24:7288%ovpnc1 prefixlen 64 scopeid 0x8
      	inet 172.17.220.6 --> 172.17.220.5 netmask 0xffffffff
      	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
      	Opened by PID 23796
      ovpnc2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
      	options=80000<LINKSTATE>
      	ether 00:bd:cf:08:00:02
      	inet6 fe80::2bd:cfff:fe08:2%ovpnc2 prefixlen 64 scopeid 0x9
      	inet 192.168.32.240 netmask 0xffffff00 broadcast 192.168.32.255
      	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
      	Opened by PID 27140
      ```

      Relevant Outbound NAT rules:

      ```text
      OpenVPN = "{ openvpn }"
      nat on $WAN  from 172.16.42.0/24 to any -> XXX.XXX.XXX.XXX/32  static-port
      nat on $WAN  from 127.0.0.0/8 to any -> XXX.XXX.XXX.XXX/32 port 1024:65535
      nat on $OpenVPN  from 172.16.42.0/24 to 192.168.32.0/24 -> (openvpn) port 1024:65535
      nat on $OpenVPN  from 172.16.42.0/24 to 172.16.220.0/24 -> (openvpn) port 1024:65535
      ```

      It seems that the rules aren't flexible enough to handle Outbound NAT on 2 different OpenVPN client interfaces (ovpnc1 and ovpnc2).
      Any suggestions on how to make this work?   TIA

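To check a capture for the symptom described in the post above without eyeballing it, here is an added Python example (not code from the thread or from pfSense) that parses `tcpdump -nl` output and flags every outbound packet whose source address belongs to a different local tunnel interface than the one being captured. The interface-to-address map and the sample capture lines are copied from the post; the function names are the example's own.

```python
"""Flag outbound packets on an OpenVPN client interface whose source address
belongs to a *different* local interface, i.e. flows that outbound NAT
translated to the wrong interface address."""
import re
from collections import Counter

# Tunnel address of each OpenVPN client interface, from the ifconfig output
# posted in the thread.
IFACE_ADDR = {
    "ovpnc1": "172.17.220.6",
    "ovpnc2": "192.168.32.240",
}

# tcpdump -nl prints "HH:MM:SS.ffffff IP src[.port] > dst[.port]: info";
# ICMP lines carry no port, TCP/UDP lines append it after a dot.
_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<info>.*)$"
)


def parse_tcpdump(text):
    """Yield (timestamp, src, dst, info) for each IPv4 line; other lines
    (the command echo, IPv6, ARP) are skipped."""
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            yield m["ts"], m["src"], m["dst"], m["info"]


def audit_capture(iface, text, iface_addr=IFACE_ADDR):
    """Classify packets captured on `iface`.

    A packet is outbound when its source is one of our own tunnel addresses.
    It counts as 'ok' when that address belongs to `iface`, and as
    'wrong_iface' when it belongs to another local interface, which is
    exactly the half-the-flows-are-wrong symptom from the thread.  Returns
    (Counter of categories, list of offending (ts, src, owner, dst)).
    """
    own = iface_addr[iface]
    owner_of = {addr: name for name, addr in iface_addr.items()}
    counts = Counter()
    wrong = []
    for ts, src, dst, info in parse_tcpdump(text):
        if src not in owner_of:
            counts["inbound"] += 1          # reply from the far side
        elif src == own:
            counts["ok"] += 1
        else:
            counts["wrong_iface"] += 1
            wrong.append((ts, src, owner_of[src], dst))
    return counts, wrong


# Excerpt of the `tcpdump -nl -i ovpnc2` output posted in the thread.
SAMPLE = """\
tcpdump -nl -i ovpnc2
10:50:06.164800 IP 192.168.32.240 > 192.168.32.1: ICMP echo request, id 55374, seq 0, length 64
10:50:06.355142 IP 192.168.32.1 > 192.168.32.240: ICMP echo reply, id 55374, seq 0, length 64
10:50:07.165583 IP 192.168.32.240 > 192.168.32.1: ICMP echo request, id 55374, seq 1, length 64
10:50:07.349600 IP 192.168.32.1 > 192.168.32.240: ICMP echo reply, id 55374, seq 1, length 64
10:50:09.234826 IP 172.17.220.6 > 192.168.32.1: ICMP echo request, id 86, seq 0, length 64
10:50:10.235572 IP 172.17.220.6 > 192.168.32.1: ICMP echo request, id 86, seq 1, length 64
10:50:21.866942 IP 172.17.220.6 > 192.168.32.1: ICMP echo request, id 29142, seq 0, length 64
"""

if __name__ == "__main__":
    counts, wrong = audit_capture("ovpnc2", SAMPLE)
    print(dict(counts))
    for ts, src, owner, dst in wrong:
        print(f"{ts} {src} -> {dst}: source is {owner}'s address, not ovpnc2's")
```

Run it against a live capture with `tcpdump -nl -i ovpnc2 | python3 audit.py` after changing the `__main__` block to read `sys.stdin`; any `wrong_iface` hits mean a NAT rule is translating to an address that does not belong to the interface the packet leaves on, and the far end will never be able to route the reply back.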
        jimp (Rebel Alliance Developer, Netgate)

        Easily solved by assigning each instance as its own interface and then applying NAT rules on the interface specific to the connection you want it to work upon.


          irvingpop

          @jimp:

          > Easily solved by assigning each instance as its own interface and then applying NAT rules on the interface specific to the connection you want it to work upon.

          Jim, thanks for the tip. It's obvious how to do this in the plain-text files, but not so obvious (to me) how to do it in the pfSense GUI.

          What I see now is that you must assign an "Interface" via Interfaces->Assign to each OpenVPN client interface (ovpnc1, ovpnc2) and then assign an Outbound NAT to each one.

          Perhaps a Wiki topic for future users?

          Thanks again!

          ![Screen Shot 2011-12-07 at 9.37.00 AM.png](/public/imported_attachments/1/Screen Shot 2011-12-07 at 9.37.00 AM.png)

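The fix jimp describes and the GUI procedure irvingpop found (assign ovpnc1 and ovpnc2 as their own interfaces under Interfaces->Assign, then create one outbound NAT rule per interface) end up in the generated pf ruleset roughly as shown below. This is an added, hypothetical illustration, not rules copied from the thread or generated by pfSense: the OPT1/OPT2 macro names are assumed, the networks are the ones posted above, and the "before" rules are the poster's originals. In the original rules the translation address `(openvpn)` names an interface group, so pf resolves it to the addresses of every member interface and has two candidate translation addresses instead of one, which fits the alternating source addresses in the capture; binding each rule to a single assigned interface leaves exactly one.

```pf
# Before (from the thread): both rules sit on the "openvpn" interface group
# and translate to "(openvpn)", which resolves to the address of *every*
# group member (ovpnc1 = 172.17.220.6 and ovpnc2 = 192.168.32.240).
#
# OpenVPN = "{ openvpn }"
# nat on $OpenVPN  from 172.16.42.0/24 to 192.168.32.0/24 -> (openvpn) port 1024:65535
# nat on $OpenVPN  from 172.16.42.0/24 to 172.16.220.0/24 -> (openvpn) port 1024:65535

# After (hypothetical): each OpenVPN client instance assigned as its own
# interface, one outbound NAT rule per interface, each translating only to
# that interface's own dynamically tracked address.
OPT1 = "{ ovpnc1 }"
OPT2 = "{ ovpnc2 }"

# Traffic for the network behind ovpnc2 leaves ovpnc2 with ovpnc2's address.
nat on $OPT2  from 172.16.42.0/24 to 192.168.32.0/24 -> (ovpnc2) port 1024:65535

# Traffic for the network behind ovpnc1 leaves ovpnc1 with ovpnc1's address
# (destination network kept as posted in the thread).
nat on $OPT1  from 172.16.42.0/24 to 172.16.220.0/24 -> (ovpnc1) port 1024:65535
```

After the change, `pfctl -sn` on the firewall should list the two `nat on ovpnc…` rules in place of the group rule, and a repeat of `tcpdump -nl -i ovpnc2` should show every outbound packet sourced from 192.168.32.240 only.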
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.