Advice for OpenVPN w/ Outgoing NAT

Helix26404 · Jan 16, 2007, 2:57 AM

To those of us who have multi-WAN interfaces that are using OpenVPN:

If you are using outbound NAT to map certain subnets or computers/hosts to certain WAN gateways, you need to add an explicit firewall rule on the LAN interface to permit traffic from any source (or certain networks/hosts) on your LAN to the OPVN interface address and the remote network. A default rule "permit all" will NOT work because of the outbound NAT rules.

For instance, in my scenario:

172.16.10.0/24 - Local (Interface) LAN subnet
172.16.20.0/24 - Local (VoIP) LAN subnet
172.16.30.0/24 - Local (Data) LAN subnet

Each of these subnets come through ONE interface (the pfSense LAN interface).

172.16.40.0/24 - pfSense OpenVPN interface network

192.168.1.0/24 - Remote OpenVPN network

See the attached image for working firewall rules.

Hope this helps someone. I wish I would have known this before my experience!

Helix26404 · Jan 16, 2007, 3:06 AM

I couldn't figure out how to edit my post, but I had one more thing to say.

The key to the firewall rules:

They have to come before your outgoing NAT rules (depicted in the picture).
You must choose "default" for the gateway, so that pfSense can access its internal route table to know where to forward the traffic. Otherwise, it will head out one of the WAN interfaces.

HICHAMB · Apr 23, 2007, 4:17 PM

Hello Helix26404,

Afer 2 weeks of forums searchs and configs changing, i find your post and i do the change and all works fine.

Tahnk you very much Helix26404, maybe your post must be introduced to the main pfsense-openvpn tutorials.

HICHAMB