Netgate Discussion Forum
    NAT and OpenVPN - SOLVED

    • jgottlieb

      First off, I apologize for the cross post.  I posted this originally in the OpenVPN forum and after trying various things based on feedback, I think this is more of a NAT issue.

      I had this working in a simpler configuration under 1.x.  Now I've rebuilt my firewall with 2.03 and have dropped another DSL connection in.

      So I have two LAN segments - 192.168.1.x and 192.168.2.x.  And two WAN connections.

      I've configured OpenVPN following the Wizard and I am able to connect to it and reach both internal LAN segments.

      What I can't do is hit the Internet once connected.  I have OpenVPN configured to funnel all traffic through the VPN (which is what I want).

      It resolves DNS just fine.  But when I try to go anywhere or even ping an internet address it goes nowhere.  I'm running AON and manually added the NAT statement on the WAN interface that OpenVPN is configured on for the VPN pool (192.168.3.x).  But still nothing.

      I'm assuming I'm missing a basic step.  I've pored through the forums and haven't found anything.

      Any help would be greatly appreciated.

      Thanks,

      Joshua

      [Attachments: NAT1.jpg, NAT2.jpg]

      • phil.davis

        You probably want another NAT rule on WAN_OFFICE for 192.168.3.0/24 - if that is your default gateway then the traffic being directed from the OpenVPN client, across the OpenVPN and to the real internet will go out your default gateway (unless you have some other policy routing rule on OpenVPN that directs it out WAN_HOME).

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        • jgottlieb

          Hmmm.  WAN_HOME is the default gateway, but I suppose it can't hurt to set the NAT on WAN_OFFICE as well right?  I'll give it a try.

          • kejianshi

            Strange labeling.

            Mine are labeled like:
            LAN Outbound
            Openvpn1 Outbound
            Openvpn2 Outbound

            Basically just make sure that every subnet you want to be able to see the internet is represented.

            So, the easy thing to do: go to your LAN rules that were already there and click the +
            Then when the new rule pops up, change the subnet to whatever subnet you are assigning to Openvpn.
            Now, that is outbound NAT.

            Now, in the firewall rules, make sure that you have an entry there on openvpn that looks nearly identical to your default LAN rules.  The important one is pass everything to anywhere.  No need for anti-lockout rules on the openvpn firewall rule.

            But, if you post a pic of all firewall rules, outbound NAT rules and openvpn setup page, this will be done in just a few minutes.

            • jgottlieb

              Here are the OpenVPN settings and the Firewall Rules and the NAT screenshots as requested.

              I know this can't be that complicated given what others do with pfsense.  I can only assume like you said there is some simple setting that I have missed.

              I really appreciate you checking out the configs and seeing if you can spot my blunder.

              Thanks,

              Joshua

              • kejianshi

                Do you have a WINS server?

                • kejianshi

                  Try this for a moment.  Remove the WINS server IP.  No WINS server.
                  Also, remove 192.168.1.1 in the DNS list you will supply to clients.
                  Try it with only the 8.8.8.8 and 8.8.4.4.

                  See how it works.

                  • jgottlieb

                    Ok, so I managed to get it fixed.  It looks like for some reason WAN_OFFICE got set as the default gateway.  I thought WAN_HOME was set as the default.  I only had the NAT for the 192.168.3.x (VPN Address Pool) set on the WAN_HOME interface.  I had configured OpenVPN to run on the WAN_HOME interface so I figured that was the only place I needed to set the NAT.  And I thought WAN_HOME was the default gateway.

                    So I configured the NAT on both the WAN_HOME interface and WAN_OFFICE.  Now it works fine!

                    Thanks for all the help everyone!

                    Joshua

                    • kejianshi

                      :-\

                      • phil.davis

                        Your traffic coming in from across the OpenVPN (arriving on WAN_HOME OpenVPN server) and going to the internet is using WAN_OFFICE to get out to the internet. If you are happy with that, then don't mess with it.
                        I expect you could add a policy-routing rule on OpenVPN - make an alias "Internal-LANs" containing the LAN_HOME and LAN_OFFICE subnets. Then add the rule on OpenVPN, source any, destination !Internal_LANs, and gateway WAN_HOME - that should push that traffic out WAN_HOME instead of WAN_OFFICE.

                        • jgottlieb
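Added example, not from the thread or from pfSense itself: a small Python model of the mismatch this thread resolves (the VPN pool had outbound NAT on one WAN while its internet-bound traffic actually left on the other), covering both kejianshi's "every subnet needs an outbound NAT rule" check and phil.davis's policy-routing alternative with a negated Internal_LANs destination. Interface and subnet names come from the thread; which LAN pairs with which WAN, and the rule ordering, are assumptions made for this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Names follow the thread; the LAN-to-WAN pairing and rule order are assumptions.
LAN_HOME, LAN_OFFICE, VPN_POOL = "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"
INTERNAL_LANS = [LAN_HOME, LAN_OFFICE]  # the "Internal_LANs" alias from the thread

@dataclass
class PolicyRule:
    src: str                  # source network the firewall rule matches
    gateway: str              # WAN the matched traffic is pushed out of
    dst: list = field(default_factory=list)  # destination networks; empty = any
    negate_dst: bool = False  # True models pfSense's "!alias" (invert destination)

@dataclass
class Config:
    default_gw: str           # interface holding the default route
    outbound_nat: set         # {(interface, source network), ...} outbound NAT rules
    policy: list = field(default_factory=list)  # evaluated top-down, first match wins

def egress_interface(cfg, src, dst):
    """First matching policy-routing rule decides the WAN; else the default gateway."""
    for rule in cfg.policy:
        if ip_address(src) not in ip_network(rule.src):
            continue
        in_dst = not rule.dst or any(ip_address(dst) in ip_network(n) for n in rule.dst)
        if in_dst != rule.negate_dst:
            return rule.gateway
    return cfg.default_gw

def has_outbound_nat(cfg, iface, src):
    return any(i == iface and ip_address(src) in ip_network(n) for i, n in cfg.outbound_nat)

def audit(cfg, subnets, probe_dst="8.8.8.8"):
    """Map each internal subnet to (egress WAN, True if an outbound NAT rule covers it there)."""
    report = {}
    for net in subnets:
        host = str(next(ip_network(net).hosts()))
        wan = egress_interface(cfg, host, probe_dst)
        report[net] = (wan, has_outbound_nat(cfg, wan, host))
    return report

# Broken state from the thread: VPN-pool NAT only on WAN_HOME while WAN_OFFICE had become default.
BROKEN = Config(default_gw="WAN_OFFICE",
                outbound_nat={("WAN_HOME", LAN_HOME), ("WAN_OFFICE", LAN_OFFICE), ("WAN_HOME", VPN_POOL)},
                policy=[PolicyRule(LAN_HOME, "WAN_HOME"), PolicyRule(LAN_OFFICE, "WAN_OFFICE")])

# phil.davis's alternative: policy-route VPN clients' non-internal traffic out WAN_HOME.
POLICY_FIXED = Config("WAN_OFFICE", BROKEN.outbound_nat,
                      BROKEN.policy + [PolicyRule(VPN_POOL, "WAN_HOME", INTERNAL_LANS, negate_dst=True)])
```

Running `audit(BROKEN, [LAN_HOME, LAN_OFFICE, VPN_POOL])` flags the VPN pool as leaving on WAN_OFFICE without NAT, while the same audit on `POLICY_FIXED` passes for all three subnets.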

                          I actually just set WAN_HOME as the default gateway so that takes the traffic back out that interface.  I have the policy based routing on the LANs to send them out their respective WAN connections.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.