Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    OpenVPN to IP Alias, NAT reflection not working

    Scheduled Pinned Locked Moved
    General pfSense Questions
    2
    3
    3.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jg3
      last edited by

      Hello.

      I have a problem where Open VPN clients cannot connect to the public IP of a server behind the pfSense firewall.

      From the Internet, connecting to the public IP is no problem - tells me that 1:1 NAT and IP Alias is working.  From inside the protected network, DHCP clients can connect via the public IP - tells me that NAT reflection is working for those clients.    But for clients connected via OpenVPN, there's no such luck.

      OpenVPN is running on the pfSense firewall itself.  The public IP is not the same as the public IP as the firewall (provider assigned multiple addresses).

      I have two 1:1 Nat entries for this host, using each of the WAN and OpenVPN interfaces.  I also have checked the option to "Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from."

      My outbound NAT rules are automatically generated. (is there a way to view these?)

      What should I set so OpenVPN clients can connect to the Public IP of this server?

      Posted to General because I don't know if this is a NAT, OpenVPN, Alias, or some other problem.

      1 Reply Last reply Reply Quote 1
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        AFAIK, NAT reflection does not work with OpenVPN-connected networks.

        Have them access it via the internal IP, not the public IP.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • J
          jg3
          last edited by

          Thanks for the reply.

          I actually figured out a workaround … I created another 1:1 NAT rule with OpenVPN as the interface.  Otherwise the rule is the same for the 1:1 NAT rule that sends public traffic to the private IP.

          NB: for OpenVPN clients who do not use the "send all traffic over the VPN" option, accessing the public IP is no problem, but for clients who DO send all their traffic over the VPN, this is necessary to connect to public IPs.  In a few critical scripts which we share with our customers the public hostname/IP is configured, so staff who might use those scripts from a hotel/airport/conference while tunneling all traffic to the firewall make this configuration requisite.

          1 Reply Last reply Reply Quote 0
          • T Teddy 0 referenced this topic on
          • T Teddy 0 referenced this topic on
          • T Teddy 0 referenced this topic on
          • First post
            Last post