Netgate Discussion Forum

    Quick NAT question

    NAT
    • Spectrum48k

      Can someone explain please, in layman's terms, if and why I need to make an additional entry to my Firewall > NAT > Outbound rules if I plan on adding an OpenVPN client?

      At present the pfSense box is a simple setup at home. It just lets PCs onto the internet by giving each an IP address from the box's DHCP server, no OpenVPN at all at this point.

      I want to add an OpenVPN client so some PCs are directed straight to the OpenVPN provider instead of my normal internet provider.

      At present my NAT rules are totally standard, nothing added yet to support OpenVPN client, but I'm confused as to WHY I need an additional NAT rule for OpenVPN?

      Is it because an additional NAT forwarding table is required?

      Thanks in advance

      pfSense 2.4.1
      Intel Atom E3845 Quad Core 1.9GHz AES-NI
      Intel Gigabit Ethernet x4
      pico-ITX form factor
      16GB mSATA
      2GB DDR3L

      • johnpoz LAYER 8 Global Moderator

        Not sure where you got the idea that you would need an extra outbound NAT if you're just going to run an OpenVPN client on some PC behind pfSense. There is no need for this.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        • Spectrum48k

          @johnpoz:

          Not sure where you got the idea that you would need an extra outbound NAT if you're just going to run an OpenVPN client on some PC behind pfSense. There is no need for this.

          Thank you, that's what I thought.

          So assuming my laptop needed to go out to my OpenVPN provider, and the rest just needed to use my internet provider, then this is set up in…

          Firewall > Rules > LAN

          Correct?

          • johnpoz LAYER 8 Global Moderator

            Your client talking to some VPN provider is out on the internet. There is nothing special you have to do anywhere in pfSense for that to happen. The VPN server your client is talking to is on the internet, like the rest of the internet.

            Unless you have changed the default any/any rule pfSense has on your LAN out of the box, there is nothing you would have to do to allow your PC behind pfSense to talk to some VPN provider out on the internet.

            I think maybe you're confusing this with the stuff that has to be done if you want pfSense to be the VPN client and route specific clients on your network over the VPN connection, while others just use your ISP connection. If the client making the connection to the VPN service is a PC on your network, there is nothing to do on pfSense for that to happen.

            • Spectrum48k

              @johnpoz:

              Your client talking to some VPN provider is out on the internet. There is nothing special you have to do anywhere in pfSense for that to happen. The VPN server your client is talking to is on the internet, like the rest of the internet.

              Unless you have changed the default any/any rule pfSense has on your LAN out of the box, there is nothing you would have to do to allow your PC behind pfSense to talk to some VPN provider out on the internet.

              I think maybe you're confusing this with the stuff that has to be done if you want pfSense to be the VPN client and route specific clients on your network over the VPN connection, while others just use your ISP connection. If the client making the connection to the VPN service is a PC on your network, there is nothing to do on pfSense for that to happen.

              Apologies, let me clarify: the pfSense box IS acting as the OpenVPN client in this scenario.

              I want the laptop to have its static IP recognised by the pfSense box, which in turn sends it to the OpenVPN provider's server.
              I want all other PCs to simply go to my regular internet provider.
              I know it seems silly to have the pfSense box act as the OpenVPN client for one device, but my intention is to add several more devices in future that need OpenVPN.

              • johnpoz LAYER 8 Global Moderator

                Oh, my bad. Sorry, I read that as you were going to run the OpenVPN client on the PC. I misread your post, sorry about that.

                If you want to set up pfSense as the client, then yes, you would need to modify your outbound rules to be able to NAT your network to the OpenVPN interface you create when you create the client connection.

                This is as simple as switching to hybrid mode and then adding an outbound rule to allow NAT of the internal network(s) you want to be able to use the VPN interface.

                Since you don't want all your clients to use the VPN, make sure you set your VPN client in pfSense NOT TO GRAB routes. Then, on the pfSense interface where the client you want to use the VPN sits, just create a rule sending that client, based on its IP, or via destination address or port, out the VPN gateway you created.

                Make sure on these rules that you remember that rules are evaluated top down: the first rule to trigger wins and no other rules are evaluated. So if you want clients to be able to talk to other local networks and such on your local side, you need to make sure rules are above this rule to allow that access before you shove the client down the VPN gateway.

                Hope that helps. And again, sorry I misread your post.

                • Spectrum48k

                  OK, so to re-ask the original question: why do we need to add the additional NAT rule for the OpenVPN client we'll be adding to pfSense?

                  • johnpoz LAYER 8 Global Moderator

                    Why? So pfSense knows to NAT the clients to the VPN IP it got. Unless your VPN server knows all about downstream networks, i.e. how to get to say 192.168.1.0/24 (your clients) via its VPN tunnel (172.16.0.0/30 as an example), yes, you have to NAT it.

                    • kpa

                      pfSense by default doesn't know what the upstream end of the tunnel is doing with regards to routing. There is no routing protocol in existence (well, at least with VPN solutions) that would tell pfSense that the upstream is actually forwarding traffic for your LAN network back over the VPN link to have two-way routing between the ends of the VPN tunnel. Such routing scenarios are always set up explicitly in coordination with both parties.

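The recipe johnpoz gives above (hybrid outbound NAT on the OpenVPN interface, a LAN rule that policy-routes one host to the VPN gateway, local-network rules placed above it) and the return-path reason kpa and johnpoz give for the NAT, written out as the pf rules such a configuration produces. This is an added example, not from the thread and not pfSense's own generated ruleset; the interface names, networks, tunnel addresses and the laptop IP are constructed assumptions.

```pf
# Added example (not from the thread). Constructed assumptions:
#   LAN interface em1 with 192.168.1.0/24, a second local net 192.168.2.0/24,
#   laptop 192.168.1.50, OpenVPN client interface ovpnc1 on tunnel 172.16.0.0/30
#   with the provider's end 172.16.0.1 acting as the VPN gateway.
# The OpenVPN client itself runs with "route-nopull" ("Don't pull routes"), so
# the provider's default route is NOT installed and only the rules below decide
# who goes down the tunnel.
lan_if = "em1"
vpn_if = "ovpnc1"
laptop = "192.168.1.50"
GW_VPN = " route-to ( ovpnc1 172.16.0.1 ) "
table <local_nets> { 192.168.1.0/24, 192.168.2.0/24 }

# Hybrid outbound NAT: when LAN traffic leaves via the tunnel, rewrite its source
# to the tunnel address. The provider has no route back to 192.168.1.0/24, so
# without this translation replies never return.
nat on $vpn_if inet from 192.168.1.0/24 to any -> ($vpn_if) port 1024:65535

# LAN rules are evaluated top down; "quick" means the first match wins.
# 1. Keep laptop-to-local traffic local. This MUST sit above the VPN rule,
#    otherwise the next rule would shove 192.168.2.0/24 traffic down the tunnel.
pass in quick on $lan_if inet from $laptop to <local_nets> keep state \
    label "USER_RULE: laptop to local networks"
# 2. Policy-route only the laptop to the VPN gateway (everything not local).
pass in quick on $lan_if $GW_VPN inet from $laptop to any keep state \
    label "USER_RULE: laptop out via VPN gateway"
# 3. Every other host keeps the stock LAN any/any rule and follows the default
#    route to the ISP.
pass in quick on $lan_if inet from 192.168.1.0/24 to any keep state \
    label "USER_RULE: Default allow LAN to any"
```

Swapping rules 1 and 2 is the ordering mistake the thread warns about: the laptop could then no longer reach 192.168.2.0/24 because rule 2 matches first and hands the packet to the tunnel gateway.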
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.