OpenVPN Client and NAT
-
Hello,
the gateway for the OpenVPN network is configured automatically when the connection is established. You should not add a gateway manually.
However, the "Routes in pfSense" shown in the drawing may not be correct. It has to point to 192.168.177.125, as shown in the route line underneath.
The packet capture looks strange. I can't find in the drawing where the source IP 192.168.3.210 comes from. Besides that, with the NAT rule I suggested, the source IP has to be the OpenVPN client's IP 192.168.177.126 in the OpenVPN tunnel, no matter what the real source is.
So I think you did something wrong.

As mentioned, as long as you are running only one OpenVPN instance, there is no need to assign an interface to it. However, it won't be a drawback if you do that.
The OpenVPN interface is an interface group in the strict sense and includes all OpenVPN instances, regardless of whether it's a client or a server.
-
I have 2 OVPN servers and one client configured.
I updated the picture, because the route was mistyped.

The ping from the OVPN interface to the server is OK, but when I ping from the LAN interface, there is no response.
If I use Outbound NAT, it should replace the source IP address (e.g. 192.168.3.1) with the OVPN address (192.168.177.170), if I understand right.
-
As already mentioned, if you're running multiple OpenVPN instances you must assign an interface to the site-to-site client to enable correct routing.
Also, I still don't get where the 192.168.3.1 comes from. It is shown in "ping from LAN interface", but in the drawing your LAN is 192.168.5.1.
-
Yes, correct, I made a mistake in the pic: 192.168.5.5 -> 192.168.3.5 (this was the previous config, corrected it).
I already assigned the OVPN client to an interface (name: CORBA).

The routing is correct and the traffic is routed into the tunnel, but the other end (server) has no route backward
(because this is not a site-to-site VPN, just a client VPN config). This is why I need NAT. Outbound NAT is configured.
-
The new network schema includes the same mistakes as the former. So still no clarity here.
Also I don't understand the meaning of the "Port test from pfSense". "Connect to the server on TCP 3389 from OpenVPN interface"???
Do you mean the one capture is taken on the OpenVPN interface and the other one on LAN?
If so, what was the real source IP?
-
The client subnet is 192.168.3.0/24. Now the test client IP is 192.168.3.210 (corrected on the previous pic).
My test cases are the following:
1; ping from pfSense OVPN interface to server (192.168.177.170 -> 192.168.143.9) -> success
2; ping from pfSense LAN interface to server (192.168.3.1 -> 192.168.143.9) -> failed, no route backward
3; PORT test from pfSense OVPN interface to server (192.168.177.170 -> 192.168.143.9:3389) -> success
4; PORT test from pfSense LAN interface to server (192.168.3.1 -> 192.168.143.9:3389) -> failed
5; ping from test client to server (192.168.3.210 -> 192.168.143.9) -> failed, the packet capture shows these packets also
6; PORT test from test client to server (192.168.3.210 -> 192.168.143.9:3389) -> failed, the packet capture shows these packets also

I always made the capture on the pfSense OVPN interface.
-
It seems that your Outbound NAT rule is not working.
Please post the Outbound NAT page for verifying the settings.
-
Yes, it seems to be…
-
The Outbound NAT settings look fine; however, the rule seems not to be applied.
Ensure that the firewall is not disabled in System > Advanced > Firewall & NAT.
Also please take the capture you've made before on the COBRA interface, to confirm that the packets are routed into the correct VPN tunnel.
-
All settings are default.
The NAT between LAN-WAN (and OPT1) works as expected. (I use a dual-WAN config and Gateway groups.)

The packet capture showed the packets with the original addresses.
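The thread turns on one expectation: with an outbound NAT rule bound to the assigned OpenVPN client interface, any packet from the LAN subnet that is routed into the tunnel must appear in the capture on that interface with the tunnel IP (192.168.177.170) as source, not with 192.168.3.1 or 192.168.3.210. The following is an added example, not code from the thread or from pfSense: a small model of how a pf-style outbound NAT rule decides whether to rewrite a packet's source, run against the six test cases listed above, plus a `diagnose()` check that explains why a packet seen untranslated in a capture was not matched (wrong interface, source outside the rule's network, destination outside the rule's network). The addresses are the ones quoted in the thread; the tunnel prefix length (/24), the default route, the interface name `ovpnc1` (pfSense's device name for the first OpenVPN client instance) and the rule layout are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: a model of pf outbound NAT matching on the OpenVPN client
# interface. Not pfSense code; addresses are from the thread, the rest is assumed.

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: Optional[int] = None  # None models an ICMP echo request


@dataclass(frozen=True)
class OutboundNat:
    interface: str        # interface the rule is bound to
    source: IPv4Net       # packets whose source is in this network match...
    destination: IPv4Net  # ...and whose destination is in this network
    translate_to: str     # "interface address" of that interface


# Routing table with longest-prefix match, like the pfSense route table.
# The /24 on the tunnel network and the default route are assumptions so that
# every lookup resolves.
ROUTES = [
    (IPv4Net("192.168.3.0/24"), "lan"),
    (IPv4Net("192.168.177.0/24"), "ovpnc1"),  # OpenVPN client tunnel (assumed /24)
    (IPv4Net("192.168.143.0/24"), "ovpnc1"),  # remote network behind the server
    (IPv4Net("0.0.0.0/0"), "wan"),            # assumed default route
]


def egress_interface(dst: str) -> str:
    """Return the interface a packet to dst leaves through (longest prefix wins)."""
    addr = ipaddress.IPv4Address(dst)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def apply_outbound_nat(pkt: Packet, rules: List[OutboundNat]) -> Tuple[Packet, str, Optional[OutboundNat]]:
    """Apply the first matching rule; return (packet as sent, egress iface, matched rule or None)."""
    iface = egress_interface(pkt.dst)
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for rule in rules:
        if rule.interface == iface and src in rule.source and dst in rule.destination:
            return Packet(rule.translate_to, pkt.dst, pkt.dport), iface, rule
    return pkt, iface, None


def diagnose(pkt: Packet, rule: OutboundNat) -> str:
    """Explain why a rule did or did not rewrite a packet that shows up untranslated in a capture."""
    iface = egress_interface(pkt.dst)
    if iface != rule.interface:
        return f"not translated: packet leaves via {iface}, rule is bound to {rule.interface}"
    if ipaddress.IPv4Address(pkt.src) not in rule.source:
        return f"not translated: source {pkt.src} is outside {rule.source}"
    if ipaddress.IPv4Address(pkt.dst) not in rule.destination:
        return f"not translated: destination {pkt.dst} is outside {rule.destination}"
    return f"translated: source rewritten to {rule.translate_to} on {iface}"


def capture_line(pkt: Packet) -> str:
    """tcpdump-like one-liner for what the capture on the egress interface should show."""
    proto = "ICMP echo request" if pkt.dport is None else f"TCP port {pkt.dport}"
    return f"IP {pkt.src} > {pkt.dst}: {proto}"


# The rule discussed in the thread: bound to the assigned OpenVPN client
# interface, source = LAN subnet, destination any, translation = interface address.
TUNNEL_RULE = OutboundNat("ovpnc1", IPv4Net("192.168.3.0/24"), IPv4Net("0.0.0.0/0"),
                          "192.168.177.170")

# Constructed packets for test cases 1-6 from the thread (same addresses).
CASES = [
    Packet("192.168.177.170", "192.168.143.9"),        # 1: ping from OVPN interface
    Packet("192.168.3.1", "192.168.143.9"),            # 2: ping from LAN interface
    Packet("192.168.177.170", "192.168.143.9", 3389),  # 3: port test from OVPN interface
    Packet("192.168.3.1", "192.168.143.9", 3389),      # 4: port test from LAN interface
    Packet("192.168.3.210", "192.168.143.9"),          # 5: ping from test client
    Packet("192.168.3.210", "192.168.143.9", 3389),    # 6: port test from test client
]

if __name__ == "__main__":
    for pkt in CASES:
        sent, iface, rule = apply_outbound_nat(pkt, [TUNNEL_RULE])
        print(f"{capture_line(pkt):50} -> on {iface}: {capture_line(sent)}")
    # A rule bound to the wrong interface never fires; diagnose() says why.
    wrong = OutboundNat("lan", TUNNEL_RULE.source, TUNNEL_RULE.destination, TUNNEL_RULE.translate_to)
    print(diagnose(CASES[4], wrong))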