pfSense as OpenVPN client with both SNAT and DNAT
-
I have a pfSense instance with a dynamic IP address that is configured as an OpenVPN client to connect to a Debian server on the public internet with the static IP address 1.1.1.1. The tunnel is using part of the private IP range: 192.168.8.1 (Debian server) and 192.168.8.2 (pfSense). This seems to be working, and the tunnel comes up properly. The pfSense box has a LAN behind it on 192.168.6.4/24.
The design goals that I’m trying to achieve are the following:
- Traffic initiated by 192.168.6.8 should be routed over the OpenVPN tunnel, and SNAT is used by the Debian box to make this traffic appear as though it originates from 1.1.1.1.
- Traffic inbound to 1.1.1.1 will hit a DNAT rule that will rewrite the destination address to 192.168.6.8 and route it over the OpenVPN tunnel.
Currently I have the #1 goal met by using a firewall rule on the LAN interface of the pfSense box to select the OpenVPN interface as the gateway for this traffic, and an SNAT rule on the 1.1.1.1 box to rewrite the source address. I have verified this by SSHing out to a third box; when I look at the output of ‘who’ there, it appears to be someone from the 1.1.1.1 box.
ssh -b 192.168.6.8 2.2.2.2   # this appears as though 1.1.1.1 is logged in.
ufw rules.before: -A POSTROUTING -s 192.168.6.8/32 -j SNAT --to-source 1.1.1.1
I’m also able to view this traffic from the Diagnostics/Packet Capture utility, and I see that my traffic goes out and comes back over the OpenVPN interface (OPT1 in my case). I can see that the source routing is picking this connection up and making it go over the VPN.
The second design goal is not being met, and what I’m finding is that when the traffic comes from the 1.1.1.1 box, it is being altered by a DNAT rule to have a new destination:
ufw rules.before: -A PREROUTING -p tcp -d 1.1.1.1 --dport 25 -j DNAT --to-destination 192.168.6.8
The traffic does arrive on the OpenVPN interface, and I can see it come in with the Diagnostics/Packet Capture with the correct source and destination addresses. I can also see the same traffic on the LAN interface, going both to and from the 192.168.6.8 host:
15:53:27.891463 IP 2.2.2.2.37612 > 192.168.6.8.25: tcp 0
15:53:27.891678 IP 192.168.6.8.25 > 2.2.2.2.37612: tcp 0
However, I can see the reply getting placed on the WAN interface instead of the OPT1 interface as specified by the source routing rule (which is working for traffic initiated by this host).
I have spent hours trying to come up with a configuration that will work here – does anyone have some advice?
-
@tlovie said in pfSense as OpenVPN client with both SNAT and DNAT:
Currently I have the #1 goal met by using a firewall rule on LAN interface of the pfSense box to select the OpenVPN interface as the gateway for this traffic
So you have already assigned an interface to the OpenVPN client instance on pfSense, and the remote host's IP is shown in System > Routing as a gateway?
@tlovie said in pfSense as OpenVPN client with both SNAT and DNAT:
- Traffic inbound to 1.1.1.1 will hit a DNAT rule that will rewrite the destination address to 192.168.6.8 and route it over the OpenVPN tunnel.
Ensure that this traffic is not handled by a floating rule! It has to be handled by rule on the interface you've assigned to the OpenVPN client.
Check the firewall log to see which rule allows that traffic.
-
@viragomann said in pfSense as OpenVPN client with both SNAT and DNAT:
So you have already assigned an interface to the OpenVPN client instance on pfSense, and the remote host's IP is shown in System > Routing as a gateway?
Correct - this is OPT1 in my case.
@tlovie said in pfSense as OpenVPN client with both SNAT and DNAT:
- Traffic inbound to 1.1.1.1 will hit a DNAT rule that will rewrite the destination address to 192.168.6.8 and route it over the OpenVPN tunnel.
Ensure that this traffic is not handled by a floating rule! It has to be handled by rule on the interface you've assigned to the OpenVPN client.
Check the firewall log to see which rule allows that traffic.
Just to clarify, the DNAT rule is on the Debian box (1.1.1.1): the destination is getting rewritten there, and the traffic is routed over the OpenVPN link to 192.168.6.8. I can see the traffic arrive on the OPT1 (VPN) interface, and I can also see it getting sent on the LAN, and the reply on the LAN as well. Then, instead of the reply getting picked back up by the source routing config, it simply gets sent out the WAN interface; I can watch it happen in Packet Capture.
-
I was talking about the rules on pfSense, of course.
As mentioned, such traffic must not be handled by floating rules. I don't know if you've set up some.
You may also do a workaround with an SNAT rule for that traffic on the Debian system to get the routing to work. But maybe that's not the best solution.
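The two NAT rules from the original post together with the SNAT workaround suggested in the last reply, written out as an added example in ufw rules.before (iptables-restore) form; this is not configuration from either poster. The interface names eth0 (public) and tun0 (OpenVPN) are assumptions, as is the choice of the Debian tunnel address 192.168.8.1 as the rewritten source.

```iptables
# /etc/ufw/rules.before on the Debian host (1.1.1.1): nat table, placed ahead
# of the *filter section. eth0 = public interface, tun0 = OpenVPN server
# interface (both names assumed). IP forwarding and the ufw forward policy
# must already permit these flows; that part is not shown here.
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# Goal 1: traffic the LAN host sends through the tunnel leaves eth0 with
# 1.1.1.1 as its source, so the far end (2.2.2.2) sees the Debian box.
-A POSTROUTING -s 192.168.6.8/32 -o eth0 -j SNAT --to-source 1.1.1.1

# Goal 2: SMTP arriving on the public address is forwarded down the tunnel
# to the LAN host; the client's real source address (e.g. 2.2.2.2) is kept.
-A PREROUTING -i eth0 -p tcp -d 1.1.1.1 --dport 25 -j DNAT --to-destination 192.168.6.8

# Workaround: rewrite the source of that forwarded flow to the Debian end of
# the tunnel. The reply from 192.168.6.8 is then addressed to 192.168.8.1,
# which pfSense already routes into OPT1, so it no longer depends on the
# LAN policy-routing rule and cannot fall back to the WAN default route.
# Cost: 192.168.6.8 sees every forwarded SMTP client as 192.168.8.1.
-A POSTROUTING -o tun0 -p tcp -d 192.168.6.8 --dport 25 -j SNAT --to-source 192.168.8.1
COMMIT
```

The third rule trades correct return routing for visibility: the mail host's logs and any per-client filtering on 192.168.6.8 no longer see the real client address, so keep the Debian box's own logs if that attribution matters.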