Netgate Discussion Forum

    1:1 NAT through Open

Exotic_Chocolate wrote:

      Hi folks,

      I'm trying to configure 1:1 NAT for an address behind a VPN.

I have a site-to-site VPN server called relay. relay has a main WAN address of x.x.x.139, and a handful of virtual IPs coming off of WAN's gateway.

      Then, I have a site-to-site VPN client called router. router runs 192.168.129.0/24, which uses the relay VPN connection as its gateway. I've set x.x.x.146 to 1:1 NAT with 192.168.129.11. I'm able to browse, ping, or ssh to .146 and get into .11 reliably from anywhere, so I know the inbound side of the 1:1 NAT works.

      The trouble is everything outbound from 192.168.129.11 looks like it's coming from x.x.x.139 (relay's main WAN address), as opposed to x.x.x.146 (the VIP it's 1:1 NATed to).

      The problem looks like what's described here: https://pfsense-docs.readthedocs.io/en/latest/nat/troubleshooting-1-1-nat.html

      But, I'm not running any sort of proxy (that I'm aware of), other than perhaps the VPN itself. The fact that inbound works perfectly makes me think this should be possible.

      The grand goal here is to do a more heavy duty version of what https://portmap.io/ does.

      Somewhat separately, I've wondered if I'm doing too much routing and not enough switching. To that end, I've investigated running OpenVPN in TAP as opposed to TUN mode, but in order for everything to get bridged/DHCPed properly it looks like router would have to be the VPN server as opposed to relay (which defeats the point).

      Thanks

viragomann wrote, replying to Exotic_Chocolate:

        @exotic_chocolate said in 1:1 NAT through Open:

        The trouble is everything outbound from 192.168.129.11 looks like it's coming from x.x.x.139 (relay's main WAN address), as opposed to x.x.x.146 (the VIP it's 1:1 NATed to).

        So obviously you have an outbound NAT rule on the WAN matching the source IP 192.168.129.11.
        Presumably this rule is processed first and so the 1:1 is skipped.

        Try to remove that outbound NAT rule or edit it so that it doesn't match.
        You may also add a separate outbound NAT rule for that source IP to the top of the rule set, translating to x.x.x.146.

Exotic_Chocolate wrote, replying to viragomann:

          Thank you @viragomann, that did the trick!

          For anyone who is interested, here are my notes:

          On relay, outbound NAT set to Manual
          relay rule for 192.168.130.0/24 uses WAN address for NAT
1:1 is set up on relay, mapping x.146 to 192.168.129.11
IP shows as .139

          Same as above, except outbound NAT mode set to disabled
          no outbound traffic

          Reset to first configuration.
          Disabled outbound NAT on router
IP shows as .146!

          Re-enabled outbound NAT on router, but disabled it for the 129.0/24 network

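The three configurations in the notes above, and viragomann's point that an Outbound NAT rule can keep the 1:1 entry from ever seeing the packet, come down to one question: what source address is on the packet when it reaches each box's translation rules? The walk-through below is an added example, not code from the thread, from pfSense or from pf. It models the two hops with pf's outbound semantics as pfSense uses them (binat, i.e. 1:1 NAT, is consulted before ordinary nat rules on an outbound packet; within each set the first matching rule wins). The addresses are stand-ins: 203.0.113.139 for x.x.x.139, 203.0.113.146 for x.x.x.146, and 10.8.0.1 / 10.8.0.2 for assumed OpenVPN tunnel endpoints on relay / router; the interface names "ovpnc1" and "wan" and the destination host are likewise assumed.

```python
"""Two-hop NAT walk-through: a LAN host behind the VPN client "router" sends
out through the VPN server "relay"; which source address does the Internet
see?  Added example, not pfSense or pf code.  Addresses are stand-ins."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

RELAY_WAN = "203.0.113.139"   # stand-in for x.x.x.139 (relay WAN address)
RELAY_VIP = "203.0.113.146"   # stand-in for x.x.x.146 (relay VIP, 1:1 target)
ROUTER_TUN = "10.8.0.2"       # assumed OpenVPN tunnel address of router
LAN_HOST = "192.168.129.11"
LAN_NET = "192.168.129.0/24"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    """One source-translation rule on an egress interface."""
    iface: str
    src_net: str
    to: str               # address the source is rewritten to
    binat: bool = False   # True for a pfSense 1:1 entry (pf binat)

    def matches(self, iface, pkt):
        return iface == self.iface and ip_address(pkt.src) in ip_network(self.src_net)


def translate(rules, iface, pkt):
    """pf outbound translation: binat entries first, then nat rules; first
    match within a set wins.  Returns (packet, matching rule or None)."""
    for want_binat in (True, False):
        for r in rules:
            if r.binat == want_binat and r.matches(iface, pkt):
                return replace(pkt, src=r.to), r
    return pkt, None


def egress_source(router_rules, relay_rules, pkt):
    """Walk pkt out of router (egress tunnel) and then out of relay (egress
    WAN); return the source address the destination ends up seeing."""
    pkt, _ = translate(router_rules, "ovpnc1", pkt)   # hop 1: router -> tunnel
    pkt, _ = translate(relay_rules, "wan", pkt)       # hop 2: relay -> Internet
    return pkt.src


# relay: manual Outbound NAT to the WAN address plus the 1:1 entry for .11
RELAY_RULES = [
    Rule("wan", "0.0.0.0/0", RELAY_WAN),
    Rule("wan", f"{LAN_HOST}/32", RELAY_VIP, binat=True),
]
# router: the tunnel is its gateway, so Outbound NAT also covers the tunnel
# and every LAN packet leaves router carrying the tunnel address as source
ROUTER_NAT_ON = [Rule("ovpnc1", LAN_NET, ROUTER_TUN)]
ROUTER_NAT_OFF = []

# constructed sample packet: .11 talking to some Internet host
PKT = Packet(LAN_HOST, "198.51.100.10")


def scenario_1():
    """Notes, first configuration: router NATs into the tunnel, so relay never
    sees 192.168.129.11, the 1:1 entry cannot match, and the catch-all
    Outbound NAT rule wins -> .139."""
    return egress_source(ROUTER_NAT_ON, RELAY_RULES, PKT)


def scenario_2():
    """Notes, second configuration: Outbound NAT disabled on relay.  The 1:1
    entry still does not match the tunnel address, so the packet leaves with
    a private source and nothing comes back."""
    src = egress_source(ROUTER_NAT_ON, [r for r in RELAY_RULES if r.binat], PKT)
    return src, ip_address(src).is_private


def scenario_3():
    """Notes, the fix: no Outbound NAT on router for 192.168.129.0/24, so the
    original source reaches relay and the 1:1 entry matches -> .146."""
    return egress_source(ROUTER_NAT_OFF, RELAY_RULES, PKT)


if __name__ == "__main__":
    print("1: relay sees the tunnel address, 1:1 cannot match ->", scenario_1())
    print("2: nothing translates the tunnel address           ->", scenario_2())
    print("3: original source reaches relay, 1:1 matches      ->", scenario_3())
```

On the real firewalls the same question is answered with pfctl: `pfctl -sn` lists the nat and binat rules as actually loaded, and `pfctl -ss` shows the states with the translated source address, so a state on relay whose source is the tunnel address rather than 192.168.129.11 points straight at the router-side NAT.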
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.