Netgate Discussion Forum

1:1 NAT to OpenVPN 2.5.0

  • V
    varyuhin.anton
    last edited by Mar 26, 2021, 12:13 PM

    After the 2.5.0 upgrade I can't create a 1:1 NAT rule for OpenVPN tunnels. Every time I get this error message: "The interface do not have address from the specified address family". Rules created earlier (2.4.4) are still working, but I can't make any changes to them (same error).

    Case Diagram and interface screenshots:
    https://imgur.com/a/CfqCreM

    This functionality is crucial for connecting networks with overlapping address ranges.
    What am I doing wrong?

    • D
      DaddyGo @varyuhin.anton
      last edited by Mar 26, 2021, 12:28 PM

      @varyuhin-anton said in 1:1 NAT to OpenVPN 2.5.0:

      I can't create 1:1 NAT rule for OpenVPN tunnels.

      Hi,

      Hmmm,..this is interesting
      What does the third image cover?
      172.29..........etc.

      Cats bury it so they can't see it!
      (You know what I mean if you have a cat)

      • V
        varyuhin.anton @DaddyGo
        last edited by varyuhin.anton Mar 26, 2021, 12:42 PM Mar 26, 2021, 12:41 PM

        @daddygo said in 1:1 NAT to OpenVPN 2.5.0:

        Hmmm,..this is interesting
        What does the third image cover?
        172.29..........etc.

        Hi,
        Just an example of the error message and interface differences between versions
        For diagram example it could be:
        External subnet ip: 172.22.1.10
        Internal ip: Single host: 192.168.1.10
        172.22.1.0/24 and 172.22.2.0/24 networks are also present in ovpn server/client configurations ( IPv4 Remote network(s) )

        • C
          cibiri
          last edited by Apr 30, 2021, 2:43 AM

          Hello,
          Did you find any solution for this? I got the same silly error.

          Regards,

          Christian

          • C
            cibiri
            last edited by cibiri Apr 30, 2021, 4:01 AM Apr 30, 2021, 3:25 AM

            Hello,
            I found the solution for this issue, you can do it manually:

            1. Dump the current ruleset into a file
              pfctl -sn > /var/tmp/tempfile

            2. Edit the file using the edit option in the Diagnostics menu
              /var/tmp/tempfile

            3. Import the whole ruleset again
              pfctl -Nf /var/tmp/tempfile

            Keep in mind this is overwritten for the other configurations that you made in the PfSense by GUI.

            For permanent changes, you will need to export a backup of the NAT area, edit the XML with the correct interface and import it again.

            Regards,

            Christian

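An added example, not part of the post above and not Netgate's code: the dump, edit and reload steps wrapped in POSIX sh functions that keep an untouched copy of the dump, show what was edited, and parse the file with `pfctl -n` before loading it. The function names are assumptions; the path is whatever you pass in (the post uses /var/tmp/tempfile).

```shell
#!/bin/sh
# Added example (not from the thread). Function names are assumptions.
# Typical use from the pfSense shell:
#   nat_dump /var/tmp/tempfile      # step 1, plus a backup copy
#   ...edit /var/tmp/tempfile...    # step 2
#   nat_changes /var/tmp/tempfile   # review the edit
#   nat_reload /var/tmp/tempfile    # step 3, after a dry-run parse

# Dump the live NAT rules to "$1" and keep an untouched copy as "$1.orig".
nat_dump() {
    pfctl -sn > "$1" || return 1
    cp "$1" "$1.orig"
}

# Show what the manual edit changed relative to the original dump.
nat_changes() {
    diff -u "$1.orig" "$1"
}

# Parse "$1" without loading it (-n); only if that succeeds, load its
# NAT rules (-N). Returns 2 and loads nothing when the parse fails.
nat_reload() {
    if ! pfctl -n -N -f "$1"; then
        echo "parse failed, nothing loaded: $1" >&2
        return 2
    fi
    pfctl -N -f "$1"
}

# Put back the NAT rules that were live when nat_dump ran.
nat_rollback() {
    pfctl -N -f "$1.orig"
}
```

As the post says, a ruleset loaded this way is not persistent; the `.orig` copy only covers undoing the manual edit.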
            • D
              DaddyGo @cibiri
              last edited by DaddyGo Apr 30, 2021, 3:41 PM Apr 30, 2021, 3:41 PM

              @cibiri said in 1:1 NAT to OpenVPN 2.5.0:

              Keep in mind this is overwritten for the other configurations that you made in the PfSense by GUI.

              Hi Chris,

              Well yes that's the tricky part, what happens later, do you always edit? 😉

              Cats bury it so they can't see it!
              (You know what I mean if you have a cat)

              • V
                varyuhin.anton
                last edited by varyuhin.anton Apr 30, 2021, 5:03 PM Apr 30, 2021, 5:01 PM

                @cibiri yeah something similar

                here's the guide for manual editing config xml files

                and here's the bug page

                • C
                  cibiri @varyuhin.anton
                  last edited by Apr 30, 2021, 5:35 PM

                  @varyuhin-anton that's correct!
                  For now the process is very manual, but at least we have my Pfsense outbound NAT working, this issue affected our operations :(

                  We'll wait for the full fix.

                  • A
                    acinoarevirn @cibiri
                    last edited by acinoarevirn Nov 4, 2021, 10:47 PM Nov 4, 2021, 10:20 PM

                    @cibiri Hi!

                    Can you post your config?

                    I'm trying to translate with the newest pfsense but the interface changed and it's not really working

                    When I configure my nat rule (10.0.64.0 first IP will translate to 192.168.0.0/18 (the overlap)) - my site 0 is 172.x and all my clients (15 of them) are 192.168.0.0/18 )

                    binat on openvpn inet from 192.168.0.0/18 to any -> 10.0.64.0/18
                    

                    I've also configured OPT1 but nothing.

                    But it's not working. Any other config somewhere? I'm following this tutorial https://docs.netgate.com/pfsense/en/latest/recipes/openvpn-nat-subnets-conflict.html
