NAT to WAN not working when openvpn service is running
-
@nischi said in NAT to WAN not working when openvpn service is running:
I have some specific clients which are routed out the openvpn
How did you do this?
Which pfSense version?
Post the routing table, please (Diagnostic > Routes).
-
@viragomann version 2.5.1
See previous image for outbound.
-
@nischi Should I post something more to help diagnose with?
-
@nischi
Not clear why this happens here. There is a known bug on 2.5.1 concerning port forwarding (Port forward works only on interface with default gateway, does not work for alternative wans (CE Only)), however this should not be the case here. It seems to me like response packets on the forwards are routed out to the VPN gateway. You can check that out by sniffing the traffic on the OpenVPN interface while trying to access from WAN using a port checker to be sure what's going on.
Is the 192.168.1.132 a member of vpn_clients?
-
@viragomann the 192.168.1.132 is a client that is connecting to WAN without openvpn. It's for that client (and any other client not on the openvpn) I can't get the port forwarding to work unless I stop the openvpn service.
I found a thread I thought had a similar problem (I think), but I couldn't get the solution to work since it was deprecated.
https://forum.netgate.com/topic/128238/nat-stops-working-in-multi-wan-when-primary-wan-goes-down/6
That thread suggested using "Default gateway switching".
Note that the following captures are made with "full" level of detail.
See the text-file 1 1.txt for what was captured on the WAN-interface during the port lookup of 8096 which is NAT/port forwarded to 192.168.1.132
See the text-file 2 2.txt for what was captured on the OpenVPN-client-interface doing the same port 8096 lookup from WAN.
See the text-file 3 3.txt for what was captured on the VPN-interface doing the same port 8096 lookup from WAN.
-
@viragomann Hey, I just had to try since you mentioned the open issue earlier. I have updated to 2.6.0.a.20210524.0100 DEV, and it's working as expected now... Thank you for taking your time and pushing me toward the right direction!
-
@nischi said in NAT to WAN not working when openvpn service is running:
See the text-file 1 1.txt for what was captured on the WAN-interface during the port lookup of 8096 which is NAT/port forwarded to 192.168.1.132
WTH! This capture shows that 192.168.1.132 is responding without NAT! The packets go out with the internal IP as source, which cannot be routed.
No clue where this comes from here. And if you turn off the vpn this works as expected?
There should not be any difference regarding this. Your setup seems to me like pfSense is virtualized on a host, where the WAN interface is passed through to pfSense, but the LAN is a virtual NIC.
Is it possible that there is something wrong with this setup? Maybe some traffic is bypassed.
Is the WAN exclusively used by pfSense?
-
@viragomann I can't test it again as I've updated. But yes, the case was that if I turned off the openvpn service it was working as expected for the non-vpn clients.
I'm running pfsense inside a VM on unraid (QEMU), with a physical NIC for WAN, and a virtual NIC for LAN. The WAN is exclusive for pfsense and is isolated.
I was very confused by all of this as I'm sure I had these settings working last year. Must have been something in 2.5 that got solved now by the issue mentioned earlier in 2.6.
-
@nischi
Last year was 2.4.5. 2.5.0 came out last February.
Maybe a roll-back is an option for you.
https://docs.netgate.com/pfsense/en/latest/releases/versions.html
-
@viragomann btw how could you discern that I was running virtualized?
-
@nischi
The routing table shows the network ports: vtnet0, em0.
-
@viragomann oh right, thanks :)