Use of "No BINAT" to exclude WAN VIP not working.



  • Hi All,

    I am trying to set up OpenVPN and am having issues that I realize are related to our 1:1 NAT.

    We have a /24, but our provider does not route to us; instead they own the equipment at .1 and we are essentially on a switch port. Meaning we need to answer ARP requests using a Virtual IP and use 1:1 NAT.

    Given network AA.BB.CC.0/24, the upstream default gw is AA.BB.CC.1, and our pfSense is AA.BB.CC.4/24.

    We have 1:1 NAT for AA.BB.CC.8/24 -> 10.10.1.8/24

    I was hoping from the text of the "External subnet IP" box that we could 'start' on an IP not necessarily at the beginning of a network:

    Enter the external (usually on a WAN) subnet's starting address for the 1:1 mapping. The subnet mask from the internal address below will be applied to this IP address.

    That apparently doesn't work, as AA.BB.CC.4 is being NATted to 10.10.1.4.

    I tried adding a rule:
      No BINAT (NOT): checked
      External subnet IP: AA.BB.CC.4
      Internal IP: Single host or Alias: 10.10.1.4

    but that did not seem to work.
    If I completely disable the 1:1 NAT, the OpenVPN works instantly. And I can see in the state table my outside connection going from outside_ip -> AA.BB.CC.4 -> 10.10.1.4.

    Any thoughts or suggestions how to implement this?

    Shane
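The help text quoted in the post says the mask of the internal address is applied to the external starting address. The following added example (not from the post and not pfSense code) models that behaviour with the standard `ipaddress` module, so the effect of the mask can be checked without touching a firewall. It uses the documentation range 198.51.100.0/24 as a constructed stand-in for AA.BB.CC.0/24; the function names are the example's own.

```python
import ipaddress


def translate_1to1(addr, ext_start, int_start, prefixlen):
    """Model of a pf/pfSense 1:1 NAT (binat) entry.

    The /prefixlen mask taken from the internal address is applied to BOTH the
    external start address and the internal start address, so the entry covers
    two whole aligned networks, not a range that begins at the start address.
    Returns the internal address that a WAN-side address is translated to, or
    None when the address falls outside the mapped external network.
    """
    ext_net = ipaddress.ip_network(f"{ext_start}/{prefixlen}", strict=False)
    int_net = ipaddress.ip_network(f"{int_start}/{prefixlen}", strict=False)
    a = ipaddress.ip_address(addr)
    if a not in ext_net:
        return None
    # Host bits are carried over unchanged; only the network part is swapped.
    host_bits = int(a) - int(ext_net.network_address)
    return str(int_net.network_address + host_bits)


def mapped_external_network(ext_start, prefixlen):
    """Return the external network actually covered by a 1:1 entry whose
    "External subnet IP" is ext_start and whose internal address has the given
    prefix length (the start address is rounded down to the network boundary)."""
    return str(ipaddress.ip_network(f"{ext_start}/{prefixlen}", strict=False))


if __name__ == "__main__":
    # Constructed values standing in for the post's AA.BB.CC.8/24 -> 10.10.1.8/24
    wan_ip = "198.51.100.4"          # the firewall's own WAN address
    ext_start, int_start = "198.51.100.8", "10.10.1.8"

    # With /24 the entry covers the whole 198.51.100.0/24, so .4 is translated too.
    print(mapped_external_network(ext_start, 24))              # 198.51.100.0/24
    print(translate_1to1(wan_ip, ext_start, int_start, 24))    # 10.10.1.4

    # With /29 the same start addresses only cover .8-.15, leaving .4 untouched.
    print(mapped_external_network(ext_start, 29))              # 198.51.100.8/29
    print(translate_1to1(wan_ip, ext_start, int_start, 29))    # None
    print(translate_1to1("198.51.100.9", ext_start, int_start, 29))  # 10.10.1.9
```

Running the script shows why a /24 entry that "starts" at .8 still catches the firewall's .4 address: the mask rounds the start address down to .0, and every host in that network, the WAN IP included, is translated.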
