NAT and OpenVPN



  • Hi guys, I have the following scenario:

    Server 01: 10.36.1.1
    Server 02: 10.46.1.1

    Server 02 is an OpenVPN client of server 01. I have external access to server 01, and on it I created the NAT rule:

    public_ip_server_01:8081 redirect to internal_ip_on_server2_in_openvpn: 10.46.1.200:80

    This redirection does not work. When I use any internal server01 IP, then it starts to work.

    NAT Rule:

    Source: Any
    Destination: WAN address (this is the OpenVPN interface)
    Destination port: 8081

    Redirect: 10.46.1.200
    Port: http

    Rule Generated Automatically:

    Interface: GVT
    Source: Any
    Destination: Single host/alias 10.46.1.200
    Destination port range: http/http

    Can anyone help?



  • I think the forwarding is working, but server02 will send responses to requests coming along the VPN to its default gateway instead of to the VPN server.

    There are 3 ways to resolve this. Which one you should use depends on your environment.

    • If you don't need another default route on server02, set it to the VPN server.

    • If it is just a single IP which accesses server02 over the VPN, route this IP back to the VPN server.

    • NAT: let the VPN server translate the source IP of packets intended for server02 to the VPN server's address. This can be done by outbound NAT.
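    The asymmetric-return problem and the three fixes above, as an added routing-table model (not code from this thread; the Internet client and OpenVPN tunnel addresses are assumed placeholders, the other addresses come from the posts):

```python
import ipaddress

# Constructed model of the thread's topology. PUBLIC_CLIENT and VPN_SERVER_TUN
# are assumed placeholders; 10.46.1.200 and 10.36.1.0/24 come from the thread.
PUBLIC_CLIENT = "198.51.100.77"   # assumed Internet client hitting pfSense1:8081
VPN_SERVER_TUN = "10.8.0.1"       # assumed OpenVPN tunnel address of pfSense1
DVR = "10.46.1.200"               # destination host behind pfSense2

# Routing table of pfSense2 (server 02) as (prefix, egress). The default route
# points at its own ISP gateway; only the server01 LAN and the tunnel network
# are reachable through the OpenVPN interface.
PFSENSE2_ROUTES = [
    ("0.0.0.0/0", "wan_gateway"),
    ("10.46.1.0/24", "lan"),
    ("10.36.1.0/24", "ovpn"),
    ("10.8.0.0/24", "ovpn"),
]


def lookup(routes, dst):
    """Longest-prefix match over (prefix, egress) pairs."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None


def reply_egress(fix=None, client=PUBLIC_CLIENT):
    """Egress pfSense2 chooses for the DVR's reply after pfSense1 has
    port-forwarded a packet from `client`, under one of the three fixes."""
    routes = list(PFSENSE2_ROUTES)
    reply_dst = client                      # reply is addressed to the packet's source
    if fix == "default_via_vpn":            # fix 1: default route through the tunnel
        routes[0] = ("0.0.0.0/0", "ovpn")
    elif fix == "host_route":               # fix 2: /32 route for the single client
        routes.append((client + "/32", "ovpn"))
    elif fix == "outbound_nat":             # fix 3: pfSense1 rewrites the source IP
        reply_dst = VPN_SERVER_TUN
    return lookup(routes, reply_dst)


if __name__ == "__main__":
    for fix in (None, "default_via_vpn", "host_route", "outbound_nat"):
        print(f"{fix!s:16} -> reply leaves pfSense2 via {reply_egress(fix)}")
    # Matches the first post: a source inside server01's LAN already works.
    print("10.36.1.50 source -> reply via", reply_egress(None, client="10.36.1.50"))
```

    Without a fix the reply leaves via the WAN gateway and never reaches the state table on pfSense1, which is why the forward appears dead while an internal source works.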



  • Hi viragomann,

    Thanks for the reply! I'm not a pfSense professional; how can I do one of these steps? The second one sounds easier to me.
    It's DVR access, so I only need this IP accessible on server 02.

    Can you help me?

    Thanks!



  • That depends on the OS. Server02 is also pfSense?

    If so, presuming you have already assigned an interface to the OpenVPN client, just go to System > Routing > Static routes, add a new route, enter the public IP from which you want to access server02, select the OpenVPN gateway and save the route.

    However, I don't have an idea what you're intending. This just works on the VPN client. For hosts behind it, that only works if the pfSense running the client is the default gateway.



  • Viragomann, thanks for attention!

    My problem is: I need to access one server (which is on server 02) over the Internet. My server 01 (both are pfSense) has a fixed Internet IP, which makes managing the access easier.

    The VPN connection is already active, and from server 01 I have access to any machine behind server 02 through the VPN tunnel.

    The problem is NAT: when I try to direct any WAN request arriving at server 01 (which has a fixed IP) to server 02 through the VPN (which is already up and running), I cannot.

    Directly accessing server 02 would be a problem because its Internet IP is not fixed and I need to use services like No-IP to manage it.

    What do you mean by "the public IP which you want to access server02"?
    In my mind I will access server 02 with the server 01 public IP. Am I not right?

    Thanks!!!



  • @pilot007:

    The VPN connection is already active, and from server 01 I have access to any machine behind server 02 through the VPN tunnel.

    So it's still cloudy whether server02 (I'll call it pfSense2 for clarity) is the default gateway for the hosts behind it, or pfSense1 has a route to this subnet (this will be defined by the OpenVPN settings). ???

    But why do you forward the traffic to pfSense2's LAN address? Or is that a static VPN address?
    If you've set up the routes between the two sites, you can also forward the traffic directly to the destination server.

    For clarity, please tell us the IP of the destination host and the subnet behind pfSense2, and whether it is the default gateway for the destination host.
    And post the routing tables of both sites. You can find them in Diagnostics > Routes.



  • pfSense 1 has a route to pfSense 2 via OpenVPN. Each one is its own default gateway.

    I can send internal packets from pfSense01 to pfSense02 through the VPN normally. The problem happens when I try to send these packets through a NAT rule on the WAN of pfSense01.

    I sent a message with the server routes.

    Thanks!!!