Enabling OpenVPN Server Results in every-other connection failing

RobEmery

Hello,

I have a strange problem. I have my pfSense (2.3.1_1) box configured as an OpenVPN Client and```
redirect-gateway def1

Interface OpenVPN
protocol any
source network 172.30.0./24 (my LAN)
destination any
Translation address: interface address.

This works as expected, the other side of the VPN receives traffic NAT'd with the client IP of the OpenVPN client tunnel.

I also want to allow myself to Dial-IN VPN to my network; I have configured OpenVPN server etc.

When I enable the OpenVPN Server in the pfSense GUI, every-other outbound connection fails from machines on the LAN. I have run a traffic capture on the firewall on the OpenVPN client interface and I see that each new outbound connection's source IP address is alternating between the correct IP and the IP address of the Dial-In Open VPN Tunnel network.

18:33:34.459329 IP 172.30.1.66 > 8.8.4.4: ICMP echo request, id 14954, seq 1, length 64
18:33:34.486450 IP 8.8.4.4 > 172.30.1.66: ICMP echo reply, id 14954, seq 1, length 64

• I Press ctrl+C on the ping and re-run the ping command
  18:33:35.498971 IP 192.168.48.1 > 8.8.4.4: ICMP echo request, id 43822, seq 1, length 64
  18:33:37.787437 IP 192.168.48.1 > 8.8.4.4: ICMP echo request, id 33652, seq 1, length 64
• I Press ctrl+C on the ping and re-run the ping command
  18:33:39.306957 IP 172.30.1.66 > 8.8.4.4: ICMP echo request, id 25940, seq 1, length 64
  18:33:39.333662 IP 8.8.4.4 > 172.30.1.66: ICMP echo reply, id 25940, seq 1, length 64

I am very confused as to why enabling the server affects my outbound NAT at all? Unless I've completely misinterpreted the behavior?

Help!
Thanks,
Rob

viragomann

@RobEmery:

I have the NAT in hybrid mode with one additional rule to the automatics which is :

Interface OpenVPN
protocol any
source network 172.30.0./24 (my LAN)
destination any
Translation address: interface address. 

This works as expected, the other side of the VPN receives traffic NAT'd with the client IP of the OpenVPN client tunnel.

When I enable the OpenVPN Server in the pfSense GUI, every-other outbound connection fails from machines on the LAN. I have run a traffic capture on the firewall on the OpenVPN client interface and I see that each new outbound connection's source IP address is alternating between the correct IP and the IP address of the Dial-In Open VPN Tunnel network.

If you're running an openvpn client and server together you have 2 virtual openvpn interfaces which are handled as an interface group by pfSense. So the outbound NAT rule you've configured above alternates the interface addresses in a round robin manner.

To solve, you've to assigns an interface to each, client and server (Interfaces > assign). Then use the clients interface in the outbound NAT rule.

RobEmery

Hello,

@viragomann:

To solve, you've to assigns an interface to each, client and server (Interfaces > assign). Then use the clients interface in the outbound NAT rule.

Thanks, I'll try that in a minute!

I had a feeling it might be something similiar to this; it seems strange to me that it would NAT onto the wrong interface? I appreciate that there are 2 'rules' but I would expect the "interface address" rule to apply to that instance of the openvpn interface, rather than "all openvpn interfaces" as it were? I can't see a use case for this behaviour at the moment (I'm probably missing something).

Thanks again

RobEmery

Just as an update; this has fixed it. I assigned interfaces for all the different varieties of OpenVPN (dial-in, clients) and created explicit NAT rules for them, and voila it works. Thanks viragomann