    Enabling OpenVPN Server Results in every-other connection failing

      RobEmery:

      Hello,

      I have a strange problem. I have my pfSense (2.3.1_1) box configured as an OpenVPN Client and

      ```
      redirect-gateway def1
      ```

      I have the NAT in hybrid mode with one additional rule to the automatics which is:

      ```
      Interface OpenVPN
      protocol any
      source network 172.30.0./24 (my LAN)
      destination any
      Translation address: interface address.
      ```

      
      This works as expected, the other side of the VPN receives traffic NAT'd with the client IP of the OpenVPN client tunnel.
      
      I also want to allow myself to Dial-IN VPN to my network; I have configured OpenVPN server etc.
      
      When I enable the OpenVPN Server in the pfSense GUI, every-other outbound connection fails from machines on the LAN. I have run a traffic capture on the firewall on the OpenVPN client interface and I see that each new outbound connection's source IP address is alternating between the correct IP and the IP address of the Dial-In Open VPN Tunnel network.
      
      

      ```
      18:33:34.459329 IP 172.30.1.66 > 8.8.4.4: ICMP echo request, id 14954, seq 1, length 64
      18:33:34.486450 IP 8.8.4.4 > 172.30.1.66: ICMP echo reply, id 14954, seq 1, length 64
      ```

      I press Ctrl+C on the ping and re-run the ping command:

      ```
      18:33:35.498971 IP 192.168.48.1 > 8.8.4.4: ICMP echo request, id 43822, seq 1, length 64
      18:33:37.787437 IP 192.168.48.1 > 8.8.4.4: ICMP echo request, id 33652, seq 1, length 64
      ```

      I press Ctrl+C on the ping and re-run the ping command:

      ```
      18:33:39.306957 IP 172.30.1.66 > 8.8.4.4: ICMP echo request, id 25940, seq 1, length 64
      18:33:39.333662 IP 8.8.4.4 > 172.30.1.66: ICMP echo reply, id 25940, seq 1, length 64
      ```
      
      I am very confused as to why enabling the server affects my outbound NAT at all? Unless I've completely misinterpreted the behavior?
      
      Help!
      Thanks,
      Rob
        viragomann:

        @RobEmery:

        > I have the NAT in hybrid mode with one additional rule to the automatics which is:
        >
        > ```
        > Interface OpenVPN
        > protocol any
        > source network 172.30.0./24 (my LAN)
        > destination any
        > Translation address: interface address.
        > ```
        >
        > This works as expected, the other side of the VPN receives traffic NAT'd with the client IP of the OpenVPN client tunnel.
        >
        > When I enable the OpenVPN Server in the pfSense GUI, every-other outbound connection fails from machines on the LAN. I have run a traffic capture on the firewall on the OpenVPN client interface and I see that each new outbound connection's source IP address is alternating between the correct IP and the IP address of the Dial-In Open VPN Tunnel network.

        If you're running an OpenVPN client and server together you have 2 virtual OpenVPN interfaces, which are handled as an interface group by pfSense. So the outbound NAT rule you've configured above alternates the interface addresses in a round-robin manner.

        To solve it, you have to assign an interface to each, client and server (Interfaces > Assign). Then use the client's interface in the outbound NAT rule.

          RobEmery:
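A quick check, added here and not part of the thread, that runs the capture lines quoted in the first post through a small parser: it groups ICMP echo requests by the translated source address and reports which addresses never received a reply, which is the symptom of a NAT rule bound to the OpenVPN group interface instead of the client's assigned interface. The capture text is copied from the post above; the address roles (172.30.1.66 client tunnel, 192.168.48.1 dial-in tunnel) are as the poster described them.

```python
import re
from collections import defaultdict

# Constructed from the tcpdump lines quoted in the thread: ICMP echo traffic
# seen on the OpenVPN client interface while the OpenVPN server was enabled.
CAPTURE = """\
18:33:34.459329 IP 172.30.1.66 > 8.8.4.4: ICMP echo request, id 14954, seq 1, length 64
18:33:34.486450 IP 8.8.4.4 > 172.30.1.66: ICMP echo reply, id 14954, seq 1, length 64
18:33:35.498971 IP 192.168.48.1 > 8.8.4.4: ICMP echo request, id 43822, seq 1, length 64
18:33:37.787437 IP 192.168.48.1 > 8.8.4.4: ICMP echo request, id 33652, seq 1, length 64
18:33:39.306957 IP 172.30.1.66 > 8.8.4.4: ICMP echo request, id 25940, seq 1, length 64
18:33:39.333662 IP 8.8.4.4 > 172.30.1.66: ICMP echo reply, id 25940, seq 1, length 64
"""

ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+)"
)

def nat_sources(lines):
    """Map each translated source address to (requests sent, replies received).
    Replies are matched to requests by ICMP id, so a reply is credited to the
    translated address that the matching request went out with."""
    stats = defaultdict(lambda: [0, 0])
    pending = {}  # icmp id -> translated source address of the request
    for line in lines:
        m = ICMP_RE.match(line.strip())
        if not m:
            continue  # not an ICMP echo line; ignore
        ident = int(m["id"])
        if m["kind"] == "request":
            pending[ident] = m["src"]
            stats[m["src"]][0] += 1
        elif ident in pending:
            stats[pending[ident]][1] += 1
    return {src: tuple(v) for src, v in stats.items()}

def diagnose(lines):
    """Return (translated addresses in use, addresses whose requests went unanswered).
    A correctly bound outbound NAT rule uses exactly one translated address."""
    stats = nat_sources(lines)
    unanswered = sorted(s for s, (req, rep) in stats.items() if req and not rep)
    return sorted(stats), unanswered

if __name__ == "__main__":
    in_use, unanswered = diagnose(CAPTURE.splitlines())
    print("translated addresses seen:", in_use)
    print("unanswered (wrong tunnel address):", unanswered)
```

With the thread's capture this reports two translated addresses in use, of which 192.168.48.1 never got a reply; after the fix described below only the client tunnel address should appear.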

          Hello,

          @viragomann:

          > To solve it, you have to assign an interface to each, client and server (Interfaces > Assign). Then use the client's interface in the outbound NAT rule.

          Thanks, I'll try that in a minute!

          I had a feeling it might be something similar to this; it seems strange to me that it would NAT onto the wrong interface? I appreciate that there are 2 'rules' but I would expect the "interface address" rule to apply to that instance of the OpenVPN interface, rather than "all OpenVPN interfaces" as it were? I can't see a use case for this behaviour at the moment (I'm probably missing something).

          Thanks again

            RobEmery:

            Just as an update; this has fixed it. I assigned interfaces for all the different varieties of OpenVPN (dial-in, clients) and created explicit NAT rules for them, and voila it works. Thanks viragomann
