    SOLVED OpenVPN, Routing and NAT rules - Single WAN, Dual LAN
      laidback_01 last edited by

      Hello!
      I'm working as a remote employee for a smaller clinic.  They have an existing pipe which goes through a regional hospital.  To allow me access, they've given me the option of putting into place a pfSense firewall on a totally separate DSL which is also to be used for their "Guest Network".

      So, I've built pfSense as such:

      WAN is for the new DSL
      LAN goes to their internal hosp network
      OPT1 is guest.

      LAN and OPT1 are isolated from each other enough they can't 'see' each other - Since this is NOT the default router for the LAN, it's pretty easy to restrict anything outbound, and really not have to worry there.  It's also easy enough to lock down OPT1 to only talk to the DSL.  Okay, so far, so good.

      Now, I'd like to set up the OpenVPN - I used the wizard and user-level certs.  I can connect to the WAN at port 1194, that works as expected.  If I ssh to the LAN IP of the pfSense firewall, I can then ssh over to my various machines.  That's great.  However, I cannot directly connect from the laptop here which is connected via the OpenVPN connection.

      So here's my ascii art for the picture!

      Laptop (Connected via OpenVPN)                                                pfSense Firewall        Machine on the LAN side
      [VPNCLIENT]---------------------------------------------------------------->[pfSense]---[LAN]---[Linux SSH Server in LAN]

      VPN works, however the client cannot 'see' any part of LAN              pfSense can see anything in the LAN

      So, it seems like I'm missing out on a NAT rule.

      I've been working with various attempts at the Firewall/Nat/Outbound rules, but perhaps this isn't the right location?

      If this is an easy one, I'm sorry, I just haven't found the documentation yet it seems.

        laidback_01 last edited by

        One of the things I notice… no matter what changes I make to NAT - either 1:1 or Outbound, I cannot see anything but the OpenVPN network 10.0.8.0/24 in the firewall logs.  I'd expect to see something of the NAT translation eventually when it's working - is this correct, or?

          viragomann last edited by

          This depends on the role pfSense has in its LAN.

          I assume the LAN behind pfSense is entered in the "Local Network/s" box in the OpenVPN server settings, to get the route to this LAN pushed to the client.

          I also assume that pfSense isn't the default gateway for the LAN machines.
          If it isn't, you should do NAT at the LAN interface. To do so you have to add an outbound NAT rule:
          Firewall > NAT > Outbound
          It will be set to automatic rule generation which is the default. Mark "Hybrid rule generation" and hit save. Then add this rule:
          interface = LAN
          Protocol = any
          Source = <the VPN tunnel network>
          Destination = any
          Translation = Interface address

            Soyokaze last edited by

            However, I cannot directly connect from the laptop here which is connected via the OpenVPN connection.

            Because if you send a packet from the laptop to a machine in the clinic - it goes all the way to that machine, it receives it and… sends a reply. But because it doesn't know where to send it, it just throws it to its default gateway, which, of course, doesn't know where your laptop is either.
            So you have two options:

            1. raw and dumb, you should have admin privileges on the destination machine - add a route for %your vpn client assigned network% via %ip of LAN interface of pfsense%.
            2. add NAT to your OUTGOING from VPN traffic. So it would be: interface LAN, source %vpn client network%.

            Need full pfSense in a cloud? PM for details!

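To make the return-path problem described in the two replies above concrete, here is a small added model of the topology (example code written for this thread, not anything from pfSense or the posters). It does longest-prefix routing on the LAN host and applies the outbound NAT rule on the pfSense LAN side, so you can see why the first SSH packet arrives but the reply is lost, and why either fix (a static route on the host, or outbound NAT from the tunnel network to the LAN interface address) gets the reply back. The 10.0.8.0/24 tunnel network is from the thread; all other addresses are constructed placeholders.

```python
"""Toy model of the VPN -> LAN return-path problem (constructed example).

Assumed addresses (not from the thread, except 10.0.8.0/24):
  192.168.1.0/24  clinic LAN
  192.168.1.1     hospital router, the LAN hosts' real default gateway
  192.168.1.2     pfSense LAN interface address
  192.168.1.50    Linux SSH server on the LAN
  10.0.8.2        the OpenVPN client (laptop)
"""
import ipaddress

VPN_NET = ipaddress.ip_network("10.0.8.0/24")       # OpenVPN tunnel network
LAN_NET = ipaddress.ip_network("192.168.1.0/24")    # assumed clinic LAN
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
VPN_CLIENT = ipaddress.ip_address("10.0.8.2")       # assumed client address
HOSPITAL_GW = ipaddress.ip_address("192.168.1.1")   # assumed real default gateway
PFSENSE_LAN = ipaddress.ip_address("192.168.1.2")   # assumed pfSense LAN address
SSH_SERVER = ipaddress.ip_address("192.168.1.50")   # assumed LAN host


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs.

    Returns the gateway address, or None when the destination is on-link.
    Raises LookupError if nothing matches (no default route).
    """
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def host_routes(with_static_route):
    """Routing table of the LAN host; pfSense is NOT its default gateway."""
    routes = [(LAN_NET, None), (DEFAULT, HOSPITAL_GW)]
    if with_static_route:
        # Option 1 from the thread: route the tunnel net via pfSense's LAN IP
        routes.append((VPN_NET, PFSENSE_LAN))
    return routes


def outbound_nat(src, with_nat):
    """Option 2: outbound NAT on the pfSense LAN interface.

    Source = tunnel network, Destination = any, Translation = interface address.
    """
    if with_nat and src in VPN_NET:
        return PFSENSE_LAN
    return src


def ssh_round_trip(with_nat=False, with_static_route=False):
    """Return the hop the SSH server's reply is handed to, and whether it
    can reach the VPN client. Only pfSense knows the tunnel network."""
    # Forward direction: the packet always reaches the server (the client
    # got the LAN route pushed), possibly with a rewritten source address.
    src_seen_by_server = outbound_nat(VPN_CLIENT, with_nat)
    # Reply: the server consults its own routing table for that source.
    gw = next_hop(host_routes(with_static_route), src_seen_by_server)
    handed_to = src_seen_by_server if gw is None else gw
    # pfSense reverses its NAT state or routes into the tunnel; the hospital
    # router has no route to 10.0.8.0/24, so the reply is lost there.
    return str(handed_to), handed_to == PFSENSE_LAN


if __name__ == "__main__":
    for nat, route in [(False, False), (True, False), (False, True)]:
        hop, ok = ssh_round_trip(nat, route)
        print(f"nat={nat!s:5} static_route={route!s:5} reply -> {hop:12} {'OK' if ok else 'LOST'}")
```

Running it shows the reply going to the hospital router (lost) with neither fix, to pfSense's LAN address with the NAT rule, and via pfSense with the static route. As the thread notes, the real-world check is Diagnostics > Packet Capture on the LAN interface: with the NAT rule in place the captured source is the pfSense LAN address, not the 10.0.8.x client.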
              laidback_01 last edited by

              Okay, I've put in an Outbound Mapping
              Interface: LAN
              Source: 10.0.8.0/24
              SourcePort *
              Destination *
              NAT Address: LAN address
              NAT Port: *
              Static Port:  default crossed lines

              and I have two machines there.
              On one of them I put in the route from the LAN net to the VPN net, and I can shell from the LAN machine to my VPNed laptop.  So, out from LAN -> pfSense -> VPN -> VPN Client works.
              that's cool, but not quite the direction I want.

              The route does what's expected, since, like you say, the default GW is unaware of pfSense and its VPN network.

              --  Now that I have that NAT rule in place (I actually had one set up similar, only had the dest network as the LAN network), I should be seeing the NATted IP in the firewall logs, correct?  If so, that's not occurring, I'm still seeing the VPN client IP when attempting to SSH.  Does this make sense?

              thanks!

                laidback_01 last edited by

                Is there a way to turn on logging for when it translates the source IP - see the NAT process?  Or at least see if that rule is being triggered?

                  laidback_01 last edited by

                  I had to remove a couple of conflicting rules, and the single Outbound NAT worked!

                  thanks much, all is well now ;)  it's fully up and operational.

                    viragomann last edited by

                    In the firewall logs you only see the original source IP, that's the VPN client's IP.
                    You can do a packet capture (in the Diagnostics menu) on the LAN interface. There you will see the translated address.
