SOLVED OpenVPN, Routing and NAT rules - Single WAN, Dual LAN

  • Hello!
I'm working as a remote employee for a smaller clinic.  They have an existing pipe which goes through a regional hospital.  To allow me access, they've given me the option of putting into place a pfSense firewall on a totally separate DSL which is also to be used for their "Guest Network".

    So, I've built pfSense as such:

    WAN is for the new DSL
    LAN goes to their internal hosp network
    OPT1 is guest.

    LAN and OPT1 are isolated from each other enough they can't 'see' each other - Since this is NOT the default router for the LAN, it's pretty easy to restrict anything outbound, and really not have to worry there.  It's also easy enough to lock down OPT1 to only talk to the DSL.  Okay, so far, so good.

    Now, I'd like to set up the OpenVPN - I used the wizard and user-level certs.  I can connect to the WAN at port 1194, that works as expected.  If I ssh to the LAN IP of the pfSense firewall, I can then ssh over to my various machines.  That's great.  However, I cannot directly connect from the laptop here which is connected via the OpenVPN connection.

    So here's my ascii art for the picture!

    Laptop (Connected via OpenVPN)                                                pfSense Firewall        Machine on the LAN side
    [VPNCLIENT]--------------------------------------------------------------->[pfSense]--[LAN]---[Linux SSH Server in LAN]

    VPN works; however, client cannot 'see' any part of LAN              pfSense can see anything in the LAN

    So, it seems like I'm missing out on a NAT rule.

    I've been working with various attempts at the Firewall/Nat/Outbound rules, but perhaps this isn't the right location?

    If this is an easy one, I'm sorry, I just haven't found the documentation yet it seems.

  • One of the things I notice… no matter what changes I make to NAT - either 1:1 or Outbound, I cannot see anything but the OpenVPN network in the firewall logs.  I'd expect to see something of the NAT translation eventually when it's working - is this correct, or?

  • This depends on the role pfSense has in its LAN.

    I assume the LAN behind pfSense is entered in the "Local Network/s" box in the OpenVPN server settings, to get the route to this LAN pushed to the client.

    I also assume that pfSense isn't the default gateway for the LAN machines.
    If it isn't, you should do NAT on the LAN interface. To do so you have to add an outbound NAT rule:
    Firewall > NAT > Outbound
    It will be set to automatic rule generation, which is the default. Mark "Hybrid rule generation" and hit save. Then add this rule:
    Interface = LAN
    Protocol = any
    Source = <the VPN tunnel network>
    Destination = any
    Translation = Interface address

  • However, I cannot directly connect from the laptop here which is connected via the OpenVPN connection.

    Because if you send a packet from the laptop to a machine in the clinic, it goes all the way to that machine, which receives it and… sends a reply. But because it doesn't know where to send it, it just throws it to its default gateway, which, of course, doesn't know where your laptop is either.
    So you have two options:

    1. Raw and dumb, you should have admin privileges on the destination machine - add a route for %your vpn client assigned network% via %ip of LAN interface of pfsense%.
    2. Add NAT to your OUTGOING-from-VPN traffic. So it would be: interface LAN, source %vpn client network%.
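To make the two options above concrete, here is an added example (not from the thread or from pfSense) that models the reply path of the SSH server with plain routing tables. All addresses are constructed: the VPN client sits on 10.8.0.0/24, the clinic LAN is 192.168.1.0/24, pfSense is at .254 and the hospital router at .1 is the LAN's real default gateway.

```python
import ipaddress

# Constructed addresses (not from the thread): the tunnel network, the clinic LAN,
# pfSense's LAN address, the hospital router that is the LAN's real default
# gateway, and the VPN client's tunnel address.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
PFSENSE_LAN = ipaddress.ip_address("192.168.1.254")
HOSPITAL_GW = ipaddress.ip_address("192.168.1.1")
CLIENT = ipaddress.ip_address("10.8.0.2")

# Routing tables as (network, next hop). "direct" = deliver on the local segment.
SERVER_ROUTES = [(LAN_NET, "direct"), (DEFAULT, HOSPITAL_GW)]
HOSPITAL_ROUTES = [(LAN_NET, "direct"), (DEFAULT, "upstream")]  # no route to VPN_NET
PFSENSE_ROUTES = [(LAN_NET, "direct"), (VPN_NET, "tunnel")]
TABLES = {"server": SERVER_ROUTES, "hospital_gw": HOSPITAL_ROUTES, "pfsense": PFSENSE_ROUTES}
LAN_HOSTS = {PFSENSE_LAN: "pfsense", HOSPITAL_GW: "hospital_gw"}

def next_hop(routes, dst):
    """Longest-prefix match over a routing table."""
    matches = [(net, hop) for net, hop in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace_reply(server_routes, nat_on_lan):
    """Follow the SSH server's reply to the VPN client hop by hop.

    nat_on_lan=True models the thread's outbound NAT rule (interface LAN,
    source = tunnel network, translation = interface address): the server saw
    the connection come from pfSense's LAN address, so it replies there.
    """
    dst = PFSENSE_LAN if nat_on_lan else CLIENT
    tables = dict(TABLES, server=server_routes)
    node, path = "server", ["server"]
    while node != "pfsense":
        hop = next_hop(tables[node], dst)
        if hop == "upstream":  # the hospital router sends it out of the building
            return path + ["upstream: lost"]
        target = dst if hop == "direct" else hop  # either way, a host on the LAN
        node = LAN_HOSTS[target]
        path.append(node)
    # pfSense reverses the translation (or simply routes VPN_NET) down the tunnel.
    return path + ["client"]

if __name__ == "__main__":
    # Option 1 from the thread: a static route on the server pointing VPN_NET at pfSense.
    routed = [(VPN_NET, PFSENSE_LAN)] + SERVER_ROUTES
    print("no NAT, default route only :", trace_reply(SERVER_ROUTES, False))
    print("no NAT, static route added :", trace_reply(routed, False))
    print("outbound NAT on LAN        :", trace_reply(SERVER_ROUTES, True))
```

The first trace ends at the hospital router, which is exactly the silent failure described above; both the static route (option 1) and the outbound NAT on LAN (option 2) bring the reply back to pfSense.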

  • Okay, I've put in an Outbound Mapping
    Interface: LAN
    SourcePort *
    Destination *
    NAT Address: LAN address
    NAT Port: *
    Static Port:  default crossed lines

    and I have two machines there.
    On one of them I put in the route from the LAN net to the VPN net, and I can shell from the LAN machine to my VPNed laptop.  So, out from LAN -> pfSense -> VPN -> VPN Client works.
    That's cool, but not quite the direction I want.

    The route does what's expected, since, like you say, the default GW is unaware of pfSense and its VPN network.

    --  Now that I have that NAT rule in place (I actually had one set up similar, only had the dest network as the LAN network), I should be seeing the NATted IP in the firewall logs, correct?  If so, that's not occurring, I'm still seeing the VPN client IP when attempting to SSH.  Does this make sense?


  • Is there a way to turn on logging for when it translates the source IP - see the NAT process?  Or at least see if that rule is being triggered?

  • I had to remove a couple conflicting rules, and the single Outbound NAT worked!

    Thanks much, all is well now ;)  It's fully up and operational.

  • In the firewall logs you only see the original source IP, that's the VPN client's IP.
    You can do a packet capture (in the Diagnostics menu) on the LAN interface. There you will see the translated address.
