    Packet Source address is altered when leaving to networks outside the vpn router

    spyshagg

      In this example I have one local network with one pfSense OpenVPN server, one local pfSense VLAN routing server, one remote client, one local Samba server.

      OpenVPN server (10.30.41.1)  -> remote client (10.100.0.102)
      Local router (many ips) -> Local samba (192.168.0.79)

      In order to have communication between the remote client and local samba server, I have created static routes in both servers pointing to each other.  It all works well.

      However, I have other local Samba servers that are protected by specific pfSense firewall rules (authorization by IP address). If the source IP is not in the authorized Alias list, it won't allow access to that server.

      Despite having the remote client IP (10.100.0.102) in the authorized Alias of the local router, the remote client cannot connect to these protected servers. I went to check the states and I figured out why:

      Local server states:

      OpenVPN server states:

      It seems that once the packet leaves the OpenVPN server, it does not carry the original source IP address, and my firewall rules block it.
      I cannot simply open access to all of the 10.30.41.1 connections, because there will be many remote clients who should not connect to these resources.

      How do I bypass this issue?

      thank you

        viragomann

        So your samba server is connected to the WAN interfaces???

        pfSense does source NAT by default on the WAN interface. If you want to use pfSense in a router-only mode you may deactivate Outbound NAT.

          Derelict LAYER 8 Netgate

          Yeah that's outbound NAT on WAN. Most people don't have SMB servers out WAN.

          You can go into hybrid outbound NAT there and make a DO NOT NAT outbound NAT rule for the OpenVPN source network that contains 10.100.0.102.

          The Samba server will have to know to route that network back to pfSense WAN though.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            spyshagg
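To make the two replies concrete, here is an added model (not code from the thread or from pfSense) of what the OpenVPN server's outbound NAT does to the source address before the local router's alias check sees it. It assumes 10.100.0.0/24 is the OpenVPN tunnel network and 192.168.0.0/24 the Samba subnet, and it simplifies pfSense's automatic outbound NAT to "everything leaving WAN gets the WAN address".

```python
import ipaddress

# Addresses taken from the thread; the /24 masks are assumptions.
WAN_ADDR = "10.30.41.1"                                   # OpenVPN server's WAN address
OPENVPN_NET = ipaddress.ip_network("10.100.0.0/24")       # tunnel net holding 10.100.0.102
SAMBA_NET = ipaddress.ip_network("192.168.0.0/24")        # protected servers behind local router
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed alias on the local router: only these sources may reach protected servers.
AUTHORIZED_ALIAS = {ipaddress.ip_address("10.100.0.102"),
                    ipaddress.ip_address("192.168.0.50")}

# Outbound NAT rules as (source net, destination net, translate-to); first match wins,
# exactly like pf. translate-to None is pfSense's hybrid-mode "Do not NAT" rule,
# roughly "no nat on $wan from 10.100.0.0/24 to 192.168.0.0/24" in pf.conf terms.
AUTO_NAT = [(ANY, ANY, WAN_ADDR)]                         # simplified default behaviour
HYBRID_NAT = [(OPENVPN_NET, SAMBA_NET, None)] + AUTO_NAT  # manual rule evaluated first


def outbound_nat(src, dst, rules):
    """Return the source address the packet carries after leaving WAN."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, target in rules:
        if src_ip in src_net and dst_ip in dst_net:
            return str(src_ip) if target is None else target
    return str(src_ip)


def reaches_protected_server(client, server, rules):
    """Apply NAT, then the local router's alias check on the address it actually sees."""
    seen = outbound_nat(client, server, rules)
    return ipaddress.ip_address(seen) in AUTHORIZED_ALIAS


if __name__ == "__main__":
    for label, rules in (("automatic NAT", AUTO_NAT), ("hybrid with no-NAT", HYBRID_NAT)):
        seen = outbound_nat("10.100.0.102", "192.168.0.79", rules)
        print(f"{label}: router sees {seen}, allowed={seen in map(str, AUTHORIZED_ALIAS)}")
```

With the no-NAT rule in place the alias still filters per client, so other tunnel clients (say 10.100.0.50) are rejected rather than hidden behind 10.30.41.1; the Samba server must then have a route for 10.100.0.0/24 back to the OpenVPN server's WAN, as Derelict notes.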

            you guys were spot on!

            much appreciated !
