Packet Source address is altered when leaving to networks outside the vpn router
-
In this example I have one local network with one Pfsense openvpn server, one local pfsense vlan routing server, one remote client, one local samba server.
OpenVPN server (10.30.41.1) -> remote client (10.100.0.102)
Local router (many ips) -> Local samba (192.168.0.79)In order to have communication between the remote client and local samba server, I have created static routes in both servers pointing to each other. It all works well.
However, I have other local samba servers that are protected by specific pfsense firewall rules (authorization by ip address). If the source ip is not in the authorized Alias list, it wont allow access to that server.
Despite having the remote client IP (10.100.0.102) in the authorized Alias of Local router, the remote client cannot connect to these protected servers. I went to check the states and I figured why:
Local server states:
OpenVPN server states:
It seems that once the packet leaves OpenVPN server, it does not carry the original source IP address, and my firewall rules block it.
I cannot simply open access to all of the 10.30.41.1 connections, because there will be many remote clients who should not connect to these resources.How do I bypass this issue?
thank you
-
So your samba server is connected to the WAN interfaces???
pfSense do source-NAT by default on WAN interface. If you want to use pfSense in a router-only mode you may deactivate Outbound NAT.
-
Yeah that's outbound NAT on WAN. Most people don't have SMB servers out WAN.
You can go into hybrid outbound NAT there and make a DO NOT NAT outbound NAT rule for the OpenVPN source network that contains 10.100.0.102.
The Samba server will have to know to route that network back to pfSense WAN though.
-
you guys were spot on!
much appreciated !