OpenVPN between a double-NATed LAN and a routed DMZ subnet.



  • Hi All!
    On one side is a pfSense box (A) with a public static IP. Behind it, two routed DMZ subnets (a /26 block and a /28 block of public statics) and a NAT'ed LAN.
    Example interfaces:
    WAN: 12.00.0.102/30  GW:101
    DMZ1: 12.11.0.145/28
    DMZ2: 12.22.0.129/26
    LAN: 10.33.0.1/24

    On the other end is a pfSense box (B) behind NAT.  The third-world country ISP provides only 192.168.x.x via DHCP to my office.
    WAN: 192.168.100.1/24
    LAN: 192.168.0.1/24

    I need a VPN between my 12.33.0.129/26 DMZ block and the 192.168.0.0/24 LAN behind the double-NAT.
    With what I've done so far, I can:

    • Ping the DMZ2's gateway IP (12.22.0.129 on pfSense A) and the server (12.22.0.130) from a PC at 192.168.0.35 behind pfSense B

    • Ping the gateway (192.168.0.1) of pfSense B and arbitrary IPs in that subnet from the server 12.22.0.130

• Load the pfSense login page on pfSense A from a PC at 192.168.0.35 behind pfSense B

    All of this is only possible after I restart OpenVPN on both sides and reset states.
    However, I can't load a webpage hosted by the server at 12.22.0.130 behind pfSense A on the PC at 192.168.0.35 behind pfSense B.
I see nothing relevant being blocked by the firewall.  I'm starting to think there's a NAT issue, since the DMZs needed "no NAT" routes to the local LAN.
    Any additional ideas would be appreciated!



• If the VPN between the two sites is up, the NAT does not matter.
    Maybe you have some kind of routing issue.

    Post your OpenVPN setup from server and client and the IPv4 Routes of both sites.
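For reference, this is what a routed (tun) site-to-site OpenVPN setup for the two subnets named in the thread looks like when expressed as plain OpenVPN directives, covering both the topology in the first post and the routing check the reply asks for. It is an added example, not configuration posted by either participant, and pfSense generates the equivalent from its GUI ("IPv4 Local network(s)" and "IPv4 Remote network(s)" fields) rather than from hand-written files. The tunnel network 10.8.0.0/24, the port, the certificate name "siteB" and the placeholder public IP are assumptions; the LAN and DMZ2 prefixes come from the thread (the /26 whose interface address is 12.22.0.129 has network address 12.22.0.128).

```conf
# ---- pfSense A (public static IP): OpenVPN server side ----
# Added example; values marked "assumed" are not from the thread.
dev tun
proto udp
port 1194                              # assumed
server 10.8.0.0 255.255.255.0          # tunnel network, assumed

# Server kernel route: the remote LAN behind pfSense B lives in the tunnel.
# Without this, replies from 12.22.0.130 to 192.168.0.x leave via WAN instead.
route 192.168.0.0 255.255.255.0

# Tell the client which local network it can reach through the tunnel:
# the DMZ2 block 12.22.0.128/26 (interface 12.22.0.129 in the thread).
push "route 12.22.0.128 255.255.255.192"

# Per-client routing: OpenVPN itself must also know which connected client
# owns 192.168.0.0/24, otherwise the kernel route above has nowhere to go.
client-config-dir ccd
# ---- file ccd/siteB (name = client certificate CN, assumed "siteB") ----
# iroute 192.168.0.0 255.255.255.0

# ---- pfSense B (behind double NAT): OpenVPN client side ----
client
dev tun
proto udp
remote <public-IP-of-pfSense-A> 1194   # placeholder, fill in the real WAN address
nobind                                 # client needs no fixed local port behind NAT
# Optional: same effect as the pushed route above, in case push is disabled.
route 12.22.0.128 255.255.255.192
```

Two things to check against the routing tables the reply asks for: after the tunnel is up, pfSense A's table must show 192.168.0.0/24 via the tun interface and pfSense B's table must show 12.22.0.128/26 via the tun interface; and every host in DMZ2 (for example 12.22.0.130) must use pfSense A's DMZ2 address 12.22.0.129 as its gateway for 192.168.0.0/24 (normally its default gateway), since a host that replies through another path never sends its packets into the tunnel. Traffic entering the tunnel on either side should be excluded from outbound NAT, matching the "no NAT" handling the first post mentions.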

