Netgate Discussion Forum

    NAT to VPN Local Address

    11 Posts 2 Posters 1.5k Views
    • R
      rgomez
      last edited by

      Hi Guys,

      I'm trying to set up NAT to an address reachable through OpenVPN.

      Site A is the VPN server and has Public IP 1.1.1.1, network 192.168.5.0/24 and Site B is VPN Client and public IP 2.2.2.2, network 192.168.10.0/24.

      Goal is to have NAT Rule at Site A to 192.168.10.33 in site B.

      Everything in the VPN environment works. Both sites can communicate with each other, and I've already done the outbound NAT on Site B related to that IP, so 192.168.10.33 reaches the Internet through Site A.

      On Site A I've created a simple rule, NAT port 80 from WAN Address to 192.168.10.33.

      I've tried creating outbound NAT on Site B also but I guess it was not correct.

      What am I missing?

      Thanks in advance

      • V
        viragomann
        last edited by

        @rgomez:

        Both sites can communicate with each other, and I've already done the outbound NAT on Site B related to that IP, so 192.168.10.33 reaches the Internet through Site B.

        192.168.10.33 is on site B. Which Outbound rules?

        Will you route all upstream traffic from 192.168.10.33 over the vpn to access the internet over site A?

        • R
          rgomez
          last edited by

          Yes that was a mistake, the Site B 192.168.10.33 is routed to the Internet on site A over VPN.

          Outbound rules are created on Site B to allow such communication from an alias containing 192.168.10.33, and it works as expected: 192.168.10.33 has a public IP from the WAN on Site A, and the other 192.168.0.x hosts have Internet from Site B.

          Site A has only the PortForward NAT rule and respective Firewall rule also.

          • V
            viragomann
            last edited by

            Have you set up a site-to-site OpenVPN server and have you assigned an interface to both the server and the client?

            • R
              rgomez
              last edited by

              Yes, that is done correctly (I guess), because the host on Site B is reaching the Internet through Site A.

              • V
                viragomann
                last edited by

                You should know this, because this could solve your issue.

                Anyway, you can also get it to work if you add an outbound NAT rule to site A's OpenVPN interface translating source addresses to the interface address.
                But with this rule, the source IPs are masqueraded and the destination host cannot see the real source address.

                Also you have to ensure that upstream packets from 192.168.10.33 are translated to the WAN address on Site A. So you will also have to add an additional rule for WAN if it's not done automatically by pfSense.
                The outbound NAT rule for OpenVPN you've added to Site B is unnecessary.

                • R
                  rgomez
                  last edited by

                  @viragomann:

                  You should know this, because this could solve your issue.

                  Anyway, you can also get it to work if you add an outbound NAT rule to site A's OpenVPN interface translating source addresses to the interface address.
                  But with this rule, the source IPs are masqueraded and the destination host cannot see the real source address.

                  Also you have to ensure that upstream packets from 192.168.10.33 are translated to the WAN address on Site A. So you will also have to add an additional rule for WAN if it's not done automatically by pfSense.
                  The outbound NAT rule for OpenVPN you've added to Site B is unnecessary.

                  Are you sure? Without a NAT rule for OpenVPN, how can I route upstream traffic from that host to Site A's WAN? If I disable it, traffic starts going out Site B's WAN instead of Site A's.

                  • V
                    viragomann
                    last edited by

                    I asked above which outbound NAT rule you exactly have.
                    I do not know of any outbound NAT rule (source NAT) that can direct traffic to another gateway. You may have a firewall rule with a GW set in place (policy routing) to direct traffic from 192.168.10.33 over the VPN.

                    • R
                      rgomez
                      last edited by

                      @viragomann:

                      I asked above which outbound NAT rule you exactly have.
                      I do not know of any outbound NAT rule (source NAT) that can direct traffic to another gateway. You may have a firewall rule with a GW set in place (policy routing) to direct traffic from 192.168.10.33 over the VPN.

                      Yes, you are correct, and I'm sorry. I have a firewall rule on Site B's LAN interface with the OPT1 GW selected. I'm so confused after trying everything I can think of.

                      I've run a few packet captures and could see the request reaching 192.168.10.33 through OPT1; the problem is that the response goes out through the WAN interface of Site B and not Site A's WAN. But if I get onto the VM and do a traceroute and also a public IP check, I get the WAN address at Site A.

                      • V
                        viragomann
                        last edited by

                        I see. But the policy routing by the filter rule handles only upstream traffic. That means connections which are established by 192.168.10.33, not responses to requests from other hosts. As far as I know, reply flows are controlled by the reply-to statements, which depend on the interface settings. That's why I've asked if you've assigned interfaces to the VPN client and server.

                        As a workaround I suggested adding an outbound NAT rule to site A's OpenVPN server interface. This would translate the packets' source addresses to the OpenVPN server's address when they are sent over the VPN. So responses from 192.168.10.33 would be addressed back to the VPN server and would be directed to the pfSense on Site B (default gateway). There the packets would be forwarded over the VPN to Site A.
                        In your case, the packets which are forwarded to 192.168.10.33 have public source addresses, so responses are sent out to the default gateway (WAN GW).

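As an added illustration of the explanation above (example code, not from the thread, pfSense or OpenVPN), a small route-lookup model of the reply path from 192.168.10.33 with and without outbound NAT on Site A's OpenVPN interface. The tunnel network 10.0.8.0/24 (server 10.0.8.1), the Site B LAN gateway 192.168.10.1, the Internet client 203.0.113.5 and the interface names are assumptions.

```python
import ipaddress

# Constructed addressing (assumptions, not from the thread): OpenVPN tunnel
# 10.0.8.0/24 with the server (Site A) at 10.0.8.1; pfSense on Site B is
# 192.168.10.1 on LAN; an Internet client at 203.0.113.5 hits the port forward.
VPN_SERVER_TUN = "10.0.8.1"
INTERNET_CLIENT = "203.0.113.5"
TARGET_HOST = "192.168.10.33"

# Route tables as (prefix, next hop or egress interface); longest prefix wins.
HOST_B_ROUTES = [("192.168.10.0/24", "direct"), ("0.0.0.0/0", "192.168.10.1")]
PFSENSE_B_ROUTES = [
    ("192.168.10.0/24", "lan"),
    ("192.168.5.0/24", "ovpnc1"),   # Site A LAN, reachable through the tunnel
    ("10.0.8.0/24", "ovpnc1"),      # the tunnel network itself
    ("0.0.0.0/0", "wan"),           # default route: Site B's own WAN
]

def lookup(routes, dst):
    """Longest-prefix match over a route list; returns the next hop/interface."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]

def source_seen_by_host(client_src, snat_on_vpn_if):
    """Site A forwards the request over the tunnel. With outbound NAT on the
    OpenVPN interface the source becomes the server's tunnel address; without
    it the host sees the client's public address unchanged."""
    return VPN_SERVER_TUN if snat_on_vpn_if else client_src

def reply_egress(snat_on_vpn_if):
    """Which interface pfSense on Site B uses for 192.168.10.33's reply."""
    reply_dst = source_seen_by_host(INTERNET_CLIENT, snat_on_vpn_if)
    # The host has no policy routing: its reply goes to its default gateway.
    assert lookup(HOST_B_ROUTES, reply_dst) == "192.168.10.1"
    # The LAN policy-routing rule only catches connections the host initiates;
    # this reply belongs to a state created by the inbound request, so without
    # reply-to it is forwarded by the plain route table.
    return lookup(PFSENSE_B_ROUTES, reply_dst)

if __name__ == "__main__":
    print("no SNAT on Site A OpenVPN interface ->", reply_egress(False))  # wan
    print("SNAT on Site A OpenVPN interface    ->", reply_egress(True))   # ovpnc1
```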
                        • R
                          rgomez
                          last edited by

                          That solves the issue.

                          But is there any way to do this with a more proper setup?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.