"Move" specific client to an interface?



  • I have 4 interfaces with the rules that I want (lan, wifi, dmz, wan). OpenVPN is sitting on a separate subnet from those 4 in a Remote Access mode. I have one piece of proprietary software on lan that just refuses to send traffic to a different subnet. I can't reconfigure it, I can't request to change it.

    From what I understand, OpenVPN has to sit on its own subnet. But I need a specific client to present itself as part of the lan subnet with the proprietary software.

    Any recommended way to achieve this?


  • Rebel Alliance Developer Netgate

    What is it about being in the same subnet that the special device requires?

    If it only cares about IP traffic, you could fudge that with a 1:1 NAT rule on LAN to map an OpenVPN user (which you'd also have to give a static mapping to), to an address on the LAN. You could even set the 1:1 NAT rule to only fire when the destination is the computer running the proprietary software.

    If it needs broadcast or multicast traffic then you're in more trouble. You'd have to set up an OpenVPN instance as a tap bridge, bridged to LAN. I wouldn't convert your existing server but set up a second one for that. You can use the same certs/auth settings to make it easier, so your client(s) could switch between modes if they wanted. Downside of that is that tap mode isn't supported by Android/iOS so the client would have to be Windows/Mac/Linux.



  • Last time I looked with wireshark, I only noticed a unicast traffic, so I'm going to try a 1:1 NAT thanks!

    My VPN client is linux, so the latter should work as well, in case I missed the broadcasts.

    Solved. Thank you!



  • @jimp:

    What is it about being in the same subnet that the special device requires?

    If it only cares about IP traffic, you could fudge that with a 1:1 NAT rule on LAN to map an OpenVPN user (which you'd also have to give a static mapping to), to an address on the LAN. You could even set the 1:1 NAT rule to only fire when the destination is the computer running the proprietary software.

    If it needs broadcast or multicast traffic then you're in more trouble. You'd have to set up an OpenVPN instance as a tap bridge, bridged to LAN. I wouldn't convert your existing server but set up a second one for that. You can use the same certs/auth settings to make it easier, so your client(s) could switch between modes if they wanted. Downside of that is that tap mode isn't supported by Android/iOS so the client would have to be Windows/Mac/Linux.

    FYI android / tap is available with this: https://play.google.com/store/apps/details?id=it.colucciweb.openvpn&hl=en

    I use it when I use android tap and configurations almost install themselves.

    That being said, your encouragement to try tun for what I was using tap for worked great and was quite easy. The tap openvpn setup is a little obscure. I found a link for it. I used this and it worked the first try: https://hardforum.com/threads/pfsense-2-0-1-openvpn-configuration-guide.1663797/



  • @Hexorg:

    I have 4 interfaces with the rules that I want (lan, wifi, dmz, wan). OpenVPN is sitting on a separate subnet from those 4 in a Remote Access mode. I have one piece of proprietary software on lan that just refuses to send traffic to a different subnet. I can't reconfigure it, I can't request to change it.

    From what I understand, OpenVPN has to sit on its own subnet. But I need a specific client to present itself as part of the lan subnet with the proprietary software.

    Any recommended way to achieve this?

    openvpn on its own subnet …

    The world is a big place and everyone is different, but I don't understand the need or desire for this.

    OpenVPN is a tool for secure remote access. By implication, you need to access something. Generally files and / or internet pass-through are the goals. To do this well, you need to be on the same subnet or have port forwards thought out. OpenVPN should be as close to the internet as possible, given your needs.

    Otherwise, you need a port forward from the internet to openvpn, and then configure as you see fit and can make work.



  • I've encountered the same problem as the OP - with a Netgear R7000 (10.0.1.127) acting as an AP.  It's using stock Netgear firmware.  It refuses to be managed from any IP address outside the LAN (10.0.1.0/24), making it inaccessible from a remote access OpenVPN connection (172.23.23.6 in this case).

    @jimp:

    If it only cares about IP traffic, you could fudge that with a 1:1 NAT rule on LAN to map an OpenVPN user (which you'd also have to give a static mapping to), to an address on the LAN. You could even set the 1:1 NAT rule to only fire when the destination is the computer running the proprietary software.

    Would you mind expanding on this "fudge" please, jimp (or anyone else)? I've read the NAT section of the book and tried various configurations but I'm still confused and cannot make this work. I'm still using 2.3.2_P1 on the target pfSense at the moment.


  • Rebel Alliance Developer Netgate

    @biggsy:

    Would you mind expanding on this "fudge" please, jimp (or anyone else)? I've read the NAT section of the book and tried various configurations but I'm still confused and cannot make this work. I'm still using 2.3.2_P1 on the target pfSense at the moment.

    The goal in that case is to hide the source of the OpenVPN client traffic, making it appear as though it originates on the LAN. That can be done several ways. The simplest way is to change to Hybrid outbound NAT, add a rule with settings like so:

    • Interface: LAN (or whatever your local interface is called)
    • Protocol: any
    • Source: <your openvpn tunnel network>
    • Destination: <your cranky ap>
    • Translation / Address: Interface Address

    Then any time you try to reach the AP from OpenVPN, it will appear to come from the firewall's IP address in the same subnet.

    For more complicated protocols than HTTP/HTTPS you might want 1:1 NAT so it doesn't need to do port translation, but that also requires adding some VIPs on LAN and is more config/overhead that most things don't need.
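
The two approaches jimp describes above (the scoped outbound NAT rule, and the 1:1 NAT with a LAN virtual IP) in the FreeBSD/pfSense pf.conf dialect that the GUI generates. This is an added example for this page, not configuration posted by anyone in the thread. The addresses are the ones biggsy gave (LAN 10.0.1.0/24, AP at 10.0.1.127, OpenVPN client 172.23.23.6, so tunnel network 172.23.23.0/24); the interface names em1 and ovpns1, the firewall LAN address 10.0.1.1 and the spare virtual IP 10.0.1.200 are assumptions for illustration only.

```pf
# Added example (not from the thread): pf.conf equivalent of the pfSense NAT
# rules discussed above, FreeBSD pf syntax (separate nat/binat rules, as on
# pfSense 2.3.x).
# Assumed, not stated in the thread: LAN interface em1, firewall LAN address
# 10.0.1.1, OpenVPN server interface ovpns1, spare LAN address 10.0.1.200.
lan_if      = "em1"
lan_ip      = "10.0.1.1"
ovpn_if     = "ovpns1"
ovpn_net    = "172.23.23.0/24"
ovpn_client = "172.23.23.6"
cranky_ap   = "10.0.1.127"
vip         = "10.0.1.200"

# Option 1: hybrid outbound NAT, scoped to the one destination that cares.
# Only tunnel traffic headed for the AP is rewritten to the firewall's own
# LAN address (with port translation); everything else from the tunnel keeps
# its real 172.23.23.x source, so LAN firewall rules and logs still identify
# individual VPN clients.
nat on $lan_if inet from $ovpn_net to $cranky_ap -> $lan_ip port 1024:65535

# Option 2: 1:1 NAT (binat) for protocols that break under port translation.
# Requires a fixed tunnel address for the client (pfSense: Client Specific
# Override) and a Virtual IP on LAN so the firewall answers ARP for $vip,
# e.g. on FreeBSD:  ifconfig em1 inet 10.0.1.200 netmask 255.255.255.255 alias
# Also limited to the cranky AP as destination.
binat on $lan_if inet from $ovpn_client to $cranky_ap -> $vip

# NAT does not bypass filtering: the OpenVPN interface still needs a pass
# rule that lets the client reach the AP's management ports.
pass in quick on $ovpn_if inet proto tcp from $ovpn_net to $cranky_ap port { 80 443 }
```

To confirm the rule is loaded and firing, `pfctl -sn` lists the active NAT rules and `pfctl -ss | grep 10.0.1.127` shows the state entry with the translated source while a connection to the AP is open. Two caveats a practitioner should keep in mind: because the AP now sees the firewall's address, its own access logs can no longer distinguish VPN clients, so the firewall's state table and logs become the only place to attribute that traffic; and keeping the rule scoped to the single destination (rather than NATing all tunnel traffic onto LAN) preserves per-client visibility for every other LAN host.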



  • Many thanks, jimp.  That works perfectly.  ;D

