Netgate Discussion Forum

[SOLVED] VPN routing

Routing and Multi WAN
maverick_slo:

      Hi all!

I'm gonna post this here and not in OpenVPN as it feels more like a routing issue.

      So here is the thing.
We have a Cisco firewall and behind this firewall is my pfSense with OpenVPN.

It has 1 NIC and it's connected to the Cisco.
      I configured my OpenVPN and basically everything works just fine.

But VPN clients are seen on the network as the WAN NIC IP of my pfSense.
So the web server sees a connection from the pfSense WAN, but I would like to actually see the real client IP. I disabled outgoing NAT, but when I do this, the client can't browse at all.
BUT it CAN ping the server and the server CAN ping the client. HTTP, for example, doesn't work.

      Any ideas?

      Thanks!

viragomann:

        I presume it is an OpenVPN access server.

If the devices you want to access from a VPN client are in the pfSense WAN network, the only way to solve it is to add a static route for the VPN tunnel network on each individual device, pointing to pfSense.

A better solution would be to connect the pfSense WAN interface to a separate network interface of the Cisco with a separate network segment.
Then you would only have to add a static route for the VPN tunnel network on the Cisco firewall pointing to pfSense, and on pfSense you have to add static route(s) for your internal network(s) pointing to the Cisco.

maryjohnston:

Is there any VPN provider for online gaming? Because I want to play some high games on my Android mobile phone.

maverick_slo:

Yeah, OpenVPN classic access (road warrior setup) server.
WAN is plugged into the Cisco firewall network.
On the core switches and the Cisco firewall there are routes to my VPN subnet pointing to the pfSense WAN IP (which is an IP from the network attached to the Cisco).
On pfSense I have not configured any static routes, I just added the subnets to the OpenVPN server config.
Funny thing is, if I disable outbound NAT, ping and tracert work but HTTP does not, and with outbound NAT everything works, but the server on a VLAN on the core switch sees traffic from the pfSense WAN instead of the actual client.

viragomann:

              @maverick_slo said in VPN routing:

              Funny thing is if I disable outbound NAT ping and tracert work but http not

As I mentioned above, that's the problem when the VPN endpoint is in the same network segment as the destination device, but the VPN endpoint is not the default gateway.

TCP, which HTTP is based on, is a stateful protocol; ICMP (ping) is stateless.
When you try to access a device from a VPN client, the request packets go from pfSense directly to the device, while the response packets are sent to the default gateway (Cisco FW, presumably), where they should be directed to pfSense. However, your default gateway has no state for them, since it didn't see the request packet, and will drop them.
For a stateless protocol that doesn't matter.

When using outbound NAT, request packets have the source IP of pfSense, so responses are directed back to pfSense directly.

So, as already suggested, put the pfSense in a separate network segment and set up correct routing. This can also be done with a VLAN.

              1 Reply Last reply Reply Quote 0
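To make the stateful-vs-stateless argument above concrete, here is a small Python model (added here, not from the thread or from pfSense/Netgate) of the request and reply paths; the addresses are constructed assumptions, since the thread gives none. It also models the fix viragomann proposes, the pfSense WAN on its own segment, so all the combinations discussed can be compared.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (an assumption; the thread gives no addresses).
VPN_CLIENT = ipaddress.ip_address("10.8.0.2")               # OpenVPN tunnel address
SERVER_LAN = ipaddress.ip_network("192.168.1.0/24")         # server segment, Cisco is its gateway
SERVER = ipaddress.ip_address("192.168.1.50")               # the web server
PFSENSE_WAN_SHARED = ipaddress.ip_address("192.168.1.2")    # pfSense WAN in the server segment
PFSENSE_WAN_SEPARATE = ipaddress.ip_address("192.168.2.2")  # pfSense WAN on its own segment

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str          # "tcp" or "icmp"
    syn: bool = False   # a TCP SYN opens a flow; ICMP echo is passed statelessly

class StatefulFirewall:
    """Minimal model of the Cisco: a TCP flow must be seen from its SYN onward."""
    def __init__(self) -> None:
        self.flows = set()

    def forward(self, pkt: Packet) -> bool:
        if pkt.proto == "icmp":
            return True                   # ping is not tracked in this model
        flow = frozenset((pkt.src, pkt.dst))
        if pkt.syn:
            self.flows.add(flow)
            return True
        return flow in self.flows         # a reply for an unknown flow is dropped

def deliver(proto: str, outbound_nat: bool, separate_segment: bool) -> bool:
    """True if the server's reply gets back to pfSense (and so to the VPN client)."""
    cisco = StatefulFirewall()
    pfsense_wan = PFSENSE_WAN_SEPARATE if separate_segment else PFSENSE_WAN_SHARED
    src = pfsense_wan if outbound_nat else VPN_CLIENT
    request = Packet(src, SERVER, proto, syn=(proto == "tcp"))
    # Request path: pfSense delivers directly when the server is on its own
    # segment, otherwise via its default gateway, the Cisco, which records the flow.
    if pfsense_wan not in SERVER_LAN and not cisco.forward(request):
        return False
    reply = Packet(SERVER, src, proto)
    # Reply path: an on-link destination is reached directly; anything else goes
    # to the server's default gateway (the Cisco), which routes it on to pfSense.
    if reply.dst in SERVER_LAN:
        return True
    return cisco.forward(reply)
```

Calling `deliver("tcp", False, False)` reproduces the thread's symptom (HTTP fails without NAT), while `deliver("icmp", False, False)`, `deliver("tcp", True, False)` and `deliver("tcp", False, True)` all succeed.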
maverick_slo:

Hmm.
pfSense IS on a separate network on the ASA.
Routing works; actually everything works except the little thing I mentioned.

On a server on a different VLAN all requests are coming from the pfSense WAN.
So how do I make them come from the OpenVPN client instead?

viragomann:

                  Turn off the outbound NAT on pfSense.

Consider that for routing VPN responses back you need a static route for the VPN tunnel network on your ASA.

maverick_slo:

Well, if I turn off outbound NAT things stop working.

I have a route on the ASA to route my tunnel network to the pfSense WAN IP.

viragomann:

                      If that's the case, the route won't work.

                      Try a traceroute from the device you tried to access.

maverick_slo:

Tracert is OK.
Tried it both ways, both ways OK.

viragomann:

                          If the routes are OK there is no need for the outbound NAT.

Sorry, no more ideas as long as I don't get more info, like the tunnel network, a network map, detailed routes, and a packet capture of an access attempt from a VPN client.

maverick_slo:

Thanks, will check tomorrow with our FW guys, as I don't see errors in my config...

maverick_slo:

Closure:
I had it configured correctly.
So: correct FW rules and outbound NAT (SNAT) disabled.
The problem was on the Cisco router, where the network guys forgot to allow my traffic (even when they say they did, well, double-check) :)

netdomon2:

I have the same problem, thanks.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.