Netgate Discussion Forum

    1:1 NAT with dynamic OpenVPN External subnet IP

    General pfSense Questions
    10 Posts 2 Posters 1.5k Views

      piperfect

      I have an OpenVPN client on pfSense. How do I keep a 1:1 NAT with a dynamic OpenVPN External subnet IP?

      For example, let's say I have a VPN service for remote network testing purposes and I want to use the VPN service on one node of my network. My current setup requires me to change the External subnet IP in the 1:1 NAT web GUI every time the service's IP changes. How do I fix this?

        Derelict (LAYER 8 Netgate)

        Sounds like you're going about it all wrong. 1:1 NAT (along with outbound NAT) makes zero decisions about what traffic flows where. It only determines what NAT happens when matching traffic flows in or out of an interface (or just out, in the case of outbound NAT).

        Search for the countless (and I mean countless) threads about policy routing out a VPN provider with Outbound NAT.

        You don't use 1:1 NAT. You use policy routing and outbound NAT on the assigned interface to the interface address. In your case you would limit the policy routing to a single test node's address.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          piperfect @Derelict

          @derelict
          How would I map one internal IP to one OpenVPN External subnet IP?

          I have the outbound in place and the firewall rules set for the internal interface to hit the OpenVPN interface, but how do I make it so that everything hitting the OpenVPN External subnet IP hits the specified internal IP?

            Derelict (LAYER 8 Netgate)

            How many OpenVPN IP addresses do you have?

              piperfect

              One

                Derelict (LAYER 8 Netgate)

                And that is configured to accept inbound connections on any port? Note the difference between inbound connections and reply traffic for outbound connections.

                  piperfect

                  Yes *

                    Derelict (LAYER 8 Netgate), last edited by Derelict

                    As far as I know you cannot 1:1 NAT on a dynamic address.

                    You might be able to get what you need by port forwarding entire swaths of ports on the interface address instead.

                    [screenshot: Screen Shot 2018-08-21 at 11.04.09 PM.png]

                    I have not tested that. Not exactly sure if there are any adverse effects or gotchas.

                      piperfect

                      I will try it again. I am fairly sure that is what I did at first without luck.

                        piperfect

                        That works! I had tried it that way previously, a few years ago, without luck.
                        It now seems to work.
                        Thank you!

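The approach Derelict describes above (policy routing plus outbound NAT to the interface address, and port forwards to the interface address instead of 1:1 NAT) written out as the equivalent pf rules. This is an added illustration, not from the thread and not pfSense's generated ruleset, which the web GUI builds for you; the interface name ovpnc1, the test node 192.168.1.50 and the tunnel gateway 10.8.0.1 are assumed placeholders.

```pf
# Added illustration (not pfSense's generated ruleset): the thread's fix in
# pf syntax. Assumed placeholders: ovpnc1 = the assigned OpenVPN client
# interface, 192.168.1.50 = the single test node, 10.8.0.1 = tunnel gateway.
ovpn    = "ovpnc1"
lan     = "lan"
node    = "192.168.1.50"
ovpn_gw = "10.8.0.1"

# What does NOT survive a dynamic tunnel address: 1:1 NAT (binat) needs a
# fixed external address, so it breaks as soon as the provider assigns a
# new one. Shown commented out for contrast only.
# binat on $ovpn from $node to any -> 203.0.113.10

# Outbound NAT to the interface address. The parentheses tell pf to re-read
# the address of $ovpn whenever it changes, so the rule follows a new lease.
nat on $ovpn from $node to any -> ($ovpn)

# Port forward of the whole port range on the (dynamic) interface address to
# the node, the "entire swaths of ports" idea from the thread. Narrow the
# range to the ports the node actually serves where you can.
rdr on $ovpn inet proto { tcp udp } from any to ($ovpn) port 1:65535 -> $node

# Policy routing: only the test node's outbound traffic is sent into the
# tunnel; nothing else on the LAN is affected.
pass in quick on $lan route-to ($ovpn $ovpn_gw) from $node to any keep state

# Let the forwarded inbound connections reach the node. pf applies rdr before
# filtering, so the filter sees the already-translated destination; reply-to
# sends the replies back out the tunnel they arrived on.
pass in quick on $ovpn reply-to ($ovpn $ovpn_gw) from any to $node keep state
```
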
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.