1:1 NAT with dynamic OpenVPN External subnet IP

General pfSense Questions
piperfect:

I have an OpenVPN client on pfSense. How do I keep a 1:1 NAT with a dynamic OpenVPN External subnet IP?

For example, let's say I have a VPN service for remote network testing purposes and I want to use the VPN service on one node of my network. My current setup requires me to change the External subnet IP in the 1:1 NAT web GUI every time the service's IP changes. How do I fix this?

Derelict (LAYER 8, Netgate):

Sounds like you're going about it all wrong. 1:1 NAT (along with outbound NAT) makes zero decisions about what traffic flows where. They only determine what NAT happens when matching traffic flows in or out of (or just out of, in the case of outbound NAT) an interface.

Search for the countless (and I mean countless) threads about policy routing out a VPN provider with Outbound NAT.

You don't use 1:1 NAT. You use policy routing and outbound NAT on the assigned interface to the interface address. In your case you would limit the policy routing to a single test node's address.

piperfect (replying to Derelict):

@derelict
How would I map one internal IP to one OpenVPN External subnet IP?

I have the outbound in place and the firewall rules set for the internal interface to hit the OpenVPN interface, but how do I make it so that everything hitting the OpenVPN External subnet IP hits the specified internal IP?

Derelict (LAYER 8, Netgate):

How many OpenVPN IP addresses do you have?

piperfect:

One

Derelict (LAYER 8, Netgate):

And that is configured to accept inbound connections on any port? Note the difference between inbound connections and reply traffic for outbound connections.

piperfect:

Yes *

Derelict (LAYER 8, Netgate):

As far as I know you cannot 1:1 NAT on a dynamic address.

You might be able to get what you need by port forwarding entire swaths of ports on the interface address instead.

[Attached screenshot: Screen Shot 2018-08-21 at 11.04.09 PM.png]

I have not tested that. Not exactly sure if there are any adverse effects or gotchas.

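The two pieces of advice in the thread (policy routing plus outbound NAT on the VPN interface address, and a port forward covering a whole port range on that same address) both rely on pf evaluating the interface address at rule-match time rather than at load time. The pf.conf fragment below is an added example of what those settings amount to underneath pfSense's GUI; it is not from the thread and not pfSense's own generated ruleset. It assumes pfSense's usual name for the first OpenVPN client interface, ovpnc1, a LAN on em1, a test node at 192.168.1.50, and a placeholder VPN_GATEWAY_IP for the OpenVPN peer address, all of which are assumptions here.

```pf
# Added example (pf.conf fragment), not from the thread or from pfSense's generated rules.
# Assumed names: "ovpnc1" = first OpenVPN client interface, "em1" = LAN,
# 192.168.1.50 = the single test node, VPN_GATEWAY_IP = placeholder for the OpenVPN peer.
# Writing an interface name in parentheses, e.g. ($vpn_if), makes pf re-read the
# interface's current address every time the rule is evaluated, which is why these
# rules keep working when the VPN-assigned address changes.

lan_if    = "em1"
vpn_if    = "ovpnc1"
test_node = "192.168.1.50"

# Outbound NAT: traffic the test node sends out via the VPN is sourced from the
# VPN interface's current address (the "outbound NAT to the interface address" step).
nat on $vpn_if from $test_node to any -> ($vpn_if)

# Port forward: every TCP/UDP connection arriving at the VPN interface address is
# redirected to the test node. This is the "port forward entire swaths of ports"
# approach; once it works, narrow 1:65535 to the ports the test really needs, since
# this range exposes every listening service on the test node to the VPN side.
rdr on $vpn_if inet proto { tcp udp } from any to ($vpn_if) port 1:65535 -> $test_node

# Policy routing: only the test node's traffic leaving the LAN is forced out via the
# VPN gateway; route-to overrides the routing table for matching packets only, so
# the rest of the LAN keeps using the default gateway.
pass in quick on $lan_if route-to ($vpn_if VPN_GATEWAY_IP) inet from $test_node to ! $lan_if:network
pass in on $lan_if inet from $lan_if:network to any

# Filter rule for the forwarded connections. rdr translates before filtering, so the
# rule matches on the already-translated destination (the test node), not the VPN
# address. Replies to the test node's own outbound connections need no extra rule;
# the state created by the route-to rule above handles them.
pass in on $vpn_if inet proto { tcp udp } from any to $test_node
```

In the pfSense GUI the same four pieces are: an outbound NAT mapping on the OpenVPN client interface translating to the interface address, a port forward on that interface with the destination set to the interface address, a LAN rule for the test node's source address with the OpenVPN gateway selected, and the firewall rule the port forward creates. The difference from 1:1 NAT is that none of these rules ever contain the VPN address itself, so there is nothing to update when it changes.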
piperfect:

I will try it again. I am fairly sure that is what I did at first without luck.

piperfect:

That works! I had tried it that way previously, a few years ago, without luck.
It now seems to work.
Thank you!
