1:1 NAT with dynamic OpenVPN External subnet IP
-
I have an OpenVPN client on pfSense. How do I keep a 1:1 NAT with a dynamic OpenVPN External subnet IP?
For example, let's say I have a VPN service for remote network testing purposes and I want to use the VPN service on one node of my network. My current setup requires me to change the External subnet IP in the 1:1 NAT web GUI every time the IP of the service changes. How do I fix this?
-
Sounds like you're going about it all wrong. 1:1 NAT (along with outbound NAT) makes zero decisions about what traffic flows where. It only determines what NAT happens when matching traffic flows in or out of (or just out of, in the case of outbound NAT) an interface.
Search for the countless (and I mean countless) threads about policy routing out a VPN provider with Outbound NAT.
You don't use 1:1 NAT. You use policy routing and outbound NAT on the assigned interface to the interface address. In your case you would limit the policy routing to a single test node's address.
-
@derelict
How would I map one internal IP to one OpenVPN External subnet IP? I have the outbound NAT in place and the firewall rules set for the internal interface to hit the OpenVPN interface, but how do I make it so that everything hitting the OpenVPN External subnet IP hits the specified internal IP?
-
How many OpenVPN IP addresses do you have?
-
One
-
And that is configured to accept inbound connections on any port? Note the difference between inbound connections and reply traffic for outbound connections.
-
Yes *
-
As far as I know you cannot 1:1 NAT on a dynamic address.
You might be able to get what you need by port forwarding entire swaths of ports on the interface address instead.
I have not tested that. Not exactly sure if there are any adverse effects or gotchas.
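The approach described in this thread (policy routing plus outbound NAT to the interface address for one test node, and a port forward of the whole port range standing in for 1:1 NAT), written out as the pf rules pfSense would generate. This is an added, constructed example, not from any participant; the interface names ovpnc1 and igb1, the node address 192.168.1.50 and the OVPN_PEER_ADDRESS placeholder are assumptions.

```conf
# Constructed example, not from the thread. Assumptions: OpenVPN client
# interface is ovpnc1, LAN interface is igb1, the single test node is
# 192.168.1.50. pfSense writes these rules from the GUI settings; this shows
# the resulting pf logic and why nothing needs editing when the VPN IP changes.

# Outbound NAT (Firewall > NAT > Outbound, hybrid or manual mode):
# translate only the test node's traffic leaving the VPN interface to the
# interface's *current* address. "(ovpnc1)" in parentheses is re-evaluated
# by pf whenever the address changes, unlike a literal IP in a 1:1 entry.
nat on ovpnc1 inet from 192.168.1.50 to any -> (ovpnc1) port 1024:65535

# Port forward (Firewall > NAT > Port Forward) replacing the 1:1 NAT:
# forward the entire port range arriving at the dynamic interface address to
# the test node. Reply packets for the node's own outbound connections match
# an existing state first and never reach this rule, which is the difference
# between inbound connections and reply traffic noted above.
rdr on ovpnc1 inet proto { tcp udp } from any to (ovpnc1) port 1:65535 -> 192.168.1.50

# Associated filter rule on the VPN interface so the forwarded packets are
# actually allowed in to the node (pfSense adds this with the port forward).
pass in quick on ovpnc1 inet proto { tcp udp } from any to 192.168.1.50 port 1:65535 keep state

# Policy routing (Firewall > Rules > LAN, Gateway set to the OpenVPN gateway):
# only the test node is sent out the VPN; every other LAN host keeps the
# default route. pfSense substitutes the gateway's current peer address for
# OVPN_PEER_ADDRESS (placeholder) and regenerates the rule when it changes.
pass in quick on igb1 route-to ( ovpnc1 OVPN_PEER_ADDRESS ) inet from 192.168.1.50 to any keep state
```

With these rules the only dynamic value, the VPN interface address, is referenced indirectly, so the configuration survives address changes without a GUI edit; restricting the rdr to specific protocols or ports narrows what the node is exposed to.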
-
I will try it again. I am fairly sure that is what I did at first without luck.
-
That works! I had tried it that way previously, a few years ago, without luck.
It now seems to work.
Thank you!