Netgate Discussion Forum
OpenVPN behind main PfSense main GW/FW

vince_gw (last edited by vince_gw):

Hi,

I have to set up a VPN, which is a pfSense with OpenVPN listening on a non-standard UDP port (9194).
Here is the architecture:

[image: 0_1547721067905_General_PB.png]

This pfSense is behind the main gateway (also a pfSense) which forwards traffic (UDP port 9194) to the VPN, but only from my ISP#1 (WAN_1_FIBRE).

[image: 0_1547720884769_NAT.png]
Note: NAT reflection for this rule is set to system defaults.

However, I can't connect to the VPN server.
Actually the OpenVPN server gets the datagram (so port forwarding is OK) and replies to it, but the reply datagram is 'lost' in the main gateway.

So the VPN flow looks like this:

[image: 0_1547721366595_OpenVPN_flow.png]
Note: When I do a packet capture, the response datagram is captured on the IP_PrivA interface, but there is no corresponding flow on the IP_PubA1 interface.

But something else bothers me.
If I initiate a netcat flow from OpenVPN to IP_pubC, the datagram passes through the main gateway:

[image: 0_1547721474970_Natcat_flow.png]
Note: When I do a packet capture, the datagram is captured on the IP_PrivA interface, and the corresponding flow is also present on the IP_PubA1 interface.

I feel the problem is related to the NAT on the main gateway, but I'm not sure because of the successful netcat flow.

The settings on the main GW are:

• In System / Advanced / Firewall & NAT:
  [image: 0_1547722698346_FW2.png]
  [image: 0_1547722599603_NAT2.png]
• In Firewall / Rules / PrivA_Interface:
  [image: 0_1547723088322_FW.png]
  Note: the problem is the same if I force the ISP_#1 GW rather than the WAN_GWS group.
• In Firewall / NAT / Outbound: Automatic mode

Help would be appreciated, insanity is not far from me.

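The two-interface capture comparison the post describes (reply datagrams seen on IP_PrivA but never on IP_PubA1) can be automated. The following is an added example, not code from the thread or from pfSense: it parses tcpdump-style UDP summary lines from the inner and outer interfaces and lists outbound datagrams that never left the gateway. The capture lines, the addresses (10.0.0.10 as the OpenVPN host, 192.0.2.1 as the gateway's public address, 203.0.113.50 as the VPN client) and the LAN host set are constructed for the example.

```python
import re
from collections import Counter

# tcpdump-style UDP summary line, e.g.
# "12:00:00.000001 IP 10.0.0.10.9194 > 203.0.113.50.41000: UDP, length 66"
UDP_LINE = re.compile(r"^\S+ IP (\S+?)\.(\d+) > (\S+?)\.(\d+): UDP, length (\d+)")

# Constructed sample captures (not from the original post).
# Inner interface (IP_PrivA side): request from the client, the OpenVPN reply,
# and a separate netcat-style probe from the OpenVPN host.
INNER_CAPTURE = """\
12:00:00.000001 IP 203.0.113.50.41000 > 10.0.0.10.9194: UDP, length 54
12:00:00.000900 IP 10.0.0.10.9194 > 203.0.113.50.41000: UDP, length 66
12:00:01.000001 IP 10.0.0.10.50000 > 198.51.100.7.9999: UDP, length 10
"""
# Outer interface (IP_PubA1 side): the request arrives on the public address and
# the netcat probe leaves with its source rewritten, but no OpenVPN reply leaves.
OUTER_CAPTURE = """\
11:59:59.999000 IP 203.0.113.50.41000 > 192.0.2.1.9194: UDP, length 54
12:00:01.000500 IP 192.0.2.1.50000 > 198.51.100.7.9999: UDP, length 10
"""


def parse_udp(capture):
    """Parse UDP summary lines into dicts; lines that do not match are skipped."""
    datagrams = []
    for line in capture.splitlines():
        m = UDP_LINE.match(line)
        if m:
            src, sport, dst, dport, length = m.groups()
            datagrams.append({"src": src, "sport": int(sport), "dst": dst,
                              "dport": int(dport), "length": int(length)})
    return datagrams


def missing_egress(inner, outer, lan_hosts):
    """Return datagrams sent by a LAN host that were seen on the inner interface
    but never on the outer one. Source address and source port are ignored when
    matching because outbound NAT may rewrite them; destination, destination
    port and payload length must agree. Each outer datagram is matched once."""
    seen_outside = Counter((p["dst"], p["dport"], p["length"]) for p in outer)
    lost = []
    for p in inner:
        if p["src"] not in lan_hosts:
            continue  # inbound datagram; only outbound ones should reappear outside
        key = (p["dst"], p["dport"], p["length"])
        if seen_outside[key] > 0:
            seen_outside[key] -= 1
        else:
            lost.append(p)
    return lost
```

Running `missing_egress(parse_udp(INNER_CAPTURE), parse_udp(OUTER_CAPTURE), {"10.0.0.10"})` on the sample reports only the OpenVPN reply to 203.0.113.50:41000, which mirrors the symptom in the post: the port-forward reply is dropped while the ordinary outbound probe is translated and forwarded.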
Artichost (last edited by Artichost):

I have a problem like this too.
An OpenVPN between 2 pfSense; I can ping in both directions, but when I do a NAT from WAN to the tunnel, the traffic doesn't reach the destination.
NAT
WAN --> endpoint A local machine on the other end of the tunnel, pingable.
If I do an open port test it connects to the endpoint and shows the port open, but from the outside it's not working.

viragomann:

Are the VPN endpoints the default gateways in their LANs?

Have you assigned an interface to the OpenVPN instance on both sites?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.