Netgate Discussion Forum

    Quick NAT/OpenVPN questions.

    Category: NAT. 7 posts, 4 posters, 554 views.
    bakerjw:

      Good day, PFSense community. I work with a lot of networking but not too much in the routing realm.

      When I upgraded to the latest version this last weekend, our PFSense box had been up 53 days with no issues whatsoever. With a minimal install, you just set it and forget it, which is what we've done. I did the upgrade so that we could connect to a dedicated VPN service (NordVPN). Their configuration document was very thorough.

      Last night we ran into an issue accessing VUDU. According to their website, they block VPN IP addresses. Fair enough. So, I have to route some internal traffic around the OpenVPN interface to the regular WAN interface which brings me to some general questions.

      Higher mappings have higher precedence? I believe that they do.

      I know that I can create a reservation for the device that accesses VUDU and then put in a rule for that IP to use the WAN interface.
      Is there a way to put in a range of IP addresses or do I just need to use the /## method?
      For the destination, can you use a domain name? *.vudu.com or similar or do I have to use an IP address range?
      Thanks for any thoughts/guidance.

      viragomann:

        You may use aliases. Firewall > Aliases > IP.
        Here you can put in IP ranges or FQDNs.
        After creating an IP alias, it can be used as source or destination in firewall or NAT rules.

        bakerjw:

          I've been reading up a bit about outbound NAT and routing.

          This document mentions outbound NAT doesn't control which interface is used.
          Instead it says to use policy routing or static routes.
          https://docs.netgate.com/pfsense/en/latest/nat/outbound-nat.html

          I am trying some static routes now to see if I can force traffic out of the WAN port.

          Derelict (LAYER 8, Netgate):

            Use policy routing not static routes.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            bakerjw (replying to Derelict):

              @Derelict
              Thanks. Now I am getting somewhere.

              I have a PHP script on my webhost that gives information back about the connection that launched it. I was able to finally get my personal workstation to hit it without the VPN.
              VUDU is still unhappy but I'm getting to know the lay of the land a bit better.

              Thanks for all of the patience.

              ETA...
              With a single Internet IP on the WAN side and a Class C subnet, is NAT even needed if I am using policy routing? That is what it seems to say in the PFSense book. <-- Great resource too BTW.
              Apparently yes. Disabling it blocks everything.

              Derelict (LAYER 8, Netgate, replying to bakerjw):

                @bakerjw The other side will not have a route back to your private LAN subnet. You need to NAT so the return traffic goes to your tunnel address, which is a connected route on the other side.


                Rico (LAYER 8, Rebel Alliance):
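                The thread makes three points that fit one worked model: viragomann's note that aliases can hold IP ranges and FQDNs and be used in rules, Derelict's "policy routing, not static routes" (the rule that matches first picks the gateway), and Derelict's explanation that outbound NAT is still needed because the VPN peer only has a route back to the tunnel network. The Python below is an added example written for this post, not pfSense code and not anything the posters supplied; the alias contents, addresses (RFC 5737 test blocks), interface addresses and peer routing tables are all constructed. It also models one caveat a practitioner runs into with FQDN aliases: the alias only covers the addresses resolved at refresh time, so a CDN-backed service that answers from an address not in that set falls through to the catch-all VPN rule.

```python
"""Toy model of pfSense-style policy routing with aliases, outbound NAT and the
return-path check. Added example, not pfSense code; every address and alias
entry below is constructed for illustration."""
import ipaddress
from dataclasses import dataclass

# Constructed: what the firewall's resolver returned for FQDN alias entries.
# pfSense re-resolves FQDN aliases periodically; between refreshes only these
# addresses are matched.
FQDN_RESOLUTION = {
    "www.vudu.com": ["198.51.100.10", "198.51.100.11"],   # constructed (TEST-NET-2)
}

# Constructed aliases: hosts, CIDR networks and FQDNs, as in Firewall > Aliases > IP.
ALIASES = {
    "STREAMING_DEVICES": ["192.168.1.50", "192.168.1.64/27"],
    "VUDU_HOSTS": ["www.vudu.com", "203.0.113.0/24"],
}

def expand_alias(name):
    """Expand an alias into ipaddress networks; single hosts become /32."""
    nets = []
    for entry in ALIASES[name]:
        for e in FQDN_RESOLUTION.get(entry, [entry]):
            nets.append(ipaddress.ip_network(e, strict=False))
    return nets

def matches(addr, spec):
    """spec is 'any' or an alias name."""
    if spec == "any":
        return True
    a = ipaddress.ip_address(addr)
    return any(a in n for n in expand_alias(spec))

@dataclass
class Rule:
    src: str
    dst: str
    gateway: str  # "WAN_GW" or "VPN_GW"

# Constructed LAN rule set, evaluated top to bottom, first match wins.
# The VUDU bypass sits above the catch-all that sends everything into the VPN.
LAN_RULES = [
    Rule("STREAMING_DEVICES", "VUDU_HOSTS", "WAN_GW"),
    Rule("any", "any", "VPN_GW"),
]

def select_gateway(src, dst, rules=LAN_RULES):
    """Policy routing: the first matching rule decides the gateway."""
    for r in rules:
        if matches(src, r.src) and matches(dst, r.dst):
            return r.gateway
    return None  # no rule matched: implicit deny

# Constructed egress interface addresses.
IFACE_ADDR = {"WAN_GW": "192.0.2.7", "VPN_GW": "10.8.0.6"}

# Constructed: what each upstream peer can route back to. The ISP routes our
# public block; the VPN server only has the connected tunnel network.
PEER_ROUTES = {
    "WAN_GW": [ipaddress.ip_network("192.0.2.0/24")],
    "VPN_GW": [ipaddress.ip_network("10.8.0.0/24")],
}

def outbound_nat(src, gateway, nat_enabled=True):
    """Outbound NAT rewrites the source to the egress address. It does not pick
    the interface; select_gateway has already done that."""
    return IFACE_ADDR[gateway] if nat_enabled else src

def peer_has_return_route(gateway, reply_dst):
    a = ipaddress.ip_address(reply_dst)
    return any(a in n for n in PEER_ROUTES[gateway])

def simulate(src, dst, nat_enabled=True):
    """Return the chosen gateway, the source seen by the peer, and whether the
    peer can route the reply back."""
    gw = select_gateway(src, dst)
    if gw is None:
        return {"gateway": None, "egress_src": None, "return_path": False}
    egress_src = outbound_nat(src, gw, nat_enabled)
    return {"gateway": gw, "egress_src": egress_src,
            "return_path": peer_has_return_route(gw, egress_src)}

if __name__ == "__main__":
    for flow in [("192.168.1.50", "198.51.100.10"),      # streaming device to VUDU: WAN
                 ("192.168.1.100", "198.51.100.10"),     # other LAN host: VPN
                 ("192.168.1.50", "198.51.100.99")]:     # VUDU address not in alias: VPN
        print(flow, simulate(*flow))
    print("VPN without NAT:", simulate("192.168.1.100", "8.8.8.8", nat_enabled=False))
```

The last print is Derelict's point in miniature: with NAT disabled the packet leaves the tunnel with a 192.168.1.x source, the peer has no route for it, and the reply never comes back. The "198.51.100.99" case is the FQDN caveat: the alias covers only the resolved addresses, so a service that answers from another address silently takes the VPN path.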

                  I'd recommend everyone using a VPN Provider with pfSense to watch
                  https://www.netgate.com/resources/videos/openvpn-as-a-wan-on-pfsense.html ☺

                  -Rico

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.