Netgate Discussion Forum

    NAT, every other connect works

    butterchicken

      Hi,

      I have the following setup

      private network -> pfsense -> WAN
                                 -> openvpn -> remote_site
      

      I set up openvpn and it's working from pfsense. Then I added the NAT rules for ipv4 traffic of the remote_site subnet. It works ... sometimes.

      What's strange is that the connections to remote_site work exactly every other time:

      $ ssh remote_site_machine_1  # first try fails. I see on tcpdump repeated single connection packets go out but nothing coming back
      $ ssh remote_site_machine_1  # immediate second try works without a problem. I see the same packets on tcpdump but this time there are replies
      $ ssh remote_site_machine_1  # again not working
      ...

      On pfsense, the connection works every time.

      NAT is set to "Hybrid Outbound NAT rule generation". The NAT rules for remote_site are nothing fancy.

      do_not_nat=unchecked
      interface=openvpn
      addr_family=ipv4 (it's ipv4 at the remote site)
      proto, source, dest are ok
      address=interface_address

      Any ideas?

      butterchicken (replying to butterchicken)

        There is either a configuration quirk or a bug.

        The source of the problem is that pfsense runs both an openvpn server (dev ovpns1) and an openvpn client (dev ovpnc2).

        NAT allows specifying rules for "OpenVPN" but does not distinguish whether it's for ovpns1 or ovpnc2. It alternates between them. Obviously ovpns1 cannot translate the traffic, but the packets still get NATed as 10.0.8.X before trying ovpnc2. I can confirm this with tcpdump traffic:

        1st connect (that's working):

        18:28:36.698359 IP ovpns2-ip.21758 > remove_ip.ssh
        ...

        2nd connect (that's not working):

        18:28:38.482341 IP 10.0.8.1.32282 > remove_ip.ssh

        Since the remote network doesn't know how to handle 10.0.8.0/24, there is never a reply to the packets.

        So, how can I tell NAT to only use ovpns2 and never use ovpns1 during NAT?

        Specifically, pfctl -s nat reports:

        nat on openvpn inet from 192.168.1.0/24 to <remote-sub>/16 -> (openvpn) port 1024:65535 round-robin

        $ pfctl -s Interfaces

        ...
        openvpn
        ovpnc2
        ovpns1
        ...

        I would like the NAT rule to use ovpnc2 exclusively and not OpenVPN.

        butterchicken

          So here's the resolution. Writing things down for my previous posts helped me to debug it.

          The answer was: create a new interface for the openvpn client use and then update the NAT rules to use that new interface.

          So to set up a vpn for your subnet behind pfsense, you need to do these three things:

          1. set up the openvpn client
          2. create a new interface for the openvpn client dev
          3. create NAT rules for the new interface

          Point 2 is not necessary if you have exactly one openvpn something (=client or server) on pfsense. But it would be good practice to always create a new interface, as it avoids errors later on.

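An added configuration check, written for this thread and not code from the poster, from pfSense or from Netgate. It lints `pfctl -s nat` style output for rules whose translation address is an interface group with more than one member, which is exactly the round-robin situation the second post diagnoses and the third post avoids by binding the rule to a dedicated interface. The two NAT lines, the 10.20.0.0/16 remote subnet and the group membership map are constructed samples; on a live pfSense box the same information comes from `pfctl -s nat` and, for group members, `ifconfig -g openvpn`.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): flag outbound NAT
# rules whose "-> (target)" is an interface GROUP with two or more members.
# pf then round-robins between the members' addresses, so half of the
# connections are translated to the wrong tunnel's address.

# Constructed sample modelled on the rule quoted in the thread; the second
# line is the shape of the rule after it is bound to the dedicated interface.
# 10.20.0.0/16 is a placeholder for the remote subnet.
SAMPLE_NAT='nat on openvpn inet from 192.168.1.0/24 to 10.20.0.0/16 -> (openvpn) port 1024:65535 round-robin
nat on ovpnc2 inet from 192.168.1.0/24 to 10.20.0.0/16 -> (ovpnc2) port 1024:65535'

# Constructed group membership, one "group:member member" line per group.
# Live equivalent on FreeBSD/pfSense: ifconfig -g openvpn
SAMPLE_GROUPS='openvpn:ovpnc2 ovpns1'

# members_of GROUP GROUPMAP -> prints GROUP's member list
# (prints nothing when GROUP is a plain interface, not a group).
members_of() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $2 }'
}

# translation_target RULE -> the name inside "-> (...)" of each rule line
translation_target() {
    printf '%s\n' "$1" | sed -n 's/.*-> (\([^)]*\)).*/\1/p'
}

# ambiguous_nat_rules NATRULES GROUPMAP -> prints every rule whose
# translation target is a group with two or more members.
ambiguous_nat_rules() {
    printf '%s\n' "$1" | while IFS= read -r rule; do
        target=$(translation_target "$rule")
        [ -n "$target" ] || continue
        members=$(members_of "$target" "$2")
        # number of members; 0 for a plain interface
        n=$(printf '%s' "$members" | wc -w | tr -d ' ')
        if [ "$n" -ge 2 ]; then
            printf '%s\n' "$rule"
        fi
    done
}

# ambiguous_count NATRULES GROUPMAP -> how many rules were flagged
ambiguous_count() {
    ambiguous_nat_rules "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed samples: prints the one group-bound
# rule and exits non-zero so the check can sit in a cron job or CI step.
if [ "${1:-}" = "--run" ]; then
    ambiguous_nat_rules "$SAMPLE_NAT" "$SAMPLE_GROUPS"
    [ "$(ambiguous_count "$SAMPLE_NAT" "$SAMPLE_GROUPS")" = "0" ]
fi
```

Run it with `sh check_nat.sh --run` to see the group-bound rule reported; on a real box replace the two samples with `pfctl -s nat` output and a membership line built from `ifconfig -g openvpn`. The check is deliberately narrow: it only looks at the translation target, because that is the part of the rule that selects the source address the remote side sees.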
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.