NAT, every other connect works

  • Hi,

    I have the following setup

    private network -> pfsense -> WAN
                               -> openvpn -> remote_site

    I set up openvpn and it's working from pfsense. Then I added the NAT rules for ipv4 traffic of the remote_site subnet. It works ... sometimes.

    What's strange is that the connections to remote_site work exactly every other time:

    $ ssh remote_site_machine_1  # first try fails. I see on tcpdump repeated singled connection packets go out but nothing coming back
    $ ssh remote_site_machine_1 # immediate second try works without a problem. I see the same packets on tcpdump but this time there are replies
    $ ssh remote_site_machine_1 # again not working

    On pfsense, the connection works every time.

    NAT is set to "Hybrid Outbound NAT rule generation". The NAT rules for remote_site are nothing fancy.

    addr_family=ipv4 (it's ipv4 at the remote site)
    proto, source, dest are ok

    Any ideas?

  • There is either a configuration quirk or a bug.

    The source of the problem is that pfsense runs both an openvpn server (dev ovpns1) and an openvpn client (dev ovpnc2).

    NAT allows specifying rules for "OpenVPN" but does not distinguish whether it's for ovpns1 or ovpnc2. It alternates between them. Obviously ovpns1 cannot translate the traffic, but the packets still get NATed as 10.0.8.X before trying ovpnc2. I can confirm this with tcpdump traffic:

    1st connect (that's working):

    18:28:36.698359 IP ovpns2-ip.21758 > remove_ip.ssh

    2nd connect (that's not working):
    18:28:38.482341 IP > remove_ip.ssh

    Since the remote network doesn't know how to handle them, there is never a reply to the packets.

    So, how can I tell NAT to only use ovpns2 and never use ovpns1 during NAT?

    Specifically, pfctl -s nat reports:

    nat on openvpn inet from to <remote-sub>/16 -> (openvpn) port 1024:65535 round-robin

    : pfctl -s Interfaces


    I would like the NAT rule to use ovpnc2 exclusively and not OpenVPN.

  • So here's the resolution. Writing things down for my previous posts helped me to debug it.

    The answer was: create a new interface for the openvpn client use and then update the NAT rules to use that new interface.

    So to set up a VPN for your subnet behind pfsense, you need to do these three things:

    1. set up the openvpn client
    2. create a new interface for the openvpn client dev
    3. create NAT rules for the new interface

    Point 2 is not necessary if you have exactly one openvpn something (=client or server) on pfsense. But it would be good practice to always create a new interface, as it avoids errors later on.
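
    Added example (not from this thread or from pfSense itself): a small POSIX shell check that reads `pfctl -s nat` output and flags outbound NAT rules bound to the `openvpn` interface group rather than to a specific assigned interface such as ovpnc2. It is the kind of check you would run after step 3 above to confirm that no rule still expands over every OpenVPN member interface (which is what produced the every-other-connect symptom). The sample `pfctl -s nat` lines are constructed: the `192.168.1.0/24` source, the `10.20.0.0/16` destination and the exact form of the ovpnc2-bound rule are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: flag outbound NAT rules that are bound to the "openvpn"
# interface group. pf expands a rule on a group over every member interface
# (ovpns1, ovpnc2, ...), so such a rule can translate traffic on the wrong
# tunnel. Pipe real `pfctl -s nat` output into flag_group_nat or count_group_nat.

# Constructed sample of `pfctl -s nat` output. Line 1 is the problematic
# group-bound rule; line 2 is what a rule on the assigned ovpnc2 interface is
# assumed to look like; line 3 is an ordinary WAN rule for contrast.
# Addresses are made-up placeholders.
SAMPLE_NAT='nat on openvpn inet from 192.168.1.0/24 to 10.20.0.0/16 -> (openvpn) port 1024:65535 round-robin
nat on ovpnc2 inet from 192.168.1.0/24 to 10.20.0.0/16 -> (ovpnc2) port 1024:65535
nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535'

# Print every NAT rule whose "on" interface is the openvpn group.
# Exit status 1 when at least one such rule exists, 0 when none does,
# so it can gate a deployment script.
flag_group_nat() {
    awk '
        $1 == "nat" && $2 == "on" && $3 == "openvpn" {
            print "GROUP-BOUND NAT RULE: " $0
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Print only the number of group-bound NAT rules (0 when there are none).
count_group_nat() {
    awk '$1 == "nat" && $2 == "on" && $3 == "openvpn" { n++ } END { print n + 0 }'
}

# Usage: on a live box run `pfctl -s nat | flag_group_nat`.
# With --sample the constructed rules above are checked instead.
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_NAT" | flag_group_nat
fi
```

The match is on the interface token right after `nat on`, so rules on ovpns1/ovpnc2 (specific members) pass and only the group-wide rule is reported; after reconfiguring NAT onto the assigned client interface the count should drop to zero.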
