NATting WAN>OpenVPN>Web Server - Working Intermittently



  • I have two pfsense routers connected to each other (OpenVPN).
    Each router has its own WAN interface.

    I'm trying to NAT requests from a WAN interface to a server sitting on the other side of the tunnel.

    I got it working by creating a Source/Outbound NAT. However, it's working intermittently.
    The problem is the packets are going out the wrong interface sometimes.

    See the illustration below to see what's happening.
    RED = request
    GREEN = response

    Illustration



  • @ITBoneHead said in NATting WAN>OpenVPN>Web Server - Working Intermittently:

    I got it working by creating a Source/Outbound NAT

    Where? Show the rule.

    Post the routing table of both boxes.



  • I figured it out.

    Initially, the packet below would travel correctly, like so:
    REQUEST: Client -> Site B WAN -> Site A Webserver
    RESPONSE: Site A Webserver -> Site B WAN -> Client

    Occasionally, this would happen:
    REQUEST: Client -> Site B WAN -> Site A Webserver
    RESPONSE: Site A Webserver -> Site A WAN -> Lost/dropped packet
    The packet is going out the wrong WAN, thus getting dropped.

    See diagram:

    +-----------------+---------------------------------------+-------------------+-----------------+
    |    Internet     |                Site A                 |      Site B       |     Internet    |
    |                 |                                       |                   |                 |
    |                 |                                       |                   |                 |
    |                 |                                       |                   |                 |
    |                 |                                       |                   |    Packet       |
    |        <-----------------------------------------------------------------------------------+  |
    |                 |                                       |                   |              |  |
    |                 |                                       |                   |              |  |
    |                 |                                       |                   |              |  |
    |                 |                                       |                   |              |  |
    |                 |            +---+          +---+       |       +---+       |      +---+   |  |
    |                 |            |   |          |   |       |       |   |       |      |   |   |  |
    |           +-----+-----+      |   |          |   | +-----+-----+ |   | +-----+----+ |   |   +  |
    |                WAN           |   |          |   |    OPENVPN    |   |      WAN     |   |      |
    |              1.1.1.1         +---+          +---+       |       +---+    2.2.2.2   +---+      |
    |                 |            Web           pfsense      |      pfsense      |   Client        |
    |                 |            Server        10.0.1.0/24  |      10.0.2.0/24  |                 |
    |                 |            10.0.1.100                 |                   |                 |
    |                 |                                       |                   |                 |
    +-----------------+---------------------------------------+-------------------+-----------------+
    
    Site B
        NAT
        +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
        | Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP     | NAT Ports   | Description                         |
        +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
        | WAN       | TCP      | *              | *            | WAN address   | 443 (HTTPS) | 10.0.1.100 | 443 (HTTPS) | Site B Internet to Site A Webserver |
        +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
    
        Site B Outbound (Source) NAT
        +-----------+--------+-------------+---------------+------------------+-----------------+----------+-------------+-------------+---------+
        | Interface | Source | Source Port | Destination   | Destination Port | NAT Address     | NAT Port | Static Port | Description | Actions |
        +-----------+--------+-------------+---------------+------------------+-----------------+----------+-------------+-------------+---------+
        | OpenVPN   | any    | *           | 10.0.1.100/32 | 443 (HTTPS)      | OpenVPN address | 443      |             |             |         |
        +-----------+--------+-------------+---------------+------------------+-----------------+----------+-------------+-------------+---------+
    
    Site A
        Firewall Rules
        OpenVpn Interface (interface not assigned)
        +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
        | States | Protocol | Source | Port | Destination    | Port | Gateway | Queue | Schedule | Description | Actions |
        +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
        | 0 /0 B | IPv4 *   | *      | *    | SITE_A_LAN net | *    | *       | none  |          |             |         |
        +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
    

    The fix was to assign Site A's OpenVPN connection as an interface and create the firewall rule there instead. Also, you no longer need a Source NAT at Site B.
    The combination of rules to get the packet routing back to Site B's WAN consistently is below:

    +-----------------+---------------------------------------+-------------------+-----------------+
    |    Internet     |                Site A                 |      Site B       |     Internet    |
    |                 |                                       |                   |                 |
    |                 |                                       |                   |                 |
    |                 |                                       |                   |                 |
    |                 |                                       |                   |     Packet      |
    |                 |           +--------------------------------------------------------------+  |
    |                 |           |                           |                   |              |  |
    |                 |           +------------------------------------------------------------+ |  |
    |                 |                                       |                   |            | |  |
    |                 |                                       |                   |            | |  |
    |                 |            +---+          +---+       |       +---+       |      +---+ | |  |
    |                 |            |   |          |   |       |       |   |       |      |   | | |  |
    |           +-----+-----+      |   |          |   | +-----+-----+ |   | +-----+----+ |   | v +  |
    |                WAN           |   |          |   |    OPENVPN    |   |      WAN     |   |      |
    |              1.1.1.1         +---+          +---+       |       +---+    2.2.2.2   +---+      |
    |                 |            Web           pfsense      |      pfsense      |   Client        |
    |                 |            Server        10.0.1.0/24  |      10.0.2.0/24  |                 |
    |                 |            10.0.1.100                 |                   |                 |
    |                 |                                       |                   |                 |
    +-----------------+---------------------------------------+-------------------+-----------------+
    
    Site B
        NAT
        +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
        | Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP     | NAT Ports   | Description                         |
        +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
        | WAN       | TCP      | *              | *            | WAN address   | 443 (HTTPS) | 10.0.1.100 | 443 (HTTPS) | Site B Internet to Site A Webserver |
        +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
    
    
    Site A
        Firewall Rules
        OpenVpn Interface (assigned interface)
        +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
        | States | Protocol | Source | Port | Destination    | Port | Gateway | Queue | Schedule | Description | Actions |
        +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
        | 0 /0 B | IPv4 *   | *      | *    | SITE_A_LAN net | *    | *       | none  |          |             |         |
        +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
    
    
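Editor's note, added here and not part of the thread: the reason assigning the OpenVPN interface at Site A fixes the asymmetric return path is that pfSense only adds pf's `reply-to` to rules placed on an assigned interface; rules on the unassigned "OpenVPN" tab are applied to the `openvpn` interface group without it, so replies from 10.0.1.100 fall back to the routing table and leave via Site A's default gateway (the 1.1.1.1 WAN) whenever the state was created by such a rule. The two pf rules below are an illustration of that difference written for this note, not rules copied from either box. The interface name `ovpns1` and the tunnel addresses 10.8.0.1 (Site A) and 10.8.0.2 (Site B) are assumptions; the public and LAN addresses are the ones in the diagram.

```pf
# Illustration only: interface name ovpns1 and tunnel addresses 10.8.0.x are assumed,
# not taken from the thread.

# Rule as generated for the unassigned "OpenVPN" tab (interface group "openvpn").
# No reply-to: the reply to a request that arrived over the tunnel is routed by the
# routing table, i.e. out the default gateway on Site A's WAN (1.1.1.1), where it is lost.
pass in quick on openvpn inet proto tcp from any to 10.0.1.100 port 443 flags S/SA keep state

# Rule on the assigned OpenVPN interface. reply-to pins the reply to the interface and
# next hop the request came from (the tunnel peer at Site B), so it returns through the
# tunnel and leaves Site B's WAN 2.2.2.2 every time, and no source NAT at Site B is needed.
pass in quick on ovpns1 reply-to (ovpns1 10.8.0.2) inet proto tcp from any to 10.0.1.100 port 443 flags S/SA keep state
```

To confirm which variant is active on Site A, list the loaded ruleset with `pfctl -sr` and check that the rule matching 10.0.1.100 port 443 carries `reply-to`; while a client connection is open, `pfctl -ss` should show the matching state on the tunnel interface rather than on the WAN.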
