Netgate Discussion Forum
    NATting WAN>OpenVPN>Web Server - Working Intermittently

      ITBoneHead

      I have two pfsense routers connected to each other (OpenVPN).
      Each router has its own WAN interface.

      I'm trying to NAT requests from a WAN interface to a server sitting on the other side of the tunnel.

      I got it working by creating a Source/Outbound NAT. However, it's working intermittently.
      The problem is the packets are going out the wrong interface sometimes.

      See the illustration below to see what's happening.
      RED = request
      GREEN = response

      Illustration

      viragomann @ITBoneHead

        @ITBoneHead said in NATting WAN>OpenVPN>Web Server - Working Intermittently:

        I got it working by creating a Source/Outbound NAT

        Where? Show the rule.

        Post the routing table of both boxes.

        ITBoneHead

          I figured it out.

          Initially, the packet below would travel correctly, like so:
          REQUEST: Client -> Site B WAN -> Site A Webserver
          RESPONSE: Site A Webserver -> Site B WAN -> Client

          Occasionally, this would happen:
          REQUEST: Client -> Site B WAN -> Site A Webserver
          RESPONSE: Site A Webserver -> Site A WAN -> Lost/dropped packet
          The packet is going out the wrong WAN, thus getting dropped

          See diagram:

          +-----------------+---------------------------------------+-------------------+-----------------+
          |    Internet     |                Site A                 |      Site B       |     Internet    |
          |                 |                                       |                   |                 |
          |                 |                                       |                   |                 |
          |                 |                                       |                   |                 |
          |                 |                                       |                   |    Packet       |
          |        <-----------------------------------------------------------------------------------+  |
          |                 |                                       |                   |              |  |
          |                 |                                       |                   |              |  |
          |                 |                                       |                   |              |  |
          |                 |                                       |                   |              |  |
          |                 |            +---+          +---+       |       +---+       |      +---+   |  |
          |                 |            |   |          |   |       |       |   |       |      |   |   |  |
          |           +-----+-----+      |   |          |   | +-----+-----+ |   | +-----+----+ |   |   +  |
          |                WAN           |   |          |   |    OPENVPN    |   |      WAN     |   |      |
          |              1.1.1.1         +---+          +---+       |       +---+    2.2.2.2   +---+      |
          |                 |            Web           pfsense      |      pfsense      |   Client        |
          |                 |            Server        10.0.1.0/24  |      10.0.2.0/24  |                 |
          |                 |            10.0.1.100                 |                   |                 |
          |                 |                                       |                   |                 |
          +-----------------+---------------------------------------+-------------------+-----------------+
          
          Site B
              NAT
              +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
              | Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP     | NAT Ports   | Description                         |
              +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
              | WAN       | TCP      | *              | *            | WAN address   | 443 (HTTPS) | 10.0.1.100 | 443 (HTTPS) | Site B Internet to Site A Webserver |
              +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
          
              Site B Outbound (Source) NAT
              +-----------+--------+-------------+---------------+------------------+-----------------+----------+-------------+-------------+---------+
              | Interface | Source | Source Port | Destination   | Destination Port | NAT Address     | NAT Port | Static Port | Description | Actions |
              +-----------+--------+-------------+---------------+------------------+-----------------+----------+-------------+-------------+---------+
              | OpenVPN   | any    | *           | 10.0.1.100/32 | 443 (HTTPS)      | OpenVPN address | 443      |             |             |         |
              +-----------+--------+-------------+---------------+------------------+-----------------+----------+-------------+-------------+---------+
          
          Site A
              Firewall Rules
              OpenVPN Interface (interface not assigned)
              +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
              | States | Protocol | Source | Port | Destination    | Port | Gateway | Queue | Schedule | Description | Actions |
              +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
              | 0 /0 B | IPv4 *   | *      | *    | SITE_A_LAN net | *    | *       | none  |          |             |         |
              +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
          

          The fix was to assign Site A's OpenVPN connection as an interface and create the firewall rule there instead. Also, you no longer need a Source NAT at Site B.
          The combination of rules to get the packet routing back to Site B's WAN consistently is below:

          +-----------------+---------------------------------------+-------------------+-----------------+
          |    Internet     |                Site A                 |      Site B       |     Internet    |
          |                 |                                       |                   |                 |
          |                 |                                       |                   |                 |
          |                 |                                       |                   |                 |
          |                 |                                       |                   |     Packet      |
          |                 |           +--------------------------------------------------------------+  |
          |                 |           |                           |                   |              |  |
          |                 |           +------------------------------------------------------------+ |  |
          |                 |                                       |                   |            | |  |
          |                 |                                       |                   |            | |  |
          |                 |            +---+          +---+       |       +---+       |      +---+ | |  |
          |                 |            |   |          |   |       |       |   |       |      |   | | |  |
          |           +-----+-----+      |   |          |   | +-----+-----+ |   | +-----+----+ |   | v +  |
          |                WAN           |   |          |   |    OPENVPN    |   |      WAN     |   |      |
          |              1.1.1.1         +---+          +---+       |       +---+    2.2.2.2   +---+      |
          |                 |            Web           pfsense      |      pfsense      |   Client        |
          |                 |            Server        10.0.1.0/24  |      10.0.2.0/24  |                 |
          |                 |            10.0.1.100                 |                   |                 |
          |                 |                                       |                   |                 |
          +-----------------+---------------------------------------+-------------------+-----------------+
          
          Site B
              NAT
              +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
              | Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP     | NAT Ports   | Description                         |
              +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
              | WAN       | TCP      | *              | *            | WAN address   | 443 (HTTPS) | 10.0.1.100 | 443 (HTTPS) | Site B Internet to Site A Webserver |
              +-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
          
          
          Site A
              Firewall Rules
              OpenVPN Interface (assigned interface)
              +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
              | States | Protocol | Source | Port | Destination    | Port | Gateway | Queue | Schedule | Description | Actions |
              +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
              | 0 /0 B | IPv4 *   | *      | *    | SITE_A_LAN net | *    | *       | none  |          |             |         |
              +--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+---------+
          
          
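The reason the final layout works is pf's reply-to: pfSense attaches `reply-to` to pass rules on an assigned interface that has a gateway (an assigned OpenVPN interface gets one automatically), so replies to a connection that arrived through the tunnel are sent back out the tunnel instead of following Site A's default route to its WAN. Rules on the OpenVPN group tab (the unassigned case) never carry reply-to. A side benefit of dropping the Site B outbound NAT is that the web server now logs the real client address rather than Site B's tunnel address. The script below is an added example, not from the thread or from Netgate: it audits a `pfctl -sr` dump for pass rules that would let replies escape the tunnel. The interface names `ovpns1` (assigned OpenVPN server interface) and `openvpn` (pfSense's OpenVPN interface group), the tunnel gateway 10.0.8.2 and the sample rules are all assumptions constructed for the example; on a live box you would pipe the real `pfctl -sr` output into `audit_reply_to`.

```shell
#!/bin/sh
# Added example (not from the thread or from Netgate): audit a `pfctl -sr` dump
# for pass rules that let replies follow the routing table instead of returning
# down the tunnel. Interface names are assumptions:
#   ovpns1  = the assigned OpenVPN server interface (rules here get reply-to)
#   openvpn = pfSense's OpenVPN interface group (the unassigned "OpenVPN" tab)
# On a live pfSense box:  pfctl -sr | audit_reply_to ovpns1

# Constructed sample of `pfctl -sr` output; NOT captured from the poster's routers.
# Line 1: rule from the unassigned OpenVPN tab (no reply-to possible).
# Line 2: rule on the assigned interface, reply-to present (the working setup).
# Line 3: rule on the assigned interface but without reply-to (e.g. gateway missing).
# Line 4: ordinary WAN rule, not relevant to the tunnel audit.
SAMPLE_RULES='pass in quick on openvpn inet from any to 10.0.1.0/24 flags S/SA keep state label "USER_RULE"
pass in quick on ovpns1 reply-to (ovpns1 10.0.8.2) inet from any to 10.0.1.0/24 flags S/SA keep state label "USER_RULE"
pass in quick on ovpns1 inet proto udp from any to 10.0.1.0/24 port = 53 keep state label "USER_RULE"
pass in quick on vtnet0 reply-to (vtnet0 1.1.1.254) inet proto tcp from any to 10.0.1.100 port = 443 flags S/SA keep state'

# audit_reply_to IFACE: reads rules on stdin and prints one line per offending rule:
#   GROUP  rule lives on the openvpn interface group, so replies use the routing table
#   NO-RT  rule is on IFACE but carries no reply-to
# Returns 0 when every tunnel pass rule is pinned with reply-to, 1 otherwise.
audit_reply_to() {
  iface="$1"
  bad=0
  while IFS= read -r rule; do
    case "$rule" in
      "pass in "*" on openvpn "*)
        echo "GROUP  $rule"; bad=1 ;;
      "pass in "*" on $iface reply-to ("*)
        : ;;                                  # reply-to present: reply leaves via $iface
      "pass in "*" on $iface "*)
        echo "NO-RT  $rule"; bad=1 ;;
    esac
  done
  return $bad
}

# count_bad IFACE: number of offending rules found in SAMPLE_RULES
count_bad() {
  printf '%s\n' "$SAMPLE_RULES" | audit_reply_to "$1" | wc -l | tr -d ' '
}

if printf '%s\n' "$SAMPLE_RULES" | audit_reply_to ovpns1; then
  echo "OK: every pass rule on ovpns1 carries reply-to"
else
  echo "FIX: assign the OpenVPN interface and create the rule on its own tab"
fi
```

If the audit reports NO-RT on an assigned interface, check that the interface actually has a gateway (System > Routing), since pfSense only adds reply-to to rules on interfaces with one; a GROUP line means the rule is still on the unassigned OpenVPN tab, which is the situation the thread started from.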
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.