NATting WAN>OpenVPN>Web Server - Working Intermittently
-
I have two pfSense routers connected to each other (OpenVPN).
Each router has its own WAN interface. I'm trying to NAT requests from a WAN interface to a server sitting on the other side of the tunnel.
I got it working by creating a Source/Outbound NAT. However, it's working intermittently.
The problem is the packets are going out the wrong interface sometimes. See the illustration below to see what's happening.
RED = request
GREEN = response
-
@ITBoneHead said in NATting WAN>OpenVPN>Web Server - Working Intermittently:
I got it working by creating a Source/Outbound NAT
Where? Show the rule.
Post the routing table of both boxes.
-
I figured it out.
Initially, the packet below would travel correctly, like so:
REQUEST: Client -> Site B WAN -> Site A Webserver
RESPONSE: Site A Webserver -> Site B WAN -> Client
Occasionally, this would happen:
REQUEST: Client -> Site B WAN -> Site A Webserver
RESPONSE: Site A Webserver -> Site A WAN -> Lost/dropped packet
The packet is going out the wrong WAN, thus getting dropped. See diagram:
  Internet          Site A                                  Site B                       Internet

                    Web Server       pfsense       WAN    OPENVPN    WAN       pfsense           Client
                    10.0.1.100 ----- 10.0.1.0/24 - 1.1.1.1 ======== 2.2.2.2 - 10.0.2.0/24 ---------+
                                                       |
  RESPONSE  <-----------------------------------------+   (leaves Site A WAN, dropped)

Site B NAT (Port Forward)
+-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
| Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP     | NAT Ports   | Description                         |
+-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
| WAN       | TCP      | *              | *            | WAN address   | 443 (HTTPS) | 10.0.1.100 | 443 (HTTPS) | Site B Internet to Site A Webserver |
+-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+

Site B Outbound (Source) NAT
+-----------+--------+-------------+---------------+------------------+-----------------+----------+-------------+-------------+
| Interface | Source | Source Port | Destination   | Destination Port | NAT Address     | NAT Port | Static Port | Description |
+-----------+--------+-------------+---------------+------------------+-----------------+----------+-------------+-------------+
| OpenVPN   | any    | *           | 10.0.1.100/32 | 443 (HTTPS)      | OpenVPN address | 443      |             |             |
+-----------+--------+-------------+---------------+------------------+-----------------+----------+-------------+-------------+

Site A Firewall Rules, OpenVPN tab (interface not assigned)
+--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+
| States | Protocol | Source | Port | Destination    | Port | Gateway | Queue | Schedule | Description |
+--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+
| 0 /0 B | IPv4 *   | *      | *    | SITE_A_LAN net | *    | *       | none  |          |             |
+--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+
The fix was to assign Site A's OpenVPN connection as an interface and create the firewall rule there instead. Also, you no longer need a Source NAT at Site B.
The combination of rules to get the packet routing back to Site B's WAN consistently is below:

  Internet          Site A                                  Site B                       Internet

                    Web Server       pfsense       WAN    OPENVPN    WAN       pfsense           Client
                    10.0.1.100 ----- 10.0.1.0/24 - 1.1.1.1 ======== 2.2.2.2 - 10.0.2.0/24 ---------+
                        |                                                                          |
                        |  <------------------------ REQUEST (via tunnel) -------------------------+
                        +------------------------- RESPONSE (via tunnel) -------------------------->

Site B NAT (Port Forward)
+-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
| Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP     | NAT Ports   | Description                         |
+-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+
| WAN       | TCP      | *              | *            | WAN address   | 443 (HTTPS) | 10.0.1.100 | 443 (HTTPS) | Site B Internet to Site A Webserver |
+-----------+----------+----------------+--------------+---------------+-------------+------------+-------------+-------------------------------------+

Site A Firewall Rules, OpenVPN interface (assigned interface)
+--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+
| States | Protocol | Source | Port | Destination    | Port | Gateway | Queue | Schedule | Description |
+--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+
| 0 /0 B | IPv4 *   | *      | *    | SITE_A_LAN net | *    | *       | none  |          |             |
+--------+----------+--------+------+----------------+------+---------+-------+----------+-------------+
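To make the difference between the two rule sets concrete, here is an added sketch, in pf syntax, of roughly what pfSense generates on each box for the GUI rules shown above. It is not the poster's configuration or a pfSense ruleset export, and everything not in the thread is assumed: the interface names (em0 for Site B WAN, ovpnc1 for Site B's OpenVPN client, ovpns1 for Site A's OpenVPN server), the Site B WAN gateway 2.2.2.1, and the tunnel addresses 10.0.8.1 (Site A) and 10.0.8.2 (Site B). The final rule goes beyond the thread by tightening the Site A allow rule to the forwarded service only.

```pf
# Added illustration, not the poster's ruleset. Assumed names/addresses:
#   Site B WAN = em0 (gateway 2.2.2.1), Site B OpenVPN client = ovpnc1 (10.0.8.2)
#   Site A OpenVPN server = ovpns1 (10.0.8.1), peer 10.0.8.2

# --- Site B: port forward on WAN (present in both the broken and the fixed setup) ---
rdr on em0 inet proto tcp from any to 2.2.2.2 port 443 -> 10.0.1.100 port 443
pass in quick on em0 reply-to ( em0 2.2.2.1 ) inet proto tcp from any to 10.0.1.100 port 443 \
    flags S/SA keep state label "USER_RULE: NAT Site B Internet to Site A Webserver"

# --- BEFORE (intermittent): Site B outbound NAT on the OpenVPN interface ---
# Rewrites the client's source address to Site B's tunnel address before the
# request crosses the tunnel. The fix drops this rule entirely.
nat on ovpnc1 inet proto tcp from any to 10.0.1.100 port 443 -> 10.0.8.2 port 443

# --- BEFORE: Site A rule on the unassigned "OpenVPN" tab ---
# That tab applies to the "openvpn" interface group. No reply-to is attached,
# so the web server's reply is routed by the routing table: default route via
# Site A WAN (1.1.1.1), which is the wrong path and is dropped.
pass in quick on openvpn inet from any to 10.0.1.0/24 keep state label "USER_RULE"

# --- AFTER (fix): the same rule on the assigned interface ovpns1 ---
# Once the tunnel is an assigned interface with a gateway, pfSense attaches
# reply-to, so replies for this state go back out ovpns1 toward Site B
# regardless of the default route. Symmetric path, no source NAT required.
pass in quick on ovpns1 reply-to ( ovpns1 10.0.8.2 ) inet from any to 10.0.1.0/24 \
    keep state label "USER_RULE"

# --- Tighter equivalent (beyond the thread): admit only the forwarded service ---
# The thread's rule lets any source reach every host in SITE_A_LAN net on any
# port; the forward only needs TCP/443 to 10.0.1.100.
pass in quick on ovpns1 reply-to ( ovpns1 10.0.8.2 ) inet proto tcp from any to 10.0.1.100 port 443 \
    flags S/SA keep state label "USER_RULE: HTTPS via Site B WAN forward"
```

On Site A, `pfctl -sr | grep ovpns1` should show the rule carrying `reply-to`; if it is missing, the rule is still on the group tab rather than the assigned interface. `pfctl -ss | grep 10.0.1.100` while a client connects shows the state and which interface it was created on. Two practitioner caveats: with the Site B source NAT removed, the web server now sees and logs the real client address instead of the tunnel address, and the allow rule should be narrowed as in the last rule above, since the broad rule exposes the whole Site A LAN to anything Site B forwards into the tunnel.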