Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    NAT/Masquerading from WAN to TUN

    Routing and Multi WAN
    2
    4
    82
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      AWeidner last edited by AWeidner

      I have got a problem setting up Routing/Masquerading from WAN to a host behind an OpenVPN tun interface.

      pfSense Setup:

      Client: 10.1.1.20 --> pfSense WAN: 10.1.1.10 --> pfSense TUN: 172.22.1.10 --> Server: 172.22.1.20

      The Server provides a Web Interface on port 443 and a SMB share on port 445. It is reachable with ICMP.

      I set up two routes on the client:

      • ip route add 172.22.1.10 via 10.1.1.10
      • ip route add 172.22.1.20 via 10.1.1.10

      Results:

      • The client cannot ping or connect to the server.
      • The client can ping the pfSense TUN interface.
      • From the pfSense Console, i can access the services on the host and send a ping to it.

      I suppose some kind of masquerading is needed for the client to access the server but i have no idea, how to set it up.

      Additional Info: NAT is set to manual on the pfSense. So far no NAT rules have been entered.

      Any help would be appreciated.

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @AWeidner last edited by

        @AWeidner said in NAT/Masquerading from WAN to TUN:

        I set up two routes on the client:

        ip route add 172.22.1.10 via 10.1.1.10
        ip route add 172.22.1.20 via 10.1.1.10

        The problem is on the server. It has no route back to the client.

        You can either configure the VPN so that the server uses the VPN gateway as default route or add a route to the server for the clients network pointing to pfSense.
        If the server is the VPN client and it pulls routes you may set this on pfSense.

        It can also be done by masquerading on pfSense, but that would be only a workaround.

        A 1 Reply Last reply Reply Quote 0
        • A
          AWeidner @viragomann last edited by AWeidner

          @viragomann said in NAT/Masquerading from WAN to TUN:

          @AWeidner said in NAT/Masquerading from WAN to TUN:

          It can also be done by masquerading on pfSense, but that would be only a workaround.

          I would be interested in that workaround because i am just the client for the VPN connection as well as the server. Meaning i cannot change anything about those two parts.

          1 Reply Last reply Reply Quote 0
          • V
            viragomann last edited by

            That can be done with outbound NAT in pfSense.
            Firewall > NAT > Outbound

            By default it is working in automatic mode. To apply manual rules, switch into hybrid mode first and save it.

            Then add a new rule:
            interface: OpenVPN (or a specific one you may have assigned to that OpenVPN instance)
            source: the clients IP (CIDR) or the clients network
            destination: the servers IP
            translation: interface address

            1 Reply Last reply Reply Quote 0
            • First post
              Last post

            Products

            • Platform Overview
            • TNSR
            • pfSense
            • Appliances

            Services

            • Training
            • Professional Services

            Support

            • Subscription Plans
            • Contact Support
            • Product Lifecycle
            • Documentation

            News

            • Media Coverage
            • Press
            • Events

            Resources

            • Blog
            • FAQ
            • Find a Partner
            • Resource Library
            • Security Information

            Company

            • About Us
            • Careers
            • Partners
            • Contact Us
            • Legal
            Our Mission

            We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

            Subscribe to our Newsletter

            Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

            © 2021 Rubicon Communications, LLC | Privacy Policy