NAT/Masquerading from WAN to TUN



  • I have a problem setting up routing/masquerading from WAN to a host behind an OpenVPN tun interface.

    pfSense Setup:

    Client: 10.1.1.20 --> pfSense WAN: 10.1.1.10 --> pfSense TUN: 172.22.1.10 --> Server: 172.22.1.20
    

    The server provides a web interface on port 443 and an SMB share on port 445. It is reachable with ICMP.

    I set up two routes on the client:

    • ip route add 172.22.1.10 via 10.1.1.10
    • ip route add 172.22.1.20 via 10.1.1.10

    Results:

    • The client cannot ping or connect to the server.
    • The client can ping the pfSense TUN interface.
    • From the pfSense console, I can access the services on the host and send a ping to it.

    I suppose some kind of masquerading is needed for the client to access the server, but I have no idea how to set it up.

    Additional Info: NAT is set to manual on the pfSense. So far no NAT rules have been entered.

    Any help would be appreciated.



  • @AWeidner said in NAT/Masquerading from WAN to TUN:

    I set up two routes on the client:

    ip route add 172.22.1.10 via 10.1.1.10
    ip route add 172.22.1.20 via 10.1.1.10

    The problem is on the server. It has no route back to the client.

    You can either configure the VPN so that the server uses the VPN gateway as its default route, or add a route on the server for the client's network pointing to pfSense.
    If the server is the VPN client and it pulls routes, you may set this on pfSense.

    It can also be done by masquerading on pfSense, but that would be only a workaround.



  • @viragomann said in NAT/Masquerading from WAN to TUN:

    @AWeidner said in NAT/Masquerading from WAN to TUN:

    It can also be done by masquerading on pfSense, but that would be only a workaround.

    I would be interested in that workaround, because I am just the client for the VPN connection as well as the server, meaning I cannot change anything about those two parts.



  • That can be done with outbound NAT in pfSense.
    Firewall > NAT > Outbound

    By default it is working in automatic mode. To apply manual rules, switch into hybrid mode first and save it.

    Then add a new rule:
    interface: OpenVPN (or a specific one you may have assigned to that OpenVPN instance)
    source: the client's IP (CIDR) or the client's network
    destination: the server's IP
    translation: interface address
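For readers who want to see what the rule described above amounts to once pfSense loads it, here is the equivalent written in pf.conf syntax. This is an added example, not code from the thread or from pfSense itself; the interface name ovpnc1 is an assumption (pfSense names the first OpenVPN client instance ovpnc1; use whatever name Interfaces > Assignments or `ifconfig` shows for your instance).

```pf
# Added example (not from the thread): pf.conf equivalent of the
# Firewall > NAT > Outbound rule described in the post above.
# Topology from the thread:
#   client 10.1.1.20 -> pfSense WAN 10.1.1.10 -> pfSense TUN 172.22.1.10 -> server 172.22.1.20
# Without this rule the server receives packets from 10.1.1.20, has no route
# back to 10.1.1.0/24, and the reply never arrives (ICMP and TCP both fail).
#
# "ovpnc1" is an assumed interface name for the OpenVPN client instance.
# "(ovpnc1)" means: translate to whatever address that interface currently
# holds, i.e. 172.22.1.10 here, so the server only ever talks to its VPN peer.

# Single client (source given as a /32), destination restricted to the server:
nat on ovpnc1 inet from 10.1.1.20/32 to 172.22.1.20/32 -> (ovpnc1)

# Variant for the whole client network instead of one host:
# nat on ovpnc1 inet from 10.1.1.0/24 to 172.22.1.20/32 -> (ovpnc1)
```

After saving the rule in the GUI you can confirm it was loaded from the pfSense console with `pfctl -sn` (lists the active NAT rules) and, while a connection from the client is open, `pfctl -ss | grep 172.22.1.20` (shows the translated state). Keep in mind why the earlier reply called this a workaround: the server now sees every connection as coming from 172.22.1.10, so its own logs and any source-based access control on it can no longer distinguish individual clients.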

