    NAT/Masquerading from WAN to TUN

AWeidner
last edited by AWeidner

      I have got a problem setting up Routing/Masquerading from WAN to a host behind an OpenVPN tun interface.

      pfSense Setup:

      Client: 10.1.1.20 --> pfSense WAN: 10.1.1.10 --> pfSense TUN: 172.22.1.10 --> Server: 172.22.1.20
      

      The Server provides a Web Interface on port 443 and a SMB share on port 445. It is reachable with ICMP.

      I set up two routes on the client:

      • ip route add 172.22.1.10 via 10.1.1.10
      • ip route add 172.22.1.20 via 10.1.1.10

      Results:

      • The client cannot ping or connect to the server.
      • The client can ping the pfSense TUN interface.
• From the pfSense console, I can access the services on the host and send a ping to it.

I suppose some kind of masquerading is needed for the client to access the server, but I have no idea how to set it up.

      Additional Info: NAT is set to manual on the pfSense. So far no NAT rules have been entered.

      Any help would be appreciated.

viragomann @AWeidner
last edited by

        @AWeidner said in NAT/Masquerading from WAN to TUN:

        I set up two routes on the client:

        ip route add 172.22.1.10 via 10.1.1.10
        ip route add 172.22.1.20 via 10.1.1.10

        The problem is on the server. It has no route back to the client.

        You can either configure the VPN so that the server uses the VPN gateway as default route or add a route to the server for the clients network pointing to pfSense.
        If the server is the VPN client and it pulls routes you may set this on pfSense.

        It can also be done by masquerading on pfSense, but that would be only a workaround.

AWeidner @viragomann
last edited by AWeidner

          @viragomann said in NAT/Masquerading from WAN to TUN:

          @AWeidner said in NAT/Masquerading from WAN to TUN:

          It can also be done by masquerading on pfSense, but that would be only a workaround.

I would be interested in that workaround because I am just the client for the VPN connection as well as the server. Meaning I cannot change anything about those two parts.

viragomann
last edited by

            That can be done with outbound NAT in pfSense.
            Firewall > NAT > Outbound

            By default it is working in automatic mode. To apply manual rules, switch into hybrid mode first and save it.

            Then add a new rule:
interface: OpenVPN (or a specific one you may have assigned to that OpenVPN instance)
source: the client's IP (CIDR) or the client's network
destination: the server's IP
translation: interface address
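A small added model of the asymmetric path viragomann describes and of the outbound NAT rule above (example code, not from the thread or from pfSense): it does longest-prefix route lookups over the thread's addresses and shows where the server sends its reply with and without the masquerade. The /24 netmasks and the server's default gateway 192.0.2.1 are assumptions; the thread only gives the host addresses.

```python
import ipaddress

# Constructed model of the thread's topology. The /24 netmasks and the server's
# default gateway 192.0.2.1 (documentation range) are assumptions.
CLIENT, PFSENSE_WAN, PFSENSE_TUN, SERVER = "10.1.1.20", "10.1.1.10", "172.22.1.10", "172.22.1.20"

# Per-host routing tables as (prefix, next hop); "on-link" means directly connected.
ROUTES = {
    "client": [("10.1.1.0/24", "on-link"),
               ("172.22.1.10/32", PFSENSE_WAN),   # the two routes the asker added
               ("172.22.1.20/32", PFSENSE_WAN)],
    "pfsense": [("10.1.1.0/24", "on-link"), ("172.22.1.0/24", "on-link")],
    "server": [("172.22.1.0/24", "on-link"),
               ("0.0.0.0/0", "192.0.2.1")],       # no route for 10.1.1.0/24 via pfSense
}

def next_hop(host, dst):
    """Longest-prefix-match lookup; raises if the host has no route at all."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in ROUTES[host]
               if addr in ipaddress.ip_network(p)]
    if not matches:
        raise LookupError(f"{host}: no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def outbound_nat(src, dst, rules):
    """Apply the first matching outbound NAT rule (source net, destination net, translation)."""
    for src_net, dst_net, target in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)):
            return target
    return src  # no rule matched: source address is left untouched

def reply_next_hop(nat_rules):
    """Where the server sends its reply to a client packet that pfSense forwarded."""
    assert next_hop("client", SERVER) == PFSENSE_WAN       # client hands the packet to pfSense
    assert next_hop("pfsense", SERVER) == "on-link"         # pfSense delivers it over the tun
    src_seen_by_server = outbound_nat(CLIENT, SERVER, nat_rules)
    return next_hop("server", src_seen_by_server)

# The rule from the last post: source = client's IP, destination = server's IP,
# translation = interface address of the OpenVPN interface.
NAT_RULE = [("10.1.1.20/32", "172.22.1.20/32", PFSENSE_TUN)]

if __name__ == "__main__":
    print("without NAT, reply goes to:", reply_next_hop([]))       # 192.0.2.1: never reaches the client
    print("with NAT, reply goes to:", reply_next_hop(NAT_RULE))    # on-link: straight back to pfSense
```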

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.