1. Home
  2. pfSense® Software
  3. Routing and Multi WAN
  4. NAT/Masquerading from WAN to TUN

NAT/Masquerading from WAN to TUN

  • A

    I have got a problem setting up Routing/Masquerading from WAN to a host behind an OpenVPN tun interface.

    pfSense Setup:

    Client: 10.1.1.20 --> pfSense WAN: 10.1.1.10 --> pfSense TUN: 172.22.1.10 --> Server: 172.22.1.20

    The Server provides a Web Interface on port 443 and a SMB share on port 445. It is reachable with ICMP.

    I set up two routes on the client:

    • ip route add 172.22.1.10 via 10.1.1.10
    • ip route add 172.22.1.20 via 10.1.1.10

    Results:

    • The client cannot ping or connect to the server.
    • The client can ping the pfSense TUN interface.
    • From the pfSense Console, i can access the services on the host and send a ping to it.

    I suppose some kind of masquerading is needed for the client to access the server but i have no idea, how to set it up.

    Additional Info: NAT is set to manual on the pfSense. So far no NAT rules have been entered.

    Any help would be appreciated.

    0 V 1 Reply
  • V

    @AWeidner said in NAT/Masquerading from WAN to TUN:

    I set up two routes on the client:

    ip route add 172.22.1.10 via 10.1.1.10
    ip route add 172.22.1.20 via 10.1.1.10

    The problem is on the server. It has no route back to the client.

    You can either configure the VPN so that the server uses the VPN gateway as default route or add a route to the server for the clients network pointing to pfSense.
    If the server is the VPN client and it pulls routes you may set this on pfSense.

    It can also be done by masquerading on pfSense, but that would be only a workaround.

    0 A 1 Reply
  • A

    @viragomann said in NAT/Masquerading from WAN to TUN:

    @AWeidner said in NAT/Masquerading from WAN to TUN:

    It can also be done by masquerading on pfSense, but that would be only a workaround.

    I would be interested in that workaround because i am just the client for the VPN connection as well as the server. Meaning i cannot change anything about those two parts.

    0
  • V

    That can be done with outbound NAT in pfSense.
    Firewall > NAT > Outbound

    By default it is working in automatic mode. To apply manual rules, switch into hybrid mode first and save it.

    Then add a new rule:
    interface: OpenVPN (or a specific one you may have assigned to that OpenVPN instance)
    source: the clients IP (CIDR) or the clients network
    destination: the servers IP
    translation: interface address

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy