1:1 NAT through Open
-
Hi folks,
I'm trying to configure 1:1 NAT for an address behind a VPN.
I have a site-to-site VPN server called relay. relay has a main WAN address of x.x.x.139, and a handful of virtual IPs coming off of WAN's gateway.
Then, I have a site-to-site VPN client called router. router runs 192.168.129.0/24, which uses the relay VPN connection as its gateway. I've set x.x.x.146 to 1:1 NAT with 192.168.129.11. I'm able to browse, ping, or ssh to .146 and get into .11 reliably from anywhere, so I know the inbound side of the 1:1 NAT works.
The trouble is everything outbound from 192.168.129.11 looks like it's coming from x.x.x.139 (relay's main WAN address), as opposed to x.x.x.146 (the VIP it's 1:1 NATed to).
The problem looks like what's described here: https://pfsense-docs.readthedocs.io/en/latest/nat/troubleshooting-1-1-nat.html
But, I'm not running any sort of proxy (that I'm aware of), other than perhaps the VPN itself. The fact that inbound works perfectly makes me think this should be possible.
The grand goal here is to do a more heavy duty version of what https://portmap.io/ does.
Somewhat separately, I've wondered if I'm doing too much routing and not enough switching. To that end, I've investigated running OpenVPN in TAP as opposed to TUN mode, but in order for everything to get bridged/DHCPed properly it looks like router would have to be the VPN server as opposed to relay (which defeats the point).
Thanks
-
@exotic_chocolate said in 1:1 NAT through Open:
The trouble is everything outbound from 192.168.129.11 looks like it's coming from x.x.x.139 (relay's main WAN address), as opposed to x.x.x.146 (the VIP it's 1:1 NATed to).
So obviously you have an outbound NAT rule on the WAN matching the source IP 192.168.129.11.
Presumably this rule is processed first and so the 1:1 is skipped. Try to remove that outbound NAT rule or edit it so that it doesn't match.
You may also add a separate outbound NAT rule for that source IP to the top of the rule set, translating to x.x.x.146.
-
Thank you @viragomann, that did the trick!
For anyone who is interested, here are my notes:

On relay, outbound NAT set to Manual
relay rule for 192.168.130.0/24 uses WAN address for NAT
1:1 is set up on relay, mapping x.146 to 192.168.129.11
ip shows as .139

Same as above, except outbound NAT mode set to disabled
no outbound traffic

Reset to first configuration.
Disabled outbound NAT on router
ip shows as .146!

Re-enabled outbound NAT on router, but disabled it for the 129.0/24 network
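The two findings in this thread (viragomann's point that an outbound NAT rule matching the source is evaluated before the 1:1 mapping, and the poster's notes showing that outbound NAT on router changed the result seen at relay) both come down to first-match source translation applied hop by hop. The script below is an added illustration, not code from the thread or from pfSense: it models each box as an ordered rule list and traces which public address a packet from 192.168.129.11 ends up with. All addresses are constructed placeholders (203.0.113.0/24 stands in for the x.x.x.0 WAN block, 10.8.0.0/24 for the VPN tunnel), and the rule orderings are assumptions chosen to show the effect, not a claim about how pf orders binat and nat rules internally.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatRule:
    """One source-translation entry; a hop's rules are evaluated top to bottom, first match wins."""
    source: str        # CIDR the packet's current source must fall inside
    translate_to: str  # address the source is rewritten to
    label: str         # free text for the trace output


@dataclass
class Hop:
    name: str
    rules: list = field(default_factory=list)


def apply_hop(hop: Hop, src: str):
    """Return (new_src, rule) for the first matching rule; no match leaves src untouched."""
    for rule in hop.rules:
        if ip_address(src) in ip_network(rule.source, strict=False):
            return rule.translate_to, rule
    return src, None


def trace(path, src: str):
    """Push a packet source through each hop in order; return the final source and a per-hop log."""
    log, cur = [], src
    for hop in path:
        cur, rule = apply_hop(hop, cur)
        log.append((hop.name, rule.label if rule else "no match", cur))
    return cur, log


# Constructed placeholders: none of these values come from the thread.
RELAY_WAN = "203.0.113.139"      # stands in for x.x.x.139
RELAY_VIP = "203.0.113.146"      # stands in for x.x.x.146
ROUTER_TUNNEL = "10.8.0.2"       # router's address on the VPN tunnel (assumed)
INSIDE_HOST = "192.168.129.11"

ONE_TO_ONE = NatRule(f"{INSIDE_HOST}/32", RELAY_VIP, "1:1 .146 <-> .11")
CATCH_ALL = NatRule("0.0.0.0/0", RELAY_WAN, "outbound NAT to WAN address")
TOP_RULE = NatRule(f"{INSIDE_HOST}/32", RELAY_VIP, "outbound NAT .11 -> .146 at top of list")


def router(nat_over_vpn: bool) -> Hop:
    """router hop: with outbound NAT on, LAN sources are rewritten to the tunnel address."""
    rules = [NatRule("192.168.129.0/24", ROUTER_TUNNEL, "router outbound NAT over VPN")]
    return Hop("router", rules if nat_over_vpn else [])


def relay(order: str) -> Hop:
    """relay hop in three assumed orderings: 1:1 first, catch-all first, or a specific rule on top."""
    orders = {
        "1:1 first": [ONE_TO_ONE, CATCH_ALL],
        "catch-all first": [CATCH_ALL, ONE_TO_ONE],
        "specific on top": [TOP_RULE, CATCH_ALL, ONE_TO_ONE],
    }
    return Hop("relay", orders[order])


def egress_source(router_nat: bool, relay_order: str) -> str:
    """Public source address the internet sees for traffic from INSIDE_HOST."""
    final, _ = trace([router(router_nat), relay(relay_order)], INSIDE_HOST)
    return final


if __name__ == "__main__":
    for router_nat in (True, False):
        for order in ("1:1 first", "catch-all first", "specific on top"):
            final, log = trace([router(router_nat), relay(order)], INSIDE_HOST)
            print(f"router NAT={router_nat!s:5} relay={order:16} -> {final}")
            for hop_name, label, src in log:
                print(f"    {hop_name}: {label} => {src}")
```

Two things fall out of the trace. While router is translating 192.168.129.0/24 to its tunnel address, relay never sees 192.168.129.11 at all, so no ordering on relay can make the 1:1 apply and everything exits as .139, which matches the poster's first set of notes. Once router stops translating that network, relay's rule order decides: a catch-all outbound rule above the 1:1 still yields .139, and either putting the 1:1 first or adding a specific rule for .11 at the top of the list yields .146, which is the answer given in the thread. When debugging this kind of chain, checking the source address as it arrives on each hop (for example with a packet capture on relay's VPN interface) tells you which hop to fix before touching rule order.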