Netgate Discussion Forum

    Trouble with hairpin nat using a client vpn for selected routing.

biggyk

I created a VPN client today for my paid VPN service to route specific traffic through it. I duplicated the LAN to WAN NAT rule and changed it to the VPN interface. I set my LAN to use the WAN gateway, then set up a rule for a single IP to use the VPN gateway, just as a small test. While the selective routing is working well, I noticed that hairpin NAT isn't working properly. I noticed all my hosted services on LAN are not accessible internally with my domain. I realized the services still work fine when I'm on mobile data, so that was a relief. I then realized the issue lies in having the gateway specifically set in the LAN allow-all rule. But can anyone share ideas as to what's happening?

I plan to use VLANs in the future and I tried with just one, but also had errors of either no internet or no hairpin NAT. I can provide any info you need, like screenshots, but I disabled everything for now because it was getting late.

viragomann @biggyk

        @biggyk
Possibly you cannot resolve the hostname with that setup.
If you use DNS for resolving (with DNS overrides) you have to add a firewall rule allowing DNS access to the interface address (This Firewall) without specifying a gateway.

biggyk @viragomann
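The mechanism behind that advice, as an added example that is not part of the thread: pfSense evaluates the rules on an interface top to bottom and the first match wins, and a matched rule that names a gateway policy-routes the packet out that gateway instead of consulting the routing table. The model below reproduces the poster's setup (a per-host rule to the VPN gateway above a LAN allow-all rule pinned to the WAN gateway) and shows that a DNS query to the firewall's own LAN address is policy-routed away until a DNS rule to This Firewall with no gateway is placed above those rules. The subnet, addresses and gateway names are constructed assumptions.

```python
import ipaddress

# Added example, not from the thread: a small model of pfSense's per-interface
# rule evaluation (top to bottom, first match wins). A matched rule that names a
# gateway policy-routes the packet out that gateway; a matched rule without a
# gateway lets the system routing table decide. Addresses and gateway names are
# assumptions constructed for the demonstration.

LAN_NET = ipaddress.ip_network("192.168.1.0/24")       # assumed LAN subnet
THIS_FIREWALL = ipaddress.ip_address("192.168.1.1")     # assumed LAN address of pfSense
TEST_HOST = ipaddress.ip_address("192.168.1.50")        # the single IP sent via the VPN


def rule(name, src, dst, gateway=None, proto=None, dport=None):
    """A pass rule. src/dst are 'any', an ip_network, or an ip_address."""
    return {"name": name, "src": src, "dst": dst, "gateway": gateway,
            "proto": proto, "dport": dport}


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    if isinstance(spec, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return addr in spec
    return addr == spec


def first_match(rules, pkt):
    """Return the first rule matching pkt, or None (pfSense default deny)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for r in rules:
        if r["proto"] is not None and r["proto"] != pkt["proto"]:
            continue
        if r["dport"] is not None and r["dport"] != pkt["dport"]:
            continue
        if _addr_matches(r["src"], src) and _addr_matches(r["dst"], dst):
            return r
    return None


def egress(rules, pkt):
    """'blocked', 'routing-table', or the gateway the packet is policy-routed to."""
    r = first_match(rules, pkt)
    if r is None:
        return "blocked"
    return r["gateway"] or "routing-table"


# The poster's setup: a per-host rule sending TEST_HOST via the VPN gateway,
# then the LAN allow-all rule pinned to the WAN gateway. Both name a gateway,
# so even a DNS query to the firewall itself is policy-routed away.
BROKEN_RULES = [
    rule("test host via VPN", TEST_HOST, "any", gateway="VPN_GW"),
    rule("LAN allow all", LAN_NET, "any", gateway="WAN_GW"),
]

# The suggested fix: a rule allowing DNS to the firewall's own address with no
# gateway, placed above the policy-routing rules so it matches first.
FIXED_RULES = [
    rule("DNS to This Firewall", LAN_NET, THIS_FIREWALL, proto="udp", dport=53),
    rule("test host via VPN", TEST_HOST, "any", gateway="VPN_GW"),
    rule("LAN allow all", LAN_NET, "any", gateway="WAN_GW"),
]

# Constructed sample packets.
DNS_FROM_TEST_HOST = {"src": "192.168.1.50", "dst": "192.168.1.1", "proto": "udp", "dport": 53}
WEB_FROM_TEST_HOST = {"src": "192.168.1.50", "dst": "203.0.113.10", "proto": "tcp", "dport": 443}
WEB_FROM_OTHER_HOST = {"src": "192.168.1.60", "dst": "203.0.113.10", "proto": "tcp", "dport": 443}

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(label, "DNS from test host ->", egress(rules, DNS_FROM_TEST_HOST))
        print(label, "HTTPS from test host ->", egress(rules, WEB_FROM_TEST_HOST))
        print(label, "HTTPS from other host ->", egress(rules, WEB_FROM_OTHER_HOST))
```

The order matters: the DNS rule only helps because it sits above the rules that name a gateway. The same reasoning applies to any other traffic that must reach the firewall or the local network directly rather than the VPN.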

@viragomann Okay thanks, I'll look into that and report back.

On another note, my ultimate plan is to segregate my network into a few VLANs. While troubleshooting this issue, I reverted the gateway on that LAN rule to default, created a VLAN and changed the outbound NAT for the VPN interface to the source of 10.0.30.0 (the VLAN). Well, I got my NAT reflection working properly, but I lost all internet across my entire network.

viragomann @biggyk

            @biggyk
Check out the routing table on pfSense. VPN providers usually push the default route to the clients, so possibly the whole traffic is directed out to the VPN.

            To avoid that check "Don't pull routes" in the client settings.

biggyk @viragomann
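A way to make that routing-table check repeatable, as an added example that is not part of the thread: the script parses `netstat -rn` output from the firewall and reports whether any route covering the whole IPv4 space leaves through the VPN client interface. It handles both a replaced `default` route and OpenVPN's `redirect-gateway def1` style, which pushes `0.0.0.0/1` and `128.0.0.0/1` so that they beat `default` on longest-prefix match without replacing it. The two routing tables, the interface names (`ovpnc1`, `em0`, `em1`) and the addresses are constructed assumptions.

```python
import ipaddress

# Added example, not from the thread: parse FreeBSD/pfSense `netstat -rn`
# output and report whether any route that covers the whole IPv4 space exits
# through the VPN client interface. OpenVPN's "redirect-gateway def1" pushes
# 0.0.0.0/1 and 128.0.0.0/1, which beat "default" on longest-prefix match
# without replacing it; other providers replace "default" outright, so both
# cases are checked. The tables below are constructed samples; the interface
# names and addresses are assumptions.

SAMPLE_PULLED = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
0.0.0.0/1          10.8.0.1           UGS      ovpnc1
default            203.0.113.1        UGS         em0
10.8.0.0/24        link#7             U        ovpnc1
128.0.0.0/1        10.8.0.1           UGS      ovpnc1
192.168.1.0/24     link#2             U           em1

Internet6:
Destination        Gateway            Flags     Netif Expire
::1                link#5             UH          lo0
"""

# The same box after "Don't pull routes" is checked in the OpenVPN client.
SAMPLE_NO_PULL = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
10.8.0.0/24        link#7             U        ovpnc1
192.168.1.0/24     link#2             U           em1
"""


def parse_ipv4_routes(text):
    """Return the IPv4 routes as dicts with dest, gateway, flags and netif."""
    routes, in_v4 = [], False
    for line in text.splitlines():
        if line.startswith("Internet:"):
            in_v4 = True
            continue
        if line.startswith("Internet6:"):
            in_v4 = False
            continue
        fields = line.split()
        if not in_v4 or len(fields) < 4 or fields[0] == "Destination":
            continue
        routes.append({"dest": fields[0], "gateway": fields[1],
                       "flags": fields[2], "netif": fields[3]})
    return routes


def default_covering_routes(routes):
    """Routes whose destination is 'default' or a prefix of length 0 or 1."""
    covering = []
    for r in routes:
        if r["dest"] == "default":
            covering.append(r)
            continue
        try:
            net = ipaddress.ip_network(r["dest"], strict=False)
        except ValueError:       # non-prefix destinations such as link names
            continue
        if net.prefixlen <= 1:
            covering.append(r)
    return covering


def vpn_pulled_default(text, vpn_ifaces=("ovpnc1",)):
    """True if any default-covering IPv4 route exits via a VPN client interface."""
    return any(r["netif"] in vpn_ifaces
               for r in default_covering_routes(parse_ipv4_routes(text)))


if __name__ == "__main__":
    for label, table in (("pulled", SAMPLE_PULLED), ("no pull", SAMPLE_NO_PULL)):
        hits = default_covering_routes(parse_ipv4_routes(table))
        print(label, [(r["dest"], r["netif"]) for r in hits],
              "VPN owns default:", vpn_pulled_default(table))
```

On a real firewall, feed the function the text of `netstat -rn` run in a shell on pfSense; a `True` result with the VPN interface named in the covering routes matches the symptom of all internet traffic disappearing into the tunnel, and the "Don't pull routes" setting above is the fix the thread points at.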

@viragomann Okay, I think I'm getting somewhere with this using a VLAN. I've set it up. Haven't assigned anything to that VLAN yet, but I still have internet, so that's a good sign. I might try again with a single LAN just to see.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.