Trouble with hairpin nat using a client vpn for selected routing.
-
I created a vpn a client today for my paid vpn service to route specific traffic through it. I duplicated the LAN to WAN nat rule and changed it to the VPN interface. I set my LAN to use the WAN gateway then set up a rule for a single IP to use the VPN gateway, just as a small test. While the selective routing is working well, I noticed that hairpin NAT isn't working properly. I noticed all my hosted services on LAN are not accessible internally with my domain. I realized the services still works fine when I'm on mobile data so that was a relief. I then realize the issue lies when having the gateway specifically set in the Lan allow all rule. But can anyone share ideas as to what's happening?
I plan to use vlans in the future and I tried with just one but also had errors of either no internet or no hairpin nat. I can provide any info you need like screenshots but I disabled everything for now because it was getting late.
-
@biggyk
Possibly you cannot resolve the hostname with that setup.
If you use DNS for resolving (with DNS overriedes) you have to add a firewall rule allowing DNS access to the interface address (This Firewall) without specifying a gateway. -
@viragomann Okay thanks, Il look into that and report back.
On another note, my ultimate plan is to segregate my network into a few vlans. While troubleshooting this issue, I reverted the gateway on that LAN rule to default. Created a vlan and changed the outbound nat for the VPN interface to the source of 10.0.30.0 (the vlan). Well, I got my nat reflection working properly, but I lost all internet across my entire network.
-
@biggyk
Check out the routing table on pfSense. VPN providers usually push the default route to the clients. So possibly the whole traffic is directed out to the vpn.To avoid that check "Don't pull routes" in the client settings.
-
@viragomann Okay I think im getting somewhere with this using a vlan. Iv set it up. Havent assigned anything to that vlan yet but I still have internet so that's a good sign. I might try again with a single LAN just to see.