Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    CREATE RULE NAT OVER OPEN VPN SITE TO SITE TUNNEL

    OpenVPN
    4
    14
    1.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      charneval
      last edited by

      Hi.
      The public ip address of the site A is : 92.245.173.212 and I create a nat rule from any to the port 8080 of the nas 172.16.9.240 connected in the site B. This nat doesen’t work.
      I think the problem in the outgoing nat configuration.
      I connected the site B by an openvpn site to site and the pfsense in the site A can’t correct forward the packet.
      How can I configure the outbound nat by the openvpn tunnel.

      Thanks

      Andrea

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @charneval
        last edited by

        @charneval said in CREATE RULE NAT OVER OPEN VPN SITE TO SITE TUNNEL:

        The public ip address of the site A is : 92.245.173.212 and I create a nat rule from any to the port 8080 of the nas 172.16.9.240 connected in the site B.

        So at site A you have a port forwarding rule for destination WAN address 8080 to 172.16.9.240 8080, correct?

        If you don't need any information about the origin source address, you can simply masquerade the packets at site A.

        Are both VPN endpoints pfSense and are both the default gateway in their respective local network?

        C 1 Reply Last reply Reply Quote 0
        • C
          charneval @viragomann
          last edited by

          @viragomann said in CREATE RULE NAT OVER OPEN VPN SITE TO SITE TUNNEL:

          If you don't need any information about the origin source address, you can simply masquerade the packets at site A

          Hi.
          For masquerade the packets at site " A " I must do an Hybrid Outbound NAT rule generation right ?
          Do I have to mask all the packets of the wan arriving on the 8080 port towards the network configured in the openvpn?
          Or there is another method ?

          Thanks

          V 1 Reply Last reply Reply Quote 0
          • V
            viragomann @charneval
            last edited by viragomann

            @charneval
            Yes, switch the Outbound NAT at A into hybrid mode.
            Then add a rule with at least these parameters:

            interface: the OpenVPN interface you have asigned to the VPN connection, if any, otherwise can also add it to OpenVPN (interface group)
            source: any
            destination: 172.16.9.240
            translation: interface address

            Or there is another method ?

            Other than masquerading? Yes, masquerading is a workaround, which is easy to configure. You can also forward it without NAT, but you would have to obey some precepts.

            C 1 Reply Last reply Reply Quote 0
            • C
              charneval @viragomann
              last edited by

              @viragomann
              Hi.
              Can you check if this configuration is correct ?
              I can't find the target

              http://euroservizi.hopto.org:8080

              tt1.jpg tt2.jpg tt3.jpg tt4.jpg

              I disable the nat rule in the wan but if enable it the problem is the same.

              When I connect by the oepnvpn client at the server " A " I have't any problem and I can reach the 172.16.9.240:8080

              Thanks

              Andrea

              V 1 Reply Last reply Reply Quote 0
              • V
                viragomann @charneval
                last edited by

                @charneval
                The source port in the Outbound NAT rule has to be any (according to the port forwarding rule). The source port is dynamic, not static.

                J 1 Reply Last reply Reply Quote 0
                • J
                  Jarhead @viragomann
                  last edited by

                  If you have a VPN between the sites, there's no need to port forward anything. Just set the appropriate rules.
                  Or maybe I'm missing something?

                  V 1 Reply Last reply Reply Quote 0
                  • V
                    viragomann @Jarhead
                    last edited by

                    @jarhead
                    Seems so.
                    We are talking here about forwarding requests from public internet sources to a device at the other site.

                    1 Reply Last reply Reply Quote 0
                    • C
                      charneval
                      last edited by

                      Hello.
                      i can't figure out where the error is and i would like to trace packets to see where they are blocked.
                      I try to enter on port 8080 (https://89.189.48.194:8080) which should send me back to the web server of the nas (172.16.9.240) behind the firewall 172.16.9.254 of the remote office (this is the site to site vpn client) .
                      Is nat's rule correct in your opinion?

                      in the remote firewall (client of the vpn) I don't have to do anything right?
                      He knows where to reroute the packet that should come to him from the VPN interface.

                      Thanks.nat1.jpg

                      V 1 Reply Last reply Reply Quote 0
                      • V
                        viragomann @charneval
                        last edited by

                        @charneval
                        Also the port translation box must be empty. However, basically it should work anyway.

                        Did you enable the port forwarding to 172.16.9.240:8080?

                        On the remote site you need you need to allow the incoming packets, either on the interface you've assigned to the VPN if any or on the OpenVPN tab.

                        which should send me back to the web server of the nas (172.16.9.240)

                        Is it a web server running as VM on the NAS or the web interface of the NAS itself?
                        A NAS typically blocks access from outside of it own subnet by default.

                        He knows where to reroute the packet that should come to him from the VPN interface.

                        The outbound NAT rule translates the source address of packets destined to the remote web server into the virtual IP of the OpenVPN server (or client, doesn't matter. btw. you didn't show the interface assignment. Is it the correct network port if you have multiple VPNs). So this is the IP the web server will see. That responses come back to the remote pfSense requires the it's the default gateway of course. Since the remote pfSense has a VPN with the servers IP it should route responses back properly.

                        1 Reply Last reply Reply Quote 0
                        • C
                          charneval
                          last edited by

                          Thanks to this fantastic forum I was able to solve my problem.
                          Thanks a lot to everyone and especially to @ viragomann

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.