NAT problem when an OpenVPN connection from inside the LAN is made.



  • Hi!

    First of all, great product. I installed pfSense on an ALIX board to serve as a VDSL (50 Mbit/10 Mbit) router and so far it works great. There's only one thing I can't get my head around. I already asked this on #pfsense (thanks again, Valen); maybe somebody here knows a way.

    Setup:
    pfSense 1.2.2 embedded (192.168.0.1) connects via PPPoE on vr1.
    Ubuntu server (192.168.0.2) is connected to pfSense via vr0.
    Ubuntu client (192.168.0.10) is connected to pfSense via ath0.
    Windows client (192.168.0.20) runs in a virtual machine on the Ubuntu server.
    The Ubuntu server has an SSH and an Apache server that serve the world via NAT. Everything is working fine this way.

    Now, in addition to that, I want to establish a VPN connection from the Ubuntu server (192.168.0.2) to a server on the internet. This is also working fine via OpenVPN installed and running on the Ubuntu server. What is not working is the NAT: neither the SSH server nor Apache respond anymore. Both Apache and the SSH server still work when the connection is made from the Ubuntu client within the LAN, though.

    Curious whether this is a Linux routing problem, I started Windows XP in a virtual machine and tested the same scenario. Result: telnet was not getting through to the XP client after I established the VPN connection; before, it was. Tested and confirmed.

    So, any ideas why pfSense is obviously not routing the packets coming from the NAT to the client when a VPN connection is made, but does so for a connection from the LAN?

    Bottom Line: outgoing traffic from the ubuntu server should take the vpn connection, incoming connection from LAN or WAN should take the "normal route".

    Thanks for any advice on this topic.



  • Are you using the redirect-gateway def1 option on this OpenVPN tunnel?



  • Here is the OpenVPN config file I'm using. So unless it is in some other file, I'd say no.  ;)

    client
    dev tun
    remote xxx.xxx.xxx 1149
    proto udp
    tun-mtu 1500
    fragment 1300
    mssfix
    float
    reneg-sec 86400
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    # route-method is a Windows-only option; OpenVPN on Linux ignores it
    route-method exe
    route-delay 2
    ca xxx.crt
    cert xxx.crt
    key xxx.key
    # control-channel HMAC; "1" is the client-side key direction
    tls-auth xxx.key 1
    cipher AES-256-CBC
    comp-lzo
    verb 4
    # only accept a server whose certificate carries nsCertType=server
    ns-cert-type server
    auth-user-pass
    inactive 604800
    ping 5
    ping-restart 60
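The symptom described in the thread (LAN clients still reach 192.168.0.2, WAN port-forwards from pfSense do not) is what asymmetric routing looks like: the server still receives the forwarded packets, but once the tunnel owns the default route its replies to the WAN peer's public address go out through tun0 instead of back to pfSense, while replies to 192.168.0.10 still use the connected 192.168.0.0/24 route. The client config above does not set redirect-gateway itself, so whether the server pushes it is an assumption here. The script below is an added example, not from the original thread or from pfSense or OpenVPN; it uses Linux source-based policy routing so that anything sourced from the server's LAN address (SSH, Apache, NAT port-forwards) is routed via pfSense while traffic the server originates keeps using the VPN. The interface name eth0, the addresses and the table number 100 are assumptions; adjust them with the PBR_* variables.

```shell
#!/bin/sh
# Added example (not from the original post): policy routing on the Ubuntu
# server so replies from its LAN address leave via pfSense even while OpenVPN
# owns the default route in the main table.
# Assumptions (hypothetical): LAN NIC eth0, server 192.168.0.2, pfSense 192.168.0.1,
# routing table 100 unused.
PBR_LAN_IF="${PBR_LAN_IF:-eth0}"
PBR_LAN_IP="${PBR_LAN_IP:-192.168.0.2}"
PBR_LAN_NET="${PBR_LAN_NET:-192.168.0.0/24}"
PBR_LAN_GW="${PBR_LAN_GW:-192.168.0.1}"
PBR_TABLE="${PBR_TABLE:-100}"

# Emit the plan rather than executing it, so it can be reviewed (and checked) first.
# OpenVPN's redirect-gateway only rewrites the main table (0.0.0.0/1 and
# 128.0.0.0/1 via the tun device); a separate table selected by an ip rule
# is untouched by that, so the rule keeps working across tunnel restarts.
# Locally originated connections have no source address at lookup time, miss
# the rule and fall through to the main table, i.e. they still take the VPN.
policy_route_cmds() {
cat <<EOF
ip route replace $PBR_LAN_NET dev $PBR_LAN_IF src $PBR_LAN_IP table $PBR_TABLE
ip route replace default via $PBR_LAN_GW dev $PBR_LAN_IF table $PBR_TABLE
ip rule add from $PBR_LAN_IP/32 lookup $PBR_TABLE priority 100
EOF
}

# Commands to undo the above.
policy_route_undo_cmds() {
cat <<EOF
ip rule del from $PBR_LAN_IP/32 lookup $PBR_TABLE priority 100
ip route flush table $PBR_TABLE
EOF
}

# Execute the plan; ip(8) needs CAP_NET_ADMIN, so refuse when not root.
apply_policy_routes() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_policy_routes: must run as root" >&2
        return 1
    fi
    policy_route_cmds | sh -e
}

# Ask the kernel which route a packet with a given (local) source would take.
# After applying: route_for_src 192.168.0.2 203.0.113.5 should show eth0 via
# pfSense, while "ip route get 203.0.113.5" (no source) still shows the tunnel.
# The same lookup is what rp_filter performs for WAN-sourced packets arriving
# on eth0, so strict reverse-path filtering also passes once the rule exists.
route_for_src() {
    ip route get "$2" from "$1" 2>/dev/null
}

if [ "${1:-}" = "apply" ]; then
    apply_policy_routes
else
    policy_route_cmds   # default: only print the plan
fi
```

Run it without arguments to see the three ip(8) commands, then `sudo sh pbr.sh apply` (hypothetical file name) to install them; put the same commands in /etc/network/interfaces or an OpenVPN `up` script if they should persist. If instead the server should not route its own traffic through the tunnel at all, the client-side `route-nopull` option is the simpler fix, but that contradicts the "outgoing traffic should take the VPN" requirement in the first post.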
