NAT problem when openvpn connection from inside the LAN is made.

NAT
Log in to reply
  • D

    Hi!

    First of all, great product. I installed pfsense on an ALIX board to serve as a VDSL (50mbit/10mbit) router and so far it works great. There's only one thing I can't get my head around. I already asked this on #pfsense ( Thanks again Valen), maybe somebody here knows a way.

    Setup:
    pfsense 1.2.2  embedded (192.168.0.1) connects via PPOE on vr1.
    ubuntu server (192.168.0.2) is connected to pfsense via vr0.
    ubuntu client (192.168.0.10) is connected to pfsense via ath0
    Windows Client (192.168.0.20) is connected via Virtual Machine on the ubuntu server.
    The ubuntu server has a ssh and apache server that serve the world via NAT. Everything is working fine this way.

    Now, in addition to that I want to establish a VPN Connection from the ubuntu server (192.168.0.2) to a server on the internet. This is also working fine via openvpn installed and running on the ubuntu server. What is not working, is the NAT. Neither the ssh server nor the apache are responding anymore. Both the apache and the ssh server are still working when the connection is established from the ubuntu client within the LAN though.

    Curious whether this a linux routing problem I started Windows XP in Virtual Machine and tested the same scenario. Result: telnet was not going through to the XP client after I established the VPN Connection, before it was. Tested and confirmed.

    So, any ideas why pfsense is obviously not routing the packages coming from the NAT to the client, when a vpn connection is made, but does so for a connection from the LAN?

    Bottom Line: outgoing traffic from the ubuntu server should take the vpn connection, incoming connection from LAN or WAN should take the "normal route".

    Thanks for any advice on this topic.

    0
  • GruensFroeschli

    Are you using the redirect dev1 option on this OpenVPN tunnel?

    0
  • D

    Here is the openvpn config File I'm using. So unless it is in some other file, I'd say no.  ;)

    client
dev tun
remote xxx.xxx.xxx 1149
proto udp
tun-mtu 1500
fragment 1300
mssfix
float
reneg-sec 86400
resolv-retry infinite
nobind
persist-key
persist-tun
route-method exe
route-delay 2
ca xxx.crt
cert xxx.crt
key xxx.key
tls-auth xxx.key 1
cipher AES-256-CBC
comp-lzo
verb 4
ns-cert-type server
auth-user-pass
inactive 604800
ping 5
ping-restart 60
    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy