OpenVPN server *behind* pfSense firewall - cannot reach Internet
-
I found the firewall script I had running on the old system where this setup was working (and had been for some time). It definitely has some custom masquerade rules, so I've just got to figure out the right way to convert them into pfSense.
Will advise.
-
@soonerdave
The masquerading should be done on the VPN box.
This means it translates the source IP in packets, which are going into your network, into its local IP.
-
@viragomann Right or wrong, that's not how it was done before. It was done in my firewall.
-
@soonerdave
I've no idea how you can solve this only on the router. I mentioned the options I know above.
But if you have it, come back and let us know, please.
-
@viragomann Oh, believe me, I feel totally stupid for not having done a more comprehensive job of documenting the previous, working firewall setup. I documented only the ports I forwarded, but not the masquerade rules. Totally dummy on me.
-
@viragomann SOLVED!! And props to you for nailing the problem.
My cohort who actually uses the box messaged me this morning and told me he had to fix the NAT on his box with the new IP it had been assigned. I have never set up an OpenVPN device for my own purposes, so I wasn't aware there was local NATting going on. I just made sure the firewall was opened up as needed, which is why I assumed I'd done something wrong on my side when I moved the setup to pfSense. Had I preserved his IP none of this would have happened. I've learned something new, and that's a good thing.
Problem completely solved and THANKS to everyone here who took the time to reply and help!!
-
@soonerdave said in OpenVPN server *behind* pfSense firewall - cannot reach Internet:
told me he had to fix the NAT on his box with the new IP it had been assigned.
You wrote above that nothing was changed in your network except the new firewall. If the box has a NAT masquerading rule, it will have an IP stated for this, since it might not have a variable for the interface IP like pfSense does.
You should have mentioned that you have created a new subnet.
-
@viragomann I didn't create a new subnet. His box was assigned a new IP from the same subnet that was recreated in my new server setup. If I had maintained the same IP on the new server, I have a sneaking suspicion we'd have had no problem at all.
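A check for the failure the two posts above describe (a NAT rule on the VPN box carrying a literal LAN address that stopped being the box's address), added here as an example and not taken from the thread. The iptables-save excerpt, subnets, addresses and interface name are constructed for the example.

```shell
#!/bin/sh
# Constructed iptables-save excerpt standing in for the OpenVPN box's NAT table;
# the subnets, addresses and interface name are made up for this example.
SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.50
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
COMMIT'

# find_stale_snat RULES CURRENT_LAN_IP
# Prints every literal --to-source address in a SNAT rule that differs from the
# address the box now has. Returns 1 when at least one stale address is found.
# Packets rewritten to a stale address leave with a source that no longer
# belongs to the box, so replies from the Internet never come back to it.
find_stale_snat() {
    rules="$1"
    current_ip="$2"
    stale=$(printf '%s\n' "$rules" | awk -v ip="$current_ip" '
        /-j SNAT/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "--to-source") {
                    addr = $(i + 1)
                    sub(/:.*/, "", addr)   # drop an optional :port-range suffix
                    if (addr != ip) print addr
                }
            }
        }')
    [ -z "$stale" ] && return 0
    printf '%s\n' "$stale"
    return 1
}

# masquerade_rule VPN_SUBNET LAN_INTERFACE
# The rule form that survives a readdressing: MASQUERADE takes the outgoing
# interface's address at packet time instead of a value typed into the script.
masquerade_rule() {
    printf '%s -s %s -o %s -j MASQUERADE\n' '-A POSTROUTING' "$1" "$2"
}

# Audit the sample as if the box had just been moved to 192.168.1.60.
find_stale_snat "$SAMPLE_RULES" 192.168.1.60 \
    || echo "stale SNAT address above; replace with: $(masquerade_rule 10.8.0.0/24 eth0)"
```

On a real box the first argument would be the output of `iptables-save -t nat` and the second the address currently on the LAN interface.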
-
@soonerdave said in OpenVPN server *behind* pfSense firewall - cannot reach Internet:
His box was assigned a new IP from the same subnet that was recreated in my new server setup
From DHCP?
If so, you should set a static mapping for his MAC.
-
@viragomann That was one of the first things I did when I rebuilt the network (static assignment). It wasn't DHCP, I just assigned it from a new block of addresses I'd reserved for a few devices. It just didn't remotely occur to me there would be dependencies on that IP within that client box. That just goes back to my lack of familiarity with the internals of the OpenVPN server box he is using. Hey, at least I learned something.....