NAT Reflection not working on Bridged network segment
-
My Setup
- OpenVPN TAP server (called BRIDGEDVPN) which is bridged to my LAN via a bridge (bridge0) which does not have an IP or an interface
- I have added the 'allow DHCP' rule and 'Allow traffic on the bridged interface' rule on the BRIDGEDVPN interface.
- I am connecting in remotely with a laptop over OpenVPN
I used the official documentation:
- https://docs.netgate.com/pfsense/en/latest/bridges/index.htm
- https://docs.netgate.com/pfsense/en/latest/bridges/internal-networks.html
What works
- My openvpn clients get an IP from DHCP etc...
- My devices on the OpenVPN client can talk to devices on my LAN
- I can get the internet
- I can talk to my router either by IP or by its FQDN
- On my LAN, the devices can access my webserver via its FQDN because I have NAT Reflection on.
- DNS on both segments seems correctly hijacked by my firewall DNS floating rules which are attached to the OpenVPN interface.
- my webserver is fully available from the internet
NAT Reflection is not working
Devices on my OpenVPN client cannot:
- Access my webserver via its FQDN on my LAN network segment
- Tracert gets no response from the pings and therefore no route
What have I tried
Lots of stuff but probably not well :(
I have seen mentioned:
- NAT might not work on these bridged segments but I am not sure if it refers to my bridge type
- The official documentation mentions that using a static route might help:
  "For hosts behind the NAT/routed segment, NAT must occur as traffic exits toward the bridged systems so that the return traffic will come back to the firewall.
  For hosts on the bridged segment to reach hosts behind the NAT segment directly, a static route could be used on the bridged hosts or upstream gateway to send the “private” subnet traffic to the IP address of the firewall in the bridged network."
- I tried adding an outbound NAT rule, not sure I did it right.
Help required
I have got this bridged network all working except for the ability to see my webserver via FQDN, which is a must.
Does anyone know where I am going wrong?
I can post more information if required
Thanks
Shoulders
-
The answer is yes and no.
- No: If you only have 1 public IP address because your OpenVPN will be on the same Public IP as your assets such as a webserver.
- Yes: If you have 2 Public IPs and the assets you are trying to access are not on the same public IP as your OpenVPN server.