Netgate Discussion Forum

pfSense running only as OpenVPN server NATing traffic out LAN interface

    travis.fleming
    last edited by Apr 13, 2023, 3:00 PM

    We have recently set up an HA pair of pfSense firewalls running the 2.6.0 community release. We are just leveraging the LAN interface, and these firewalls sit behind a Palo Alto firewall. Very standard OpenVPN server setup, and it's working. However, when I join the VPN, and then access a device on our network via the LAN interface, through the Palo Alto on the other end of that, it NATs me out the LAN IP address of the OpenVPN pfSense, and is not passing along my client-given IP address.

    In other words, the LAN IP address of the OpenVPN pfSense is 10.10.10.1, and my OpenVPN client is getting an IP address of 10.11.2.6. When I access a server within that network or another, it's showing I'm connected from the 10.10.10.1 IP and not the 10.11.2.6 IP. We need it to say 10.11.2.6. We have another OpenVPN pfSense and it works. Comparing the config pages side-by-side, they are similar. What am I missing? I know by default it should NOT NAT out.

      travis.fleming
      last edited by Apr 13, 2023, 4:40 PM

      Self-resolved: went to Firewall > NAT and changed it from automatic NAT to manual outbound NAT, with no rules enabled.

        johnpoz LAYER 8 Global Moderator @travis.fleming
        last edited by Apr 13, 2023, 4:54 PM

        @travis-fleming pfSense would only NAT out its "wan" interfaces - if you put a gateway on an interface, pfSense would consider it a "wan"

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          travis.fleming @johnpoz
          last edited by Apr 14, 2023, 2:25 PM

          @johnpoz Maybe it would be better to have our WAN interface connected to the network and not the LAN? We are just using the LAN, and I see it was NATing my OpenVPN traffic out the LAN IP, not the OpenVPN subnet.

            viragomann @travis.fleming
            last edited by Apr 14, 2023, 3:45 PM

            @travis-fleming
            No, pfSense also NATs outbound traffic on WAN if there is a gateway stated in the interface settings.

            So go to Interface > LAN and check if there is a gateway stated in the IP configuration.
            If so, and there is no reason to have it, remove it and pfSense will not NAT outgoing traffic.

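The condition discussed in this thread, as an added example that is not from any poster here and is not Netgate code: a Python check over a pfSense `config.xml` backup that reports the outbound NAT mode, the interfaces that carry a gateway (and are therefore treated as "wan"), and the OpenVPN tunnel networks that would be source-NATed as a result. The element names are assumed to follow the usual `config.xml` layout, a missing mode is assumed to mean automatic, and the sample config and the gateway name `PALOALTO_GW` are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread: LAN 10.10.10.1 with a gateway set,
# OpenVPN tunnel network containing 10.11.2.6, outbound NAT left on automatic.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <lan><if>em0</if><ipaddr>10.10.10.1</ipaddr><subnet>24</subnet>
         <gateway>PALOALTO_GW</gateway></lan>
  </interfaces>
  <nat><outbound><mode>automatic</mode></outbound></nat>
  <openvpn><openvpn-server>
    <tunnel_network>10.11.2.0/24</tunnel_network>
  </openvpn-server></openvpn>
</pfsense>"""

# Modes in which pfSense generates outbound NAT rules on its own.
# Manual outbound NAT is stored as "advanced".
AUTO_MODES = {"automatic", "hybrid"}


def audit_outbound_nat(config_xml):
    """Report why VPN client addresses may be hidden behind an interface IP."""
    root = ET.fromstring(config_xml)
    # Assumption: an absent <mode> element means automatic outbound NAT.
    mode = (root.findtext("nat/outbound/mode") or "automatic").strip()
    # An interface with a gateway in its IP configuration is treated as a "wan".
    wan_like = [
        (iface.tag, iface.findtext("ipaddr"))
        for iface in root.findall("interfaces/*")
        if (iface.findtext("gateway") or "").strip()
    ]
    tunnels = [
        t.text.strip()
        for t in root.findall("openvpn/openvpn-server/tunnel_network")
        if t.text and t.text.strip()
    ]
    findings = []
    if mode in AUTO_MODES:
        for name, ip in wan_like:
            for net in tunnels:
                findings.append(f"{net} is source-NATed to {ip} when leaving {name}")
    return {"mode": mode, "wan_like": wan_like, "findings": findings}


if __name__ == "__main__":
    report = audit_outbound_nat(SAMPLE_CONFIG)
    print("outbound NAT mode:", report["mode"])
    for line in report["findings"]:
        print("finding:", line)
```

An empty findings list corresponds to either fix given in the thread: manual outbound NAT with no rules, or no gateway in the LAN interface settings.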
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.