pfSense running only as OpenVPN server NATing traffic out LAN interface
-
We have recently set up an HA pair of pfSense firewalls running the 2.6.0 community release. We are just leveraging the LAN interface, and these firewalls sit behind a Palo Alto firewall. Very standard OpenVPN server setup, and it's working. However, when I join the VPN and then access a device on our network via the LAN interface, through the Palo Alto on the other end of that, it NATs me out the LAN IP address of the OpenVPN pfSense and is not passing along my client-given IP address.
In other words, the LAN IP address of the OpenVPN pfSense is 10.10.10.1, and my OpenVPN client is getting an IP address of 10.11.2.6. When I access a server within that network or another, it's showing I'm connected from the 10.10.10.1 IP and not the 10.11.2.6 IP. We need it to say 10.11.2.6. We have another OpenVPN pfSense and it works. Comparing the config pages side by side, they are similar. What am I missing? I know by default it should NOT NAT out.
-
Self-resolved: went to Firewall > NAT and changed it from automatic NAT to manual outbound NAT, with no rules enabled.
-
@travis-fleming pfSense would only NAT out its "wan" interfaces; if you put a gateway on an interface, pfSense would consider it a "wan".
-
@johnpoz Maybe it would be better to have our WAN interface connected to the network and not the LAN? We are just using the LAN, and I see it was NATing my OpenVPN traffic out the LAN IP, not the OpenVPN subnet.
-
@travis-fleming
No, pfSense also NATs outbound traffic on WAN if there is a gateway stated in the interface settings. So go to Interface > LAN and check if there is a gateway stated in the IP configuration.
If so, and there is no reason to have it, remove it and pfSense will not NAT outgoing traffic.
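As an added example (not from this thread or the pfSense project), the script below audits a pfSense config.xml for the condition discussed above: an interface that declares a gateway while outbound NAT is automatic, which is what caused VPN clients to appear as the LAN address. The sample config is constructed, and the element layout (interfaces/<name>/gateway, nat/outbound/mode with the value "advanced" for Manual Outbound NAT) is assumed from pfSense's config.xml format.

```python
import xml.etree.ElementTree as ET

# Constructed sample config (not the poster's real config.xml). The element
# layout assumed here follows pfSense's config.xml: interfaces/<name>/gateway
# names the gateway entry, nat/outbound/mode holds the outbound NAT mode.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><enable/><if>em0</if><ipaddr>dhcp</ipaddr></wan>
    <lan><enable/><if>em1</if><ipaddr>10.10.10.1</ipaddr><subnet>24</subnet>
      <gateway>LANGW</gateway></lan>
  </interfaces>
  <nat><outbound><mode>automatic</mode></outbound></nat>
</pfsense>
"""

def interfaces_with_gateway(root):
    """Interfaces that declare a gateway; pfSense treats these as WAN-type
    and includes them in automatic outbound NAT."""
    return sorted(iface.tag for iface in root.find("interfaces")
                  if (iface.findtext("gateway") or "").strip())

def outbound_nat_mode(root):
    """Outbound NAT mode: automatic, hybrid, advanced (= Manual) or disabled.
    A missing element is treated as automatic here (assumption)."""
    return (root.findtext("nat/outbound/mode") or "automatic").strip()

def audit(xml_text):
    """Report which interfaces will source-NAT forwarded traffic (e.g. VPN
    clients) to the interface address under the current settings."""
    root = ET.fromstring(xml_text)
    mode = outbound_nat_mode(root)
    gw_ifaces = interfaces_with_gateway(root)
    rules = len(root.findall("nat/outbound/rule"))
    findings = []
    if mode in ("automatic", "hybrid"):
        for name in gw_ifaces:
            findings.append(
                f"{name}: has a gateway and outbound NAT is {mode}, so traffic "
                f"leaving {name} is NATed to the {name} address; remove the "
                f"gateway or switch to manual outbound NAT with no rules")
    if mode == "advanced" and rules == 0:
        findings.append("manual outbound NAT with no rules: nothing is NATed")
    return {"mode": mode, "gateway_interfaces": gw_ifaces,
            "rule_count": rules, "findings": findings}

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG)["findings"]:
        print(line)
```

Run it against a backup exported from Diagnostics > Backup & Restore to confirm both HA members report no findings after the change.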