How to NAT a WAN port to a SiteToSite LAN Address
-
Hi,
I am stuck with a new OpenVPN setup. I previously had a site to site shared key from office to home office.
Since upgrading to 2.7 and OpenVPN to Site to Site TLS/SSL, I can no longer reach my NAT destination.
Server site is the one having a fixed IP and I want to reach a target at 192.168.68.3:8083.
Client site (home office) is on Starlink hence no direct access from WAN.
I have Server site LAN (192.168.16.0/24) computers reaching any IP on Home Office (192.168.68.0/24).
The NAT for port 8083 on Server WAN to 192.168.16.3:8083 is not working.
I can see the packets on Server WAN but do not find them anywhere after.
Any suggestions?
-
@labu73 said in How to NAT a WAN port to a SiteToSite LAN Address:
Server site is the one having a fixed IP and I want to reach a target at 192.168.68.3:8083.
The NAT for port 8083 on Server WAN to 192.168.16.3:8083 is not working.
I assume there is a typo in one of the IPs.
I can see the packets on Server WAN but do not find them anywhere after.
So you're forwarding the packets from the server to the client, but you cannot see them on the OpenVPN interface?
-
@labu73
On your home pfSense you need to assign an interface to the OpenVPN client instance if you didn't do this already. Then you have to move over the pass rules from the OpenVPN tab to this interface.
There must be no pass rule on OpenVPN and no floating pass rule matching the forwarded traffic!
-
@viragomann
Do you mean that if the rule is missing on the client, the server will not even try to send on the tunnel?
I do not see the ping on the server tunnel.
Sorry, not an expert.
-
@labu73 said in How to NAT a WAN port to a SiteToSite LAN Address:
I do not see the ping on the server tunnel.
I requested this before, but you didn't respond. So I'm somehow stepping in the dark.
-
Interface assigned and rule "any" is set as shown since the beginning.
No traffic on the interface.
But traffic on OpenVPN.
As said, 100% OK from LAN server to LAN client.
Hope the light is turning on as I am myself in the dark. Thanks for helping
-
@labu73
Please obey what I wrote above in bold letters.
-
@viragomann You're the boss, it works.
Thanks
For my understanding: I do not understand the difference between the 2 rules (pass on OpenVPN and pass on the interface) and how this can affect the server NAT.
It may be too complicated to explain.
-
@labu73
pfSense uses the reply-to tag to route response traffic to public sources back to a non-default gateway. Otherwise it would be routed out on WAN.
The reply-to tag is added by the filter rule which allows the incoming request packets. So this rule has to be defined on a unique interface.
However, OpenVPN is an interface group including all OpenVPN instances which are running on pfSense, AND rules on interface groups as well as floating rules have precedence over rules on member interfaces. That's why this rule got hits, while the rule on the interface didn't.
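To illustrate the rule-precedence and reply-to point above in pf syntax, here is a constructed ruleset fragment (added for this thread, not taken from anyone's actual pfSense configuration). It assumes the server WAN is em0, the home pfSense has the OpenVPN client assigned as ovpnc1 with the server's tunnel address 10.8.0.1, and the forward target is 192.168.68.3:8083 on the home LAN.

```pf
# Constructed example; interface names, tunnel address and target host are assumed.

# --- Server pfSense: port forward on WAN toward the home LAN host ---
# The rdr rewrites the destination; the filter rule matches the translated
# destination and the state is routed across the site-to-site tunnel.
rdr on em0 inet proto tcp from any to (em0) port 8083 -> 192.168.68.3 port 8083
pass in quick on em0 inet proto tcp from any to 192.168.68.3 port 8083 keep state

# --- Home pfSense, WRONG: pass rule on the "openvpn" interface group ---
# Group rules are evaluated before per-interface rules and carry no reply-to,
# so the state is created here and the reply to a public source follows the
# default route out the Starlink WAN instead of going back through the tunnel.
pass in quick on openvpn inet from any to any keep state

# --- Home pfSense, RIGHT: pass rule on the assigned tunnel interface only ---
# reply-to pins return traffic for this state to the tunnel peer, so the
# response reaches the server and leaves via the server's WAN to the requester.
# The group rule above must be removed, or it will still match first.
pass in quick on ovpnc1 reply-to (ovpnc1 10.8.0.1) inet proto tcp from any to 192.168.68.3 port 8083 keep state
```

On a live box, `pfctl -sr | grep -E 'openvpn|ovpnc1'` shows the generated order and whether a reply-to tag is present on the rule that actually gets hits.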