Can't DNAT to ovpn client
-
Hi,
I'm running pfSense on a Proxmox VM.
I have successfully set up an ovpn layer 3 tunnel with a MikroTik router as client.
pfSense can ping all LAN MikroTik clients.
I'm trying to DNAT a WAN port to a client on the MikroTik network.
However, the connection doesn't go through.
In States I can see the request being forwarded, but it is stuck at state CLOSED:SYN_SENT.
I'm no network expert, but it seems that the client isn't responding back.
Maybe I'm missing something?
Can anyone please point me in the right direction? I have messed up my head the last couple of days with this and I'm out of ideas.
Thank you in advance,
Menelaos -
@arty said in Can't DNAT to ovpn client:
I'm no network expert, but it seems that the client isn't responding back.
Quick IP basics: each packet carries the source and the destination IP in its header. These are used for the routing.
The destination IP is rewritten by the port forwarding rule to a remote site's LAN IP. However, the source is still an IP in the internet.
So if the client responds, it sends the packet back to what it sees in the source header. This packet might follow the routing table and will hence be routed out to the WAN gateway on the Mikrotik. >> Asymmetric routing. The response packet should go back to OPNsense actually.
Asymmetric routing leads stateful firewalls to drop the packets. OPNsense has a function to route the response back on the original incoming interface (reply-to). I don't know if this can be enabled on Mikrotik as well.
If there is no possibility, you can only masquerade the forwarded traffic to the VPN IP with an outbound NAT rule (S-NAT) on OPNsense to get this working. This means OPNsense replaces the source IP in the packets with its VPN IP. The Mikrotik has a proper route to this and hence will send responses back to OPNsense.
-
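The two paths viragomann describes, as an added simulation that is not configuration or code from either poster. It models a stateful firewall doing the port forward, and a MikroTik with a LAN route, a tunnel route and a default route out its own WAN. Every address is constructed for the example (198.51.100.10 internet client, 203.0.113.5 firewall WAN, 10.8.0.1/10.8.0.2 tunnel ends, 192.168.88.50 forwarded host), and the `reply_on_ingress` flag is a hypothetical stand-in for the reply-to behaviour mentioned above, whose availability on the MikroTik the thread leaves open.

```python
"""Why a WAN->VPN port forward sits at CLOSED:SYN_SENT, and why outbound NAT fixes it.

Added example for this thread; addresses and names below are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


CLIENT = "198.51.100.10"   # constructed: host on the internet
FW_WAN = "203.0.113.5"     # constructed: firewall WAN address
FW_VPN = "10.8.0.1"        # constructed: firewall end of the OpenVPN tunnel
SERVER = "192.168.88.50"   # constructed: forwarded-to host on the MikroTik LAN
FWD_PORT = 443


def longest_match(routes, dst):
    """Longest-prefix-match lookup; routes is a list of (prefix, egress interface)."""
    addr = ip_address(dst)
    hits = [(ip_network(p), iface) for p, iface in routes if addr in ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


class StatefulFirewall:
    """Port forward (DNAT) with optional outbound NAT (SNAT) on the VPN interface.

    The state entry records the post-NAT tuple and the interface the reply must
    arrive on; a reply that never arrives there leaves the state at SYN_SENT.
    """

    def __init__(self, snat_to_vpn):
        self.snat_to_vpn = snat_to_vpn
        self.states = {}

    def inbound_from_wan(self, pkt):
        if pkt.dst != FW_WAN or pkt.dport != FWD_PORT:
            return None                      # no port forward matches: default deny
        nat = replace(pkt, dst=SERVER)       # DNAT to the remote LAN host
        if self.snat_to_vpn:
            nat = replace(nat, src=FW_VPN)   # SNAT: source becomes the firewall's VPN IP
        key = (nat.dst, nat.dport, nat.src, nat.sport, "ovpn")
        self.states[key] = {"orig": pkt, "state": "CLOSED:SYN_SENT"}
        return nat

    def inbound_reply(self, pkt, iface):
        entry = self.states.get((pkt.src, pkt.sport, pkt.dst, pkt.dport, iface))
        if entry is None:
            return None                      # unknown tuple or wrong interface: dropped
        entry["state"] = "ESTABLISHED:ESTABLISHED"
        orig = entry["orig"]
        return replace(pkt, src=orig.dst, dst=orig.src)   # undo DNAT and SNAT

    def state_of(self):
        return next(iter(self.states.values()))["state"]


class Mikrotik:
    """Remote router: LAN on the bridge, tunnel to the firewall, default via its own ISP."""

    routes = [("192.168.88.0/24", "bridge"), ("10.8.0.0/24", "ovpn"), ("0.0.0.0/0", "ether1-wan")]

    def __init__(self, reply_on_ingress=False):
        self.reply_on_ingress = reply_on_ingress   # hypothetical reply-to style behaviour
        self.ingress = {}

    def deliver(self, pkt, iface):
        self.ingress[(pkt.src, pkt.sport)] = iface
        return longest_match(self.routes, pkt.dst) == "bridge" and pkt.dst == SERVER

    def route_reply(self, reply):
        if self.reply_on_ingress:
            return self.ingress.get((reply.dst, reply.dport))
        return longest_match(self.routes, reply.dst)   # plain routing-table decision


def simulate(snat_to_vpn, mikrotik_reply_to=False):
    """Return (interface the MikroTik sends the SYN-ACK out of, firewall state)."""
    fw, mt = StatefulFirewall(snat_to_vpn), Mikrotik(mikrotik_reply_to)
    syn = Packet(CLIENT, FW_WAN, 51000, FWD_PORT)
    fwd = fw.inbound_from_wan(syn)
    if fwd is None or not mt.deliver(fwd, "ovpn"):
        raise RuntimeError("forwarded SYN did not reach the LAN host")
    synack = Packet(SERVER, fwd.src, FWD_PORT, fwd.sport)   # server answers the source it saw
    egress = mt.route_reply(synack)
    if egress == "ovpn":
        fw.inbound_reply(synack, "ovpn")
    return egress, fw.state_of()


if __name__ == "__main__":
    print("DNAT only:        ", simulate(False))
    print("DNAT + SNAT:      ", simulate(True))
    print("DNAT + reply-to:  ", simulate(False, mikrotik_reply_to=True))
```

Without SNAT the SYN-ACK is addressed to the internet client, so the MikroTik's default route sends it out `ether1-wan` and the firewall's state never leaves `CLOSED:SYN_SENT`, which is exactly the symptom in the first post. With the source rewritten to the tunnel IP, the reply matches the `10.8.0.0/24` route and comes back through the tunnel where the state entry is waiting.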
@viragomann Thank you very much. You helped me understand very well what's going on.
Moreover, I managed to make it work by adding an SNAT outbound rule to the OpenVPN interface. Thanks again.