Netgate Discussion Forum

    Applying NAT rules via command-line

    NAT
    3 Posts 2 Posters 13.3k Views
    • michaels

      Hi!

      I'm struggling with OpenVPN and NAT rules on my pfSense box.

      Situation:

      • LAN: 192.168.1.0/24 (default gw: 192.168.1.1)
      • VPN: 192.168.2.0/24
      • pfSense (192.168.1.2) is included in the LAN but uses a dedicated gateway
      • all other computers in the network are using the default gateway
      • OpenVPN connection works but I can only ping the pfSense box

      Now after some research, I found out that the problem is that replies from the internal computers go to the default gateway instead of my pfSense box. So the solution is to add a NAT rule that translates all IPs of my VPN network.

      The good thing is that I already fixed this, and actually it works using this rule:

      nat on vr0 inet from 192.168.2.0/24 to 192.168.1.0/24 -> (vr0) round-robin
      

      However, as it seems it is not possible to apply the fix via the web GUI. So I followed the procedure described here: http://www.mail-archive.com/discussion@pfsense.com/msg02046.html (not the same problem, but similar solution):

      
      # 1. Dump the current NAT ruleset into a file
      pfctl -sn > /var/tmp/tempfile
      
      # 2. Edit the file and add my rule after the last nat rule:
      #    nat on vr0 inet from 192.168.2.0/24 to 192.168.1.0/24 -> (vr0) round-robin
      
      # 3. Import the whole NAT ruleset again
      pfctl -Nf /var/tmp/tempfile
      
      

      Now since pfSense may reload these rules quite often, I need some better solution to apply my nat rule, which can be automated if possible.

      Can anyone give me a pointer on what is the best way to add my rule?

      Thanks in advance!

      • michael

      PS: If I've been searching too far and it is possible to set this via the web GUI, let me know of course :-)

      • danswartz
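An added example, not code from the original post or from pfSense, that automates the dump, append, reload procedure described above: it appends the poster's rule only when it is not already in the live NAT ruleset, parses the result with pfctl -n before loading it, and reads the ruleset back to confirm the rule is active. The interface name vr0 and the two subnets are taken from the post; the script assumes the FreeBSD/pfSense pfctl(8) and writes its scratch file under /var/tmp.

```shell
#!/bin/sh
# Added example, not code from the original post or from pfSense.
# Ensures one nat rule is present in the live pf NAT ruleset, idempotently.
# Assumes the FreeBSD/pfSense pfctl(8); vr0 and the subnets come from the post.

RULE='nat on vr0 inet from 192.168.2.0/24 to 192.168.1.0/24 -> (vr0) round-robin'

# ensure_rule RULESET_TEXT
# Prints RULESET_TEXT with RULE present exactly once, appended after the
# last existing rule if it was missing. Pure text function: no pfctl here.
ensure_rule() {
    ruleset=$1
    if printf '%s\n' "$ruleset" | grep -Fxq -- "$RULE"; then
        printf '%s\n' "$ruleset"          # already there, leave untouched
    elif [ -z "$ruleset" ]; then
        printf '%s\n' "$RULE"             # empty ruleset: the rule alone
    else
        printf '%s\n%s\n' "$ruleset" "$RULE"
    fi
}

# apply_rule
# Dumps the current NAT ruleset (nat, rdr and binat rules), appends RULE if
# needed, parses the file with pfctl -n before loading, then loads it with
# -Nf (which replaces the whole NAT ruleset) and verifies the rule is live.
apply_rule() {
    tmp=$(mktemp /var/tmp/nat.XXXXXX) || return 1
    current=$(pfctl -sn) || { rm -f "$tmp"; return 1; }
    ensure_rule "$current" > "$tmp"
    # -n: parse only, so a typo in the file is caught without touching pf.
    if ! pfctl -nNf "$tmp"; then
        echo "refusing to load: $tmp does not parse" >&2
        rm -f "$tmp"
        return 1
    fi
    pfctl -Nf "$tmp"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return "$rc"
    # Read back from the kernel rather than trusting the file.
    pfctl -sn | grep -Fxq -- "$RULE"
}

# Only touch pf when explicitly asked, e.g. from cron or a post-reload hook:
#   sh ensure_nat.sh apply
if [ "${1-}" = "apply" ]; then
    apply_rule
fi
```

Appending at the end is safe because pf applies the first matching translation rule, so the added rule cannot shadow an existing one. Since pfctl -Nf replaces the entire NAT ruleset, the file must be built from the full pfctl -sn output and not from the new rule alone, which is what ensure_rule does. The script does not solve the persistence problem the poster raises: pfSense regenerates its rules on every filter reload, so the rule stays in place only if something re-runs the apply step after each reload.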

        If I am understanding your setup correctly, you shouldn't need to do anything to the pfsense box - put a static route on your default gateway for 192.168.2.0/24 pointing at 192.168.1.2 (pfsense's IP?)

        • michaels

          Oh yes, that will do the trick of course! Did not even think about it, but it's indeed very obvious. :)
          Many thanks for your help!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.