Source NAT Help needed!
-
Hello!
First of all, pfSense is a great project, a reliable firewall, and has a lot of really useful features, especially the HA features. Thanks to all who worked on it!
Now my problem (I spent the last 2 days searching for a solution in this forum and also the wiki, etc.):
I would like to add a specific source NAT rule for traffic originating from the tun0 interface (like it is possible to do for the LAN and WAN interfaces on the "Outbound NAT" web interface page). OpenVPN client users should get NATted to another local (LAN) address when they try to access a "pushed remote network" through an IPsec tunnel (which avoids configuring a fully routed network through the tunnels). Here is an example:
pfsense-lan=172.30.0.0/24 (if=carp2)
pfsense-openvpnrange=127.30.1.0/24 (if=tun0)
remote system, connected via IPsec tunnel (Cisco ASA)=172.29.0/24
The route of the remote system is pushed to the client and I can also see the packets arriving there, but they still have their original OpenVPN source IP and cannot find their way back.
What I found out is that it is possible to configure the tun0 interface so that it shows up in the "Outbound NAT" configuration page, but after configuring this, the OpenVPN users have neither a connection to the LAN nor to the remote net.
Another possibility may be to insert a NAT rule manually, but unfortunately I'm not very used to BSD firewall administration with pfctl.
It must be something like:
nat on tun0 inet from 127.30.1.0/24 to 127.29.0.0/24 -> 172.30.0.100 port 1024:65535
or
nat on tun0 inet from 127.30.1.0/24 to 127.29.0.0/24 -> (carp2) round-robin
(which does not work at the moment). Can anybody help me with this? (Figure out how to address the IPsec interface in such a NAT rule, or even better, how to configure it in the web interface!?)
I know that such a source NAT is working on Cisco, phion, Astaro or even Endian!
We use 2 pfSense 1.2.3 boxes as a failover cluster.
Thanks a lot!
-
First, in the custom options for OpenVPN, assign it a specific interface:
dev tun50;
Then after saving, go to Interfaces > (assign) and assign that tun50 as an interface.
Go to Interfaces > <name of the interface you just made>, enable it, and enter "none" for the IP.
Then you can use it for NAT and other purposes.
More info on filtering of such traffic can be found here: http://doc.pfsense.org/index.php/OpenVPN_Traffic_Filtering_on_1.2.3
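What the steps above produce in pf terms, written out here as an added illustration (it is not from the original posts and not pfSense's generated ruleset). One point the reply leaves implicit: pf's `nat on <interface>` rules match packets as they leave the named interface, so a source NAT for OpenVPN client traffic headed into the LAN belongs on the LAN interface, not on tun50. The subnets follow the first post (172.30.0.0/24 LAN, 172.30.1.0/24 OpenVPN clients, 172.30.0.100 as a LAN virtual IP used as the translated source); the NIC name `vr0` is an assumption, and the OpenVPN server's custom option `dev tun50;` is what pins the tunnel to that interface name.

```conf
# Added example pf.conf fragment (hand-written, not the ruleset pfSense 1.2.3 writes).
lan_if   = "vr0"            # assumption: physical LAN NIC behind the carp2 VIP
ovpn_if  = "tun50"          # OpenVPN tunnel pinned with "dev tun50;" and assigned as an interface
ovpn_net = "172.30.1.0/24"  # OpenVPN client address pool
lan_net  = "172.30.0.0/24"  # pfSense LAN
nat_src  = "172.30.0.100"   # virtual IP on the LAN used as the translated source address

# Translation rules match on the OUTGOING interface. Client traffic into the LAN
# leaves via $lan_if, so that is where the source NAT goes; "nat on tun50" would
# only ever see packets going back out to the clients.
nat on $lan_if inet from $ovpn_net to $lan_net -> $nat_src port 1024:65535

# Filter rule on the assigned OpenVPN interface. With "Automatic Rules" disabled
# in System > Advanced (as the linked doc describes), something must pass the
# inbound client traffic explicitly.
pass in quick on $ovpn_if inet from $ovpn_net to any keep state
```

Traffic that instead goes into the IPsec tunnel toward 172.29.0.0/24 never leaves through a regular interface that such a rule could name, which is consistent with the later reply in this thread that NAT on IPsec does not work on 1.2.x; the fragment only covers the LAN-bound portion.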
-
Thank you very much for the fast and precise answer!
I'm gonna try it on Monday. Have a nice weekend!
-
Hello again!
Today I tried this, but it still doesn't work.
I exactly followed the actions described in "OpenVPN Traffic Filtering on 1.2.3":
1. Hardwired the OpenVPN interface as "tun50"
2. Disabled Automatic Rules in System > Advanced
3. Assigned and configured the OpenVPN interface with IP "none"
4. Placed an "any to any - allow" rule in the OpenVPN interface tab of the firewall rules
5. Created a virtual IP 172.30.0.100 on the "LAN" interface (to be used as the NAT source address)
6. Created an outbound NAT rule like this:
'nat on tun50 inet from 172.30.1.0/24 to 172.29.0.0/24 -> 172.30.0.100 port 1024:65535'
(from OpenVPN to remote net -> NAT address)
I can ping and get answers when pinging into the LAN network (172.30.0.0), but I still see the OpenVPN packets being routed through the IPsec tunnel with their original source address, and I get no answers from the remote net.
Somehow the outbound NAT rule is not applied to the packets originating from the OpenVPN client.
-
NAT will only work on the portion of that traffic which goes to the LAN. NAT on IPsec doesn't work (though I think it might on 2.0).
-
Is there no way to do that, not even by manually editing the NAT table with pfctl in version 1.2.3?
-
I have never heard of it working, even with any kind of manual hacking, on 1.2.x