Outbound NAT on tap / VPN
-
Hello,
I'm having some trouble setting up outbound NAT on pfSense 1.2.3-release - can you help me out?
Setup - (relevant) networks:
- LAN: 192.168.40.0/24
- WAN: PPPoE, one dynamic IP
- OpenVPN (tap / layer 2) 192.168.150.20/30 - local address (pfSense): 192.168.150.22 - remote address: 192.168.150.21
Rules (to be implemented):
- LAN clients are allowed to access WAN (and should be masqueraded)
- LAN clients are allowed to access 192.168.150.21 (remote VPN host)
Configuration options on the remote VPN host are restricted (and cannot be changed):
- its tap interface is bound to 192.168.150.21/30
- no routes can be set (so setting a route for reaching 192.168.40.0/24 via 192.168.150.22 is impossible)
Thus all traffic reaching the remote host must have 192.168.150.22 as its source address, and pfSense must run network address and port translation (masquerading to 192.168.150.22) for all packets going out on the tap device that come from 192.168.40.0/24.
Outbound-nat is configured this way:
Accessing WAN works; ICMP echo from 192.168.150.21 to .22 (and vice versa) works too.
But somehow, packets coming from 192.168.40.0 are not masqueraded and echoes fail (capture output running on tapvpn):

15:49:07.694554 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 149, length 40
15:49:12.568993 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 150, length 40
15:49:17.393671 arp who-has 192.168.40.1 tell 192.168.40.197 (***)
15:49:17.577939 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 151, length 40
15:49:22.574349 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 152, length 40

Furthermore, I wonder what (***) is doing here. There is no bridge set up.
What may be wrong in my setup?

Thanks in advance,
Keep smiling
yanosz
-
In your rule for the VPN you've set a single address.
This means that traffic on this interface is only NATed when this rule matches -> only when you access the remote end of the tunnel.
Set the destination to "any" and all traffic leaving via the VPN should be NATed.
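One way to check from a capture whether the outbound NAT rule is actually translating LAN traffic on the tap interface, as an added example that is not part of this thread (the capture lines are constructed in the tcpdump format shown in the question; the LAN prefix and tap-side address are the thread's values):

```shell
#!/bin/sh
# Added example, not from the thread: classify tcpdump lines captured on the
# tap interface to tell whether outbound NAT is translating LAN traffic.
# Assumes the thread's addressing: LAN 192.168.40.0/24 and pfSense tap-side
# address 192.168.150.22 (what LAN sources should be masqueraded to).
LAN_PREFIX="192.168.40."
TAP_ADDR="192.168.150.22"

# Constructed sample capture (same format as the thread's capture on tapvpn).
# Lines 1-2: raw LAN source, so the NAT rule did not match these packets.
# Line 3: a LAN host's ARP request seen on the tap device (the "(***)" case).
# Lines 4-5: a correctly masqueraded echo request and its reply.
SAMPLE_CAPTURE='15:49:07.694554 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 149, length 40
15:49:12.568993 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 150, length 40
15:49:17.393671 arp who-has 192.168.40.1 tell 192.168.40.197
15:49:30.000000 IP 192.168.150.22 > 192.168.150.21: ICMP echo request, id 1, seq 1, length 40
15:49:30.100000 IP 192.168.150.21 > 192.168.150.22: ICMP echo reply, id 1, seq 1, length 40'

# IP packets leaving with an untranslated LAN source: NAT is not applied to them.
# The source field ($3) may carry a trailing .port for tcp/udp, so match the prefix.
count_untranslated() {
    awk -v lan="$LAN_PREFIX" '$2 == "IP" && index($3, lan) == 1 { n++ } END { print n + 0 }'
}

# IP packets whose source is already the tap-side address: NAT worked for these.
count_translated() {
    awk -v tap="$TAP_ADDR" '$2 == "IP" && ($3 == tap || index($3, tap ".") == 1) { n++ } END { print n + 0 }'
}

# ARP requests from LAN hosts on the tap device. Outbound NAT rewrites IP packets
# only and never touches ARP, so these point at layer-2 frames being forwarded
# onto the tap interface, which the NAT rule can neither cause nor fix.
count_lan_arp() {
    awk -v lan="$LAN_PREFIX" '$2 == "arp" && $3 == "who-has" && index($4, lan) == 1 { n++ } END { print n + 0 }'
}

# Verdict for a capture read from stdin: "nat-ok" when no LAN-sourced packet
# was seen on the tap interface, otherwise the number of untranslated packets.
nat_verdict() {
    u="$(count_untranslated)"
    if [ "$u" -eq 0 ]; then echo "nat-ok"; else echo "nat-missing:$u"; fi
}

printf '%s\n' "$SAMPLE_CAPTURE" | nat_verdict
```

On the box itself the same functions can be fed a live capture, e.g. `tcpdump -ni tapvpn -c 50 | nat_verdict`.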
-
Hello,
In your rule for the VPN you've set a single address.
This means that traffic on this interface is only NATed when this rule matches -> only when you access the remote end of the tunnel.
Set the destination to "any" and all traffic leaving via the VPN should be NATed.
Thanks for your reply - but:
There is just one machine at the remote end of the tunnel, thus: if a packet goes down the tunnel, it's meant for the one (and only) remote machine.
Anyway, I noticed (by accident ;) ) that my settings worked out right after rebooting pfSense. (Maybe natd wasn't restarted when needed?)

Keep smiling
yanosz