Outbound nat on tap / VPN



  • Hello,

    I've some trouble setting up outbound-nat on pfsense 1.2.3-release - can you help me out?
    setup - (relevant) networks:

    • lan: 192.168.40.0/24

    • wan: pppoe, one dynamic ip

    • OpenVPN (tap / layer2) 192.168.150.20/30 - local address (pfsense): 192.168.150.22 - remote address: 192.168.150.21

    rules (to be implemented):

    • lan clients are allowed to access wan (and should be masqueraded)

    • lan clients are allowed to access 192.168.150.21 (remote vpn host)

    Configuration options on the remote VPN hosts are restricted (and cannot be changed):

    • its tap interface is bound to 192.168.150.21/30

    • no routes can be set (by that, setting a route for reaching 192.168.40.0/24 via 192.168.150.22 is impossible)

    Thus all traffic reaching the remote host must have 192.168.150.22 as source address, and pfsense must run network-address-and-port-translation (masquerading to 192.168.150.22) for all packets going out on the tap device coming from 192.168.40.0/24.

    Outbound-nat is configured this way:

    Accessing wan works, icmp-echo from 192.168.150.21 to .22 (and vice-versa), too.
    But somehow, packets coming from 192.168.40.0 are not masqueraded and echoes fail (capture output running on tapvpn):

    15:49:07.694554 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 149, length 40
    15:49:12.568993 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 150, length 40
    15:49:17.393671 arp who-has 192.168.40.1 tell 192.168.40.197 (***)
    15:49:17.577939 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 151, length 40
    15:49:22.574349 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 152, length 40

    Furthermore, I wonder what (***) is doing here. There is no bridge set up.
    What may be wrong in my setup?

    Thanks in advance,
    Keep smiling
    yanosz



  • In your rule for the VPN you've set a single address.
    This means that traffic on this interface is only NATed when this rule matches -> only when you access the remote end of the tunnel.

    Set the destination to "any" and all traffic leaving via the VPN should be NATed.
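The two points above, a capture showing LAN source addresses leaving the tap interface untranslated and an outbound NAT rule that only matches one destination, can both be checked offline. The following is an added example, not code from the thread or from pfSense: it parses tcpdump lines like those posted (a constructed sample modelled on them), flags packets on the tunnel interface that still carry a LAN source, and models an outbound NAT rule as a hypothetical `OutboundNatRule` class with first-match-wins semantics (an assumption of the model, not pfSense's own code) so the single-address rule and the "any" rule from the reply can be compared side by side.

```python
import ipaddress
import re

# Constructed sample modelled on the capture in the thread: tcpdump running on
# the tap interface (tapvpn) of the pfSense box. The ARP line is kept to show
# that non-IP lines are skipped; the reply line is constructed.
SAMPLE_CAPTURE = """\
15:49:07.694554 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 149, length 40
15:49:12.568993 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 150, length 40
15:49:17.393671 arp who-has 192.168.40.1 tell 192.168.40.197
15:49:17.577939 IP 192.168.40.197 > 192.168.150.21: ICMP echo request, id 1, seq 151, length 40
15:49:17.578201 IP 192.168.150.21 > 192.168.150.22: ICMP echo reply, id 7, seq 3, length 40
"""

# Matches the "IP <src> > <dst>:" part of a tcpdump line. For TCP/UDP the
# endpoints carry a trailing ".port", which _strip_port removes.
LINE_RE = re.compile(r"^\S+ IP (\S+) > ([^:]+):")


def _strip_port(endpoint):
    """'10.0.0.1.443' -> '10.0.0.1'; a bare IPv4 address is returned unchanged."""
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else endpoint


def parse_capture(text):
    """Return (src, dst) address pairs for the IP packets in tcpdump output."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # ARP and other non-IP lines do not match and are dropped
            pairs.append((_strip_port(m.group(1)), _strip_port(m.group(2))))
    return pairs


class OutboundNatRule:
    """Hypothetical model of one outbound NAT rule; first matching rule wins."""

    def __init__(self, interface, source, destination, nat_address):
        self.interface = interface
        self.source = ipaddress.ip_network(source)
        # a destination of "any" is modelled as 0.0.0.0/0
        self.destination = ipaddress.ip_network(
            "0.0.0.0/0" if destination == "any" else destination)
        self.nat_address = nat_address

    def matches(self, interface, src, dst):
        return (interface == self.interface
                and ipaddress.ip_address(src) in self.source
                and ipaddress.ip_address(dst) in self.destination)


def translate(rules, interface, src, dst):
    """Source address a packet leaves with: the first matching rule's NAT
    address, or the original source when no rule matches."""
    for rule in rules:
        if rule.matches(interface, src, dst):
            return rule.nat_address
    return src


def untranslated_packets(capture_text, lan_network, tunnel_address):
    """Packets seen on the tunnel interface that still carry a LAN source
    address, i.e. packets that NAT should have rewritten to tunnel_address."""
    lan = ipaddress.ip_network(lan_network)
    return [(src, dst) for src, dst in parse_capture(capture_text)
            if ipaddress.ip_address(src) in lan and src != tunnel_address]


if __name__ == "__main__":
    # Rule as in the thread: tap interface, LAN source, remote host only.
    single = [OutboundNatRule("tapvpn", "192.168.40.0/24",
                              "192.168.150.21/32", "192.168.150.22")]
    # Rule as suggested in the reply: destination "any".
    any_dst = [OutboundNatRule("tapvpn", "192.168.40.0/24",
                               "any", "192.168.150.22")]
    for dst in ("192.168.150.21", "10.9.8.7"):
        print(dst,
              translate(single, "tapvpn", "192.168.40.197", dst),
              translate(any_dst, "tapvpn", "192.168.40.197", dst))
    for src, dst in untranslated_packets(SAMPLE_CAPTURE,
                                         "192.168.40.0/24", "192.168.150.22"):
        print("not masqueraded:", src, "->", dst)
```

Running it on the sample lists three echo requests that left tapvpn with a 192.168.40.x source, which is exactly the symptom in the first post; the rule comparison shows that for the pinged host both rules translate to 192.168.150.22, and the two rules only differ for destinations other than 192.168.150.21.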



  • Hello,

    @GruensFroeschli:

    In your rule for the VPN you've set a single address.
    This means that traffic on this interface is only NATed when this rule matches -> only when you access the remote end of the tunnel.

    Set the destination to "any" and all traffic leaving via the VPN should be NATed.

    Thanks for your reply - but:
    There is just one machine at the remote end of the tunnel, thus: if a packet goes down the tunnel it's meant for the one (and only) remote machine.
    Anyway, I noticed (by accident ;) ) that my settings worked out right after rebooting pfsense. (Maybe natd wasn't restarted, when needed?)

    Keep smiling
    yanosz

