VPN / NAT question



  • Option 1:
    I have 1 computer in the local network connecting to an external VPN for internet access, set up at the computer level.  When it's connected, I cannot access that computer from the normal external IP.  Is there a way to set it up so the PC uses internet through the VPN, but on certain ports, it can be accessed externally?

    Option 2:
    I wouldn't mind setting up the VPN at the pfsense level, provided I could still access some of the computers inside the network from the outside…

    Any ideas?



    1. That really depends on the computer and the VPN's configuration - it has nothing to do with pfSense.

    2. You may want to explain what you're trying to achieve, rather than giving us a tiny piece of the picture ;)



  • Alright, for option 2:

    pfsense connects to an external VPN (VyprVPN) and causes all internal computers to use that VPN for all internet traffic on IP (199.99.99.55)
    Internal computer named Server1 with an IP of 192.168.0.5
    How do I access Server1 remotely using VNC from an outside computer?
    Normally you would just go into pfsense > nat > forward port from ISP supplied IP (24.25.26.27) to local IP (192.168.0.5) port 5900
    Since I'm connected to the VPN I can't access any computers using 24.25.26.27.  How do I get around this?



  • You have to ensure that the VPN isn't the default route, or have a proxy on the local LAN for the protocol you're using.

    The simplest solution is not to use a VPN on a host you want to access from outside the LAN.



  • I understand what you are saying but the reason I use a VPN is because my ISP throttles my traffic.  By using a VPN I can bypass that since they don't know what I'm connecting to, so I want it to be the default route.

    However when it's enabled, I cannot access any computers that are connected to the VPN (whether they are configured at the computer level or globally at the pfsense level).

    I thought there was a way to configure pfsense to allow access from an outside source even when it's connected to a VPN, or maybe I need to create a route for specific external IPs or IP ranges?



    On 2.0, if you let pfSense handle the VPN it shows up as a dynamic gateway, so you can use the normal policy-based routing tricks to do what you want.

    You'd just have the rules on WAN for the port forwards set as usual, and the rule on LAN to let your local systems out would have the gateway set as the VPN.
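    The two rules described above, written out as the pf ruleset pfSense would generate for them. This is an added illustration, not the poster's configuration: the interface names (em0, em1, ovpnc1) and the two gateway addresses are assumptions; the WAN IP, Server1's IP and the VNC port come from the thread. The point is the pairing of `reply-to` on the WAN port-forward rule (so VNC replies leave via the ISP gateway even though the VPN is the default route) with `route-to` on the LAN rule (so ordinary LAN traffic still goes out through the VPN).

```pf
# Assumed interface names and gateway addresses (not from the thread)
ext_if = "em0"          # WAN, ISP-supplied IP 24.25.26.27
lan_if = "em1"          # LAN, 192.168.0.0/24
vpn_if = "ovpnc1"       # OpenVPN client tunnel to the VPN provider
wan_gw = "24.25.26.1"   # assumed ISP next hop
vpn_gw = "10.8.0.1"     # assumed VPN tunnel next hop
server1 = "192.168.0.5"
lan_net = "192.168.0.0/24"

# Outbound NAT on both possible exit interfaces
nat on $vpn_if from $lan_net to any -> ($vpn_if)
nat on $ext_if from $lan_net to any -> ($ext_if)

# Port forward: VNC arriving on the WAN address goes to Server1
rdr on $ext_if proto tcp from any to ($ext_if) port 5900 -> $server1 port 5900

# WAN rule for the forward.  reply-to pins the return path of this state to
# the ISP gateway, so Server1's replies are not sent into the VPN tunnel.
pass in quick on $ext_if reply-to ($ext_if $wan_gw) proto tcp \
    from any to $server1 port 5900 keep state

# Traffic between LAN hosts and the firewall itself uses the normal routing table
pass in quick on $lan_if from $lan_net to $lan_net keep state

# LAN rule with the VPN as gateway: route-to forces all other LAN-originated
# traffic out through the tunnel instead of the default route.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) \
    from $lan_net to any keep state
```

Because pf matches Server1's reply packets against the state created by the WAN rule before any LAN rule is evaluated, the `route-to` on the LAN rule never applies to them.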

