Advice for OpenVPN w/ Outgoing NAT
-
To those of us who have multi-WAN interfaces that are using OpenVPN:
If you are using outbound NAT to map certain subnets or computers/hosts to certain WAN gateways, you need to add an explicit firewall rule on the LAN interface to permit traffic from any source (or certain networks/hosts) on your LAN to the OPVN interface address and the remote network. A default rule "permit all" will NOT work because of the outbound NAT rules.
For instance, in my scenario:
172.16.10.0/24 - Local (Interface) LAN subnet
172.16.20.0/24 - Local (VoIP) LAN subnet
172.16.30.0/24 - Local (Data) LAN subnetEach of these subnets come through ONE interface (the pfSense LAN interface).
172.16.40.0/24 - pfSense OpenVPN interface network
192.168.1.0/24 - Remote OpenVPN network
See the attached image for working firewall rules.
Hope this helps someone. I wish I would have known this before my experience!
-
I couldn't figure out how to edit my post, but I had one more thing to say.
The key to the firewall rules:
- They have to come before your outgoing NAT rules (depicted in the picture).
- You must choose "default" for the gateway, so that pfSense can access its internal route table to know where to forward the traffic. Otherwise, it will head out one of the WAN interfaces.
-
Hello Helix26404,
Afer 2 weeks of forums searchs and configs changing, i find your post and i do the change and all works fine.
Tahnk you very much Helix26404, maybe your post must be introduced to the main pfsense-openvpn tutorials.
HICHAMB