Netgate Discussion Forum

    Advice for OpenVPN w/ Outgoing NAT

      Helix26404

      To those of us who have multi-WAN interfaces that are using OpenVPN:

      If you are using outbound NAT to map certain subnets or computers/hosts to certain WAN gateways, you need to add an explicit firewall rule on the LAN interface to permit traffic from any source (or certain networks/hosts) on your LAN to the OpenVPN interface address and the remote network. A default rule "permit all" will NOT work because of the outbound NAT rules.

      For instance, in my scenario:

      172.16.10.0/24 - Local (Interface) LAN subnet
      172.16.20.0/24 - Local (VoIP) LAN subnet
      172.16.30.0/24 - Local (Data) LAN subnet

      Each of these subnets comes through ONE interface (the pfSense LAN interface).

      172.16.40.0/24 - pfSense OpenVPN interface network

      192.168.1.0/24 - Remote OpenVPN network

      See the attached image for working firewall rules.

      Hope this helps someone. I wish I would have known this before my experience!
      pfsense.jpg

        Helix26404

        I couldn't figure out how to edit my post, but I had one more thing to say.

        The key to the firewall rules:

        • They have to come before your outgoing NAT rules (depicted in the picture).
        • You must choose "default" for the gateway, so that pfSense can access its internal route table to know where to forward the traffic. Otherwise, it will head out one of the WAN interfaces.
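A simplified first-match model of the rule ordering described in the two posts above, added here as an illustration; it is not part of the original posts and is not pfSense code. The subnets come from the post; the gateway names (`WAN1_GW`, `WAN2_GW`), the subnet-to-WAN mapping and the host addresses are assumptions.

```python
import ipaddress

# Networks are from the post. Gateway names and which subnet is pinned to
# which WAN are assumptions (the attached screenshot is not available).
ANY, TUNNEL, REMOTE = "0.0.0.0/0", "172.16.40.0/24", "192.168.1.0/24"
# Routing table, consulted only when the matching rule's gateway is "default".
ROUTES = [(TUNNEL, "ovpn"), (REMOTE, "ovpn"), (ANY, "WAN1_GW")]

def rule(src, dst, gateway):
    net = ipaddress.ip_network
    return {"src": net(src), "dst": net(dst), "gateway": gateway}

# Rules that pin each LAN subnet to a WAN gateway.
POLICY_RULES = [rule("172.16.10.0/24", ANY, "WAN1_GW"),
                rule("172.16.20.0/24", ANY, "WAN2_GW"),
                rule("172.16.30.0/24", ANY, "WAN1_GW")]
# The explicit rules from the post: LAN to the OpenVPN networks, gateway "default".
VPN_RULES = [rule(ANY, TUNNEL, "default"), rule(ANY, REMOTE, "default")]

def route_lookup(dst):
    """Longest-prefix match against the routing table."""
    hits = [(ipaddress.ip_network(n), hop) for n, hop in ROUTES
            if ipaddress.ip_address(dst) in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def egress(rules, src, dst):
    """First matching rule wins. Returns the egress, or 'blocked' if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r["src"] and d in r["dst"]:
            # A rule with a gateway set bypasses the routing table entirely.
            return route_lookup(dst) if r["gateway"] == "default" else r["gateway"]
    return "blocked"

def vpn_leaks(rules, sources, vpn_hosts):
    """Flows to VPN destinations that would not leave through the tunnel."""
    flows = [(s, d, egress(rules, s, d)) for s in sources for d in vpn_hosts]
    return [f for f in flows if f[2] != "ovpn"]

if __name__ == "__main__":
    sources = ["172.16.10.5", "172.16.20.5", "172.16.30.5"]   # constructed hosts
    vpn_hosts = ["172.16.40.1", "192.168.1.10"]
    for name, rules in [("policy rules only", POLICY_RULES),
                        ("VPN rules below", POLICY_RULES + VPN_RULES),
                        ("VPN rules on top", VPN_RULES + POLICY_RULES)]:
        print(f"{name}: {len(vpn_leaks(rules, sources, vpn_hosts))} leaking flows")
```

Running `vpn_leaks` over an exported rule list is a quick way to confirm that no LAN subnet sends VPN-bound traffic out a WAN interface after a rule change.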
          HICHAMB

          Hello Helix26404,

          After 2 weeks of forum searches and config changes, I found your post, made the change, and everything works fine.

          Thank you very much Helix26404, maybe your post must be introduced to the main pfsense-openvpn tutorials.

          HICHAMB

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.