OpenVPN, routed subnet and 1:1 NAT and outbound return path



  • Hi All,

    I have done many searches on how to get this configured correctly but I don't have a definitive answer so I am hoping someone can help me.

    • I have a standard failover pfSense CARP (with /29 on WAN interfaces+ CARP) based cluster at location A.

    • Location B has a single pfSense firewall but will eventually be converted to a cluster

    • There is on OpenVPN tunnel connecting the WAN interface of location B to the CARP IP (/29) of location A.  This works well

    • There are rules in place for OpenVPN at both locations to allow for each locations LAN subnet to reach each other.  This works well.

    Now things get more complex.

    • There is an external /28 that is routed to the location A CARP (/29) address

    • I have created a single VIP other on both members of the CARP cluster using 2 of the /28 IPs.  This is to bypass the CARP subnet requrement

    • I have created some of the /28 as CARP addresses on the WAN interface of location A.  The addresses are correctly copied to the slave firewall

    • Those /28 address have been assigned a 1:1 NAT with addresses on the LAN subnet of location B

    • Rules have been setup at location A to allow traffic to the location B subnet addresses from the Location A WAN interface

    Here is what I happening:

    • When a request is made to a /28 CARP address at location A, the traffic is passed correctly via 1:1 NAT and hits the location B LAN address

    • The return packet gets lost somewhere and the originating machine doesn't get a response

    • tcpdump on the WAN interface of location A shows the request from the external host to one of the /28 CARP addresses

    • tcpdump on the WAN interface of location B shows the request also from the external host to the 1:1 NAT location B LAN address

    • tcpdump on the LAN interface of location B shows the response from the 1:1 NAT location B LAN address to the external host.  This is what I believe to be the problem as I don't think its going back out via the OpenVPN tunnel

    I have tried many combinations things with the same results:

    • Adding push routes on the OpenVPN setup at location A and/or adding routes to the OpenVPN setup at location B

    • Manual outbound NAT to the /28 CARP address or location A LAN gateway

    • Manual outbound NAT to location A LAN gateway

    • Using regular NAT rather than 1:1

    • Other things I may have forgotten

    There is one other clue

    • I have a loadbalanced cluster setup on location A CARP address (/29)

    • This is forwarding  to machines on location B LAN

    • Manual outbound NAT is setup on location B WAN interface to route any outbound traffic from those servers to CARP IP (/29) in location A

    This is working well.  So there is definitely something I am missing regarding the return path.  I have seen various posts about this but the answer is just not very clear for me.



  • Ok this is like pulling teeth.  I think I want to change the strategy here.  Maybe what I should do:

    • Route the external /28 through the VPN link rather than trying to NAT it through

    • Setup the CARP VIPs for that /28 on the Location B firewall instead

    • NAT only from the Location B firewall external to internal interfaces

    Does anyone see an issue with this logically?


Log in to reply