NAT Rule: OPT1 (OpenVPN) => LAN

  • Hi,

    I have following interfaces:

    • WAN
    • LAN
    • OPT1

    The WAN interface is only used to establish a VPN connection to a VPN Gateway on the OPT1 interface. Afterwards all outbound traffic from LAN network is NATted to the OPT1 interface. This works as expected and everything is fine so far.

    The only problem I have now is to NAT inbound traffic from OPT1 ( to LAN (

    If I create a firewall rule to allow all OPT1 inbound traffic, I can connect to the pfsense WebInterface, e.g. => working
    telnet => Port 80,443 is working. Therefore it's possible to connect from the openvpn network to the pfsense OPT1 interface.
    But if I create a NAT rule to forward MS RDP (3389) inbound traffic to a client (LAN, it doesn't work.
    telnet 3389 => forward to is not working

    It simply looks like it's not possible for pfsense to forward the request from OPT1 interface to the LAN client. Is there something I need to add in addition or I completely forgot about? I have already searched the forum and googled a lot but didn't find a solution so far  :(

    Is there someone who already have set up something similar and could help?

    Thanks in advance!  :)

  • Rebel Alliance Developer Netgate

    This would probably not work until pfSense 2.1, since the OpenVPN interface wouldn't have "reply-to" on its rules, the return traffic is probably trying to go out WAN and not back the way you expect.

    On 2.1 it should work so long as the VPN interface is assigned, which it would be if you already have it set to be OPT1.

  • @jimp

    Thanks for your answer! Although it wasn't the solution but I could rule out that it was not a bug or limitation of the current release as I've installed version 2.1-BETA1 x86 in parallel and set it up in the same way.

    The advanced option you've mentioned is available in the current 2.0.2 Release x86, too. But as I've already mentioned it didn't help.

    There were 2 problems in my setup.

    One problem was with the OPT1 interface because the flag "Block private networks" was set and once it's set all the firewall rules that are created on a private IP (OpenVPN 10.x.x.x) are simply getting ignored by pfSense. That's a little bit confusing because I'd expect a different behaviour or at least a warning.

    The second problem was easier as there was a personal firewall (silly, I know ;) ) that was forbidding the connection from a non-LAN IP to local services.

    Now after many hours of headache it's working like a charm and I like pfSense again  8)

    So in general with pfSense and my setup you have to be careful to not activate the "Block private networks" flag on the OPT1 interface and to switch the outbound NAT Mode to manual and create NAT rules on interface OPT1. The easiest way to do this is to simply copy / modify the existing LAN interface rules.

    In addition you need to copy/create the LAN -> OPT1 "allow LAN to any" rule. That's all.

    And as a hint it's better not to get confused by other guides on the internet where people say that you need to create OpenVPN and WAN rules, e.g. because that's simply not needed if you're using an optional interface (OPT1) - at least that was my experience.

    I've added some screenshots of the required rules:

    OPT1 IF:

    Outbound NAT:

    Firewall LAN Rule:

    Firewall OPT1 Rule:

    Firewall NAT (Port) Forward Rule that belongs to the OPT1 FW rule: