Netgate Discussion Forum
    NAT Rule: OPT1 (OpenVPN) => LAN

    3 Posts 2 Posters 7.1k Views
    silver

      Hi,

      I have following interfaces:

      • WAN
      • LAN
      • OPT1

      The WAN interface is only used to establish a VPN connection to a VPN Gateway on the OPT1 interface. Afterwards all outbound traffic from LAN network is NATted to the OPT1 interface. This works as expected and everything is fine so far.

      The only problem I have now is to NAT inbound traffic from OPT1 (10.8.0.0) to LAN (192.168.1.0).

      If I create a firewall rule to allow all OPT1 inbound traffic, I can connect to the pfSense web interface, e.g. => working
      telnet 10.8.0.6 => ports 80 and 443 are working. Therefore it's possible to connect from the OpenVPN network to the pfSense OPT1 interface.
      But if I create a NAT rule to forward MS RDP (3389) inbound traffic to a client (LAN, 192.168.1.100:3389) it doesn't work.
      telnet 10.8.0.6 3389 => forward to 192.168.1.100:3389 is not working

      It simply looks like it's not possible for pfSense to forward the request from the OPT1 interface to the LAN client. Is there something I need to add in addition, or that I completely forgot about? I have already searched the forum and googled a lot but didn't find a solution so far  :(

      Is there someone who has already set up something similar and could help?

      Thanks in advance!  :)

      jimp (Rebel Alliance Developer, Netgate)

        This would probably not work until pfSense 2.1, since the OpenVPN interface wouldn't have "reply-to" on its rules; the return traffic is probably trying to go out WAN and not back the way you expect.

        On 2.1 it should work so long as the VPN interface is assigned, which it would be if you already have it set to be OPT1.

        silver

          @jimp

          Thanks for your answer! Although it wasn't the solution, I could rule out a bug or limitation of the current release, as I've installed version 2.1-BETA1 x86 in parallel and set it up in the same way.

          The advanced option you've mentioned is available in the current 2.0.2 Release x86, too. But as I've already mentioned it didn't help.

          There were 2 problems in my setup.

          One problem was with the OPT1 interface because the flag "Block private networks" was set and once it's set all the firewall rules that are created on a private IP (OpenVPN 10.x.x.x) are simply getting ignored by pfSense. That's a little bit confusing because I'd expect a different behaviour or at least a warning.

          The second problem was easier as there was a personal firewall (silly, I know ;) ) that was forbidding the connection from a non-LAN IP to local services.

          Now after many hours of headache it's working like a charm and I like pfSense again  8)

          So in general with pfSense and my setup you have to be careful not to activate the "Block private networks" flag on the OPT1 interface, and to switch the outbound NAT mode to manual and create NAT rules on interface OPT1. The easiest way to do this is to simply copy / modify the existing LAN interface rules.

          In addition you need to copy/create the LAN -> OPT1 "allow LAN to any" rule. That's all.

          And as a hint it's better not to get confused by other guides on the internet where people say that you need to create OpenVPN and WAN rules, e.g. because that's simply not needed if you're using an optional interface (OPT1) - at least that was my experience.

          I've added some screenshots of the required rules:

          OPT1 IF:

          Outbound NAT:

          Firewall LAN Rule:

          Firewall OPT1 Rule:

          Firewall NAT (Port) Forward Rule that belongs to the OPT1 FW rule:

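The rule set silver ends up with, written as the kind of pf.conf fragment pfSense assembles underneath the GUI. This is an added illustration, not taken from the thread or from pfSense's own generated rules; the interface names, the VPN gateway address and the exact shape of the "Block private networks" rules are assumed.

```pf
# Assumed names: OpenVPN client instance assigned as OPT1, LAN on em1.
lan_if   = "em1"
opt1_if  = "ovpnc1"
lan_net  = "192.168.1.0/24"
vpn_net  = "10.8.0.0/24"      # OpenVPN network seen on OPT1
vpn_gw   = "10.8.0.1"         # assumed OpenVPN peer address for reply-to
rdp_host = "192.168.1.100"

# Outbound NAT in manual mode: LAN hosts leaving through OPT1 are
# translated to the OPT1 address (the copied/modified LAN-style rule).
nat on $opt1_if from $lan_net to any -> ($opt1_if)

# Port forward: RDP arriving on OPT1 from the VPN network goes to the
# LAN workstation.
rdr on $opt1_if proto tcp from $vpn_net to ($opt1_if) port 3389 \
    -> $rdp_host port 3389

# The trap from the thread: "Block private networks" on OPT1 emits
# quick block rules for RFC 1918 space. pf evaluates rules in order and
# "quick" stops at the first match, so every packet from 10.8.0.0/24 is
# dropped here and the pass rules below are never reached. No warning is
# produced, which matches what silver observed. Keep these out of a
# VPN interface whose peers use private addresses.
# block in quick on $opt1_if from 10.0.0.0/8     to any
# block in quick on $opt1_if from 172.16.0.0/12  to any
# block in quick on $opt1_if from 192.168.0.0/16 to any

# OPT1 firewall rule matching the port forward. reply-to pins the
# return path to OPT1 (jimp's point): without it, replies to 10.8.0.x
# would follow the default route out WAN and the handshake never
# completes, even though the rdr itself is fine.
pass in quick on $opt1_if reply-to ($opt1_if $vpn_gw) proto tcp \
    from $vpn_net to $rdp_host port 3389 flags S/SA keep state

# The copied "allow LAN to any" rule, so LAN hosts can reach OPT1 and
# beyond; stateful, so their replies come back without extra rules.
pass in quick on $lan_if from $lan_net to any keep state
```

When debugging this on a live box, `pfctl -sr` shows the rules in evaluation order and `pfctl -vsr` adds per-rule packet counters, which makes an early `block ... quick` that is eating the VPN traffic obvious.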