NAT and OpenVPN - SOLVED
-
First off, I apologize for the cross post. I posted this originally in the OpenVPN forum and after trying various things based on feedback, I think this is more of a NAT issue.
I had this working in a simpler configuration under 1.x. Now I've rebuilt my firewall with 2.03 and have dropped another DSL connection in.
So I have two LAN segments - 192.168.1.x and 192.168.2.x. And two WAN connections.
I've configured OpenVPN following the Wizard and I am able to connect to it and reach both internal LAN segments.
What I can't do is hit the Internet once connected. I have OpenVPN configured to funnel all traffic through the VPN (which is what I want).
It resolves DNS just fine. But when I try to go anywhere or even ping an internet address it goes nowhere. I'm running AON and manually added the NAT statement on the WAN interface that OpenVPN is configured on for the VPN pool (192.168.3.x). But still nothing.
I'm assuming I'm missing a basic step. I've pored through the forums and haven't found anything.
Any help would be greatly appreciated.
Thanks,
Joshua
-
You probably want another NAT rule on WAN_OFFICE for 192.168.3.0/24 - if that is your default gateway then the traffic being directed from the OpenVPN client, across the OpenVPN and to the real internet will go out your default gateway (unless you have some other policy routing rule on OpenVPN that directs it out WAN_HOME).
-
Hmmm. WAN_HOME is the default gateway, but I suppose it can't hurt to set the NAT on WAN_OFFICE as well right? I'll give it a try.
-
Strange labeling.
Mine are labeled like LAN outbound.
Openvpn1 Outbound
Openvpn2 Outbound
Basically just make sure that every subnet you want to be able to see the internet is represented.
So, the easy thing to do, go to your LAN rules that were already there and click the +
Then when the new rule pops up, change the subnet to whatever subnet you are assigning to Openvpn.
Now, that is outbound NAT.
Now, in the firewall rules, make sure that you have an entry there on openvpn that looks nearly identical to your default LAN rules. The important one is pass everything to anywhere. No need for anti lockout rules on the openvpn firewall rule.
But, if you post a pic of all firewall rules, outbound NAT rules and openvpn setup page, this will be done in just a few minutes.
-
Here are the OpenVPN settings and the Firewall Rules and the NAT screenshots as requested.
I know this can't be that complicated given what others do with pfsense. I can only assume like you said there is some simple setting that I have missed.
I really appreciate you checking out the configs and seeing if you can spot my blunder.
Thanks,
Joshua
-
Do you have a WINS server?
-
Try this for a moment. Remove the WINS server IP. No wins server.
Also, remove 192.168.1.1 in the DNS list you will supply to clients.
Try it with only the 8.8.8.8 and 8.8.4.4
See how it works.
-
Ok, so I managed to get it fixed. It looks like for some reason WAN_OFFICE got set as the default gateway. I thought WAN_HOME was set as the default. I only had the NAT for the 192.168.3.x (VPN Address Pool) set on the WAN_HOME interface. I had configured OpenVPN to run on the WAN_HOME interface so I figured that was the only place I needed to set the NAT. And I thought WAN_HOME was the default gateway.
So I configured the NAT on both the WAN_HOME interface and WAN_OFFICE. Now it works fine!
Thanks for all the help everyone!
Joshua
-
:-\
-
Your traffic coming in from across the OpenVPN (arriving on WAN_HOME OpenVPN server) and going to the internet is using WAN_OFFICE to get out to the internet. If you are happy with that, then don't mess with it.
I expect you could add a policy-routing rule on OpenVPN - make an alias "Internal-LANs" containing the LAN_HOME and LAN_OFFICE subnets. Then add the rule on OpenVPN, source any, destination !Internal_LANs, and gateway WAN_HOME - that should push that traffic out WAN_HOME instead of WAN_OFFICE.
-
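The three pieces this thread converges on (outbound NAT for the VPN pool on every WAN it can leave through, a pass-everything rule on the OpenVPN interface, and the optional policy-routing rule toward WAN_HOME) written out as pf rules in the style pfSense generates. This is an added illustration, not a configuration from the thread or from pfSense; the interface names, the WAN_HOME gateway address and the table name are assumptions.

```pf
# Added example, not from the thread. Interface names, the gateway
# address 203.0.113.1 and the table name are assumptions.
wan_home   = "em0"     # WAN_HOME: the WAN the OpenVPN server listens on
wan_office = "em1"     # WAN_OFFICE: the WAN that was really the default gateway
ovpn_if    = "ovpns1"  # pfSense OpenVPN server instance interface
vpn_pool   = "192.168.3.0/24"

# The "Internal-LANs" alias from the thread: anything NOT in this table
# is treated as internet-bound.
table <internal_lans> { 192.168.1.0/24, 192.168.2.0/24 }

# Outbound NAT. The VPN pool has to be translated on EVERY WAN it may exit
# through, not only the one the server listens on. With only the first
# line present and WAN_OFFICE as default gateway, client packets leave
# WAN_OFFICE with a private 192.168.3.x source and no reply ever returns,
# which is exactly the "DNS works, nothing else does" symptom above.
nat on $wan_home   from $vpn_pool to any -> ($wan_home)
nat on $wan_office from $vpn_pool to any -> ($wan_office)

# Optional policy routing: send internet-bound VPN traffic out WAN_HOME
# regardless of the system default gateway. It is "quick" and listed
# before the catch-all rule so it is matched first.
pass in quick on $ovpn_if route-to ($wan_home 203.0.113.1) inet \
    from $vpn_pool to !<internal_lans> keep state

# Catch-all pass rule on the OpenVPN interface, mirroring the default
# LAN "pass everything to anywhere" rule (no anti-lockout rule needed).
pass in quick on $ovpn_if inet from $vpn_pool to any keep state
```

Rule order matters: pfSense evaluates NAT before filter rules, and among `quick` filter rules the first match wins, so the policy-routing rule must precede the catch-all.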
I actually just set WAN_HOME as the default gateway so that takes the traffic back out that interface. I have the policy based routing on the LANs to send them out their respective WAN connections.