Netgate Discussion Forum
    Trying to understand NAT with VPN

mpboden

I set up pfSense (2.1-RELEASE (amd64)) a couple weeks back and configured the firewall as a VPN client to Private Internet Access (PIA). I did this so that all clients on my LAN are routed through the VPN. I pretty much followed this tutorial and everything is working as expected: http://www.komodosteve.com/archives/232

      Now here's the thing…although it's working, I don't understand some of the settings. Specifically with the need to change "Automatic outbound NAT" to "Manual Outbound NAT" (AON). Let me explain...

      When I have "Automatic outbound NAT" selected, the LAN traffic is correctly routed to the VPN tunnel, but it's not NAT'd to my VPN IP address as it enters the VPN tunnel. Furthermore, the VPN server is apparently not configured to NAT my LAN subnet, because it's unaware of what subnet I'm using. This makes sense and is the reason why I don't have internet access through the VPN.

      To fix, I have to NAT on my end, and this is accomplished by changing "Automatic outbound NAT" to "Manual Outbound NAT" (AON). Once this is done, I have internet access through the VPN.

      But I still want to know why I have to make this change. Why isn't my LAN automatically NAT'd when set to automatic mode?

      With "Automatic outbound NAT" selected, these are the automatic mappings created as seen in /tmp/rules.debug:

# Subnets to NAT
tonatsubnets	= "{ 192.168.1.0/24 127.0.0.0/8 0.0.0.0  }"
nat on $WAN  from $tonatsubnets port 500 to any port 500 -> xxx.xxx.xxx.xxx/32 port 500
nat on $WAN  from $tonatsubnets to any -> xxx.xxx.xxx.xxx/32 port 1024:65535

      After changing "Automatic outbound NAT" to "Manual Outbound NAT" (AON), these are the automatic mappings created as seen in /tmp/rules.debug:

# Outbound NAT rules
nat on $WAN  from 192.168.1.0/24 to any port 500 -> xxx.xxx.xxx.xxx/32  static-port
nat on $WAN  from 192.168.1.0/24 to any -> xxx.xxx.xxx.xxx/32 port 1024:65535
nat on $WAN  from 127.0.0.0/8 to any -> xxx.xxx.xxx.xxx/32 port 1024:65535
nat on $PIAVPN  from 192.168.1.0/24 to any port 500 -> 10.184.1.6/32  static-port
nat on $PIAVPN  from 192.168.1.0/24 to any -> 10.184.1.6/32 port 1024:65535
nat on $PIAVPN  from 127.0.0.0/8 to any -> 10.184.1.6/32 port 1024:65535

Can anyone explain this? Why is it that the necessary NAT mappings for my VPN interface are automatically created when I select "Manual Outbound NAT" (AON) but they're not automatically created when in "Automatic outbound NAT" mode? Doesn't that seem contradictory? I don't understand the logic. As soon as I switch to "Manual outbound NAT" the mappings are automatically created for my VPN interface. I'm not defining those manually myself. So shouldn't they be automatically created in automatic mode as well?

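A quick way to check for the condition the post describes (LAN subnet routed into the tunnel with no outbound NAT rule on the VPN interface) is to parse the "nat on" lines from /tmp/rules.debug. This is an added example, not code from the post or from pfSense; the two rule sets are constructed from the output quoted above, with a documentation address standing in for the redacted WAN IP.

```python
import ipaddress
import re

# Constructed samples in the /tmp/rules.debug format quoted above; 203.0.113.10
# is a placeholder for the redacted public address.
AUTO_MODE_RULES = """\
# Subnets to NAT
tonatsubnets = "{ 192.168.1.0/24 127.0.0.0/8 0.0.0.0  }"
nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 203.0.113.10/32 port 500
nat on $WAN  from $tonatsubnets to any -> 203.0.113.10/32 port 1024:65535
"""
MANUAL_MODE_RULES = """\
# Outbound NAT rules
nat on $WAN  from 192.168.1.0/24 to any -> 203.0.113.10/32 port 1024:65535
nat on $PIAVPN  from 192.168.1.0/24 to any port 500 -> 10.184.1.6/32  static-port
nat on $PIAVPN  from 192.168.1.0/24 to any -> 10.184.1.6/32 port 1024:65535
"""

MACRO_RE = re.compile(r'^(?P<name>\w+)\s*=\s*"\{\s*(?P<body>[^}]*)\}"')
NAT_RE = re.compile(r'^nat on \$(?P<iface>\w+)\s+from (?P<src>\S+)'
                    r'(?: port \S+)? to any(?: port \S+)? -> (?P<dst>[\d.]+)/32')

def parse_nat_rules(text):
    """Map each interface macro to the set of source networks it NATs,
    expanding pf macros such as $tonatsubnets defined earlier in the file."""
    macros, by_iface = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := MACRO_RE.match(line):
            macros[m['name']] = m['body'].split()
        elif m := NAT_RE.match(line):
            src = m['src']
            sources = macros.get(src[1:], []) if src.startswith('$') else [src]
            by_iface.setdefault(m['iface'], set()).update(sources)
    return by_iface

def lan_natted_on(text, vpn_iface, lan_subnet='192.168.1.0/24'):
    """True when some NAT rule on vpn_iface covers lan_subnet. False is the
    state in the post: LAN packets enter the tunnel with their private source
    address and the VPN server has no way to reply to them."""
    lan = ipaddress.ip_network(lan_subnet)
    for src in parse_nat_rules(text).get(vpn_iface, ()):
        try:
            if lan.subnet_of(ipaddress.ip_network(src, strict=False)):
                return True
        except ValueError:      # skip tokens that are not networks
            continue
    return False

if __name__ == '__main__':
    for name, rules in (('automatic', AUTO_MODE_RULES), ('manual', MANUAL_MODE_RULES)):
        print(name, 'mode: LAN NATed on $PIAVPN ->', lan_natted_on(rules, 'PIAVPN'))
```

Run against the real file with `open('/tmp/rules.debug').read()` and your OpenVPN interface macro name to confirm the VPN-side mapping exists after a reboot or an OpenVPN client restart.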
phil.davis

        That sounds like a timing bug. I am guessing that when the system first boots, the OpenVPN is not yet established, so there is no WAN-like link yet for it, and so no NAT rules to build. Then when it comes up, it gets a gateway etc, but (for whatever reason) does not get the Automatic NAT ruleset rebuilt.
        It sounds reproducible by you. And sounds like a home system. So I would first try 2.1.1-prerelease from snapshots.pfsense.org - there have been so many "little" things fixed up in that I would try it, and then report back if the problem is fixed or not. If it is not fixed, then I think it would be worth finding the point in the code where a NAT rule rebuild needs to be triggered.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

mpboden

          Thanks, Phil. I'll try your suggestion and get back to you.

          Mike

mpboden

            Hi Phil. I finally spent some time looking into this again, and I'm sorry to say that 2.1.1-prerelease reproduces the same symptoms.

            Additionally, I thought I'd add another observation that exists on both 2.1-release and 2.1.1-prerelease. You indicated that this might be a timing bug when the system first boots. If this is indeed a bug, then I think it may extend a bit further. Even after the system is booted, the NAT ruleset isn't rebuilt correctly for the VPN interface under either of the following conditions:

            • If the OpenVPN client is restarted while in "Automatic outbound NAT" mode

            • When outbound NAT is switched from "Manual Outbound NAT" to "Automatic outbound NAT"

            I might be wrong, but my logic dictates that the ruleset should be rebuilt (or at least evaluated) in both of these situations.

            So how do we move on from here?

            Thank you,

            Mike

phil.davis

              I had a look at the code, and it is internally inconsistent. Automatic NAT does not generate rules out OpenVPN interfaces with gateways. But when you press the "Manual" button and "Save", the code there does generate manual rules for you, as you have seen.
              In the code coming for 2.2 some of this stuff has been re-engineered and it looks consistent now - but it does not generate NAT rules out OpenVPN at all - which is not quite what you may be hoping for!
              I raised a bug in Redmine - https://redmine.pfsense.org/issues/3528
              We will see how the devs think it should be engineered.

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

mpboden

                Phil,

In a way, I have to say that this is excellent news, at least from the standpoint that it explains the situation. And honestly, my intention wasn't for NAT rules to be automatically generated. I really just wanted to understand why it automatically made the rules in manual mode and not in automatic mode. In the end, if the rules have to be manually entered, then so be it. At least it would be consistent.

                So thank you again for your time and for starting a bug report. I'll keep an eye on the progress.

                Best regards,

                Mike

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.