NAT stops working when I enable VPN client



  • Hi folks,

    I've been stuck on a problem now for a few days and have no hair left to pull out :(

    I have NAT set up and it works a treat (yay!)
    I then set up a VPN connection with a firewall rule which sends traffic from my laptop via the VPN by setting the gateway to the VPN. This too works well.

When this is set though, NAT reflection stops working on any computer sent through the VPN. I cannot (read: don't understand why) get it to work. Other computers however work OK.

    The odd thing though, to my noob mind, is that NAT stops working altogether from the outside world.

    I'm lost, I have slowly turned things on and off and tried to work out what is happening but cannot…

    Screenshots of various pages:


  • Rebel Alliance Global Moderator

How would it be NAT reflection if your source were your VPN IP address?

    Also your LAN to LAN rule is pointless; it never comes into play. pfSense has nothing to do with communication between devices on the LAN.

    Sniff your traffic on your WAN. Do you see inbound traffic for your forwarded service when a host going through your VPN connection tries to go there?



  • Hi Johnpoz,

    @johnpoz:

How would it be NAT reflection if your source were your VPN IP address?

    On reflection, I don't think it is anything to do with reflection. The VPN is connected now and I cannot see any of the servers behind NAT from work. If I disconnect the VPN then it'll work. So, I was wrong about it being NAT reflection.

    @johnpoz:

Also your LAN to LAN rule is pointless; it never comes into play. pfSense has nothing to do with communication between devices on the LAN.

    Noted, thanks. Not sure how or where that came from. Will remove it.

    @johnpoz:

Sniff your traffic on your WAN. Do you see inbound traffic for your forwarded service when a host going through your VPN connection tries to go there?

    Forgive my ignorance, how can I sniff on the WAN? I've only ever used Wireshark on a Windows box, not sniffed traffic which is "not mine".

    Seeing as I am at work now and it (NAT) does not seem to be working because the VPN is connected it suggests the traffic is going to the WAN and then getting stuck / lost / dropped. The domain I am going to is resolving to my WAN address.

    Regards,
    Fred.


  • Rebel Alliance Global Moderator

So the FQDN you use to resolve your actual pfSense WAN IP is what? This needs to resolve with the DNS you're using when you're routed out the VPN connection.

    As to sniffing, on pfSense under Diagnostics you can sniff any interface on the pfSense box. Then you can download it and view it in Wireshark if you want.



The FQDN is [edited].dyndns.org and resolves to 82.7.[edited].[edited], which is what is on my WAN. This resolves to the same IP when the VPN is connected.

    Noted on the sniff - will try that now.



  • Well, to my untrained eye it looks ok?

    [Pic removed]

    I see them coming in on the WAN and going out on the WAN address.



  • Could this post have anything to do with it? https://forum.pfsense.org/index.php?topic=80872.0

    As soon as I have more than one active gateway pfsense seems to ignore the default and send traffic via the VPN. I'm wondering if this is why it is getting lost…
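The suggestion in this thread is to capture on the interfaces and check whether inbound traffic for the forwarded service actually gets a reply out the same interface it came in on, or whether the policy-routing rule sends the reply out the VPN instead (asymmetric routing, which the remote client would see as a dead connection). The script below is an added example, not code from the thread or from pfSense: it correlates constructed, tcpdump-style capture lines from the WAN and the VPN client interface into flows and labels each inbound WAN flow as symmetric, asymmetric, or unanswered. The interface names (em0, ovpnc1), the WAN address 192.0.2.10 and all ports are assumptions chosen for the sample; a real capture from Diagnostics > Packet Capture would be run per interface and flattened into this one-line-per-packet form first.

```python
import re

# Constructed sample: one line per captured packet, a flattened view of what
# captures on the WAN (em0) and the OpenVPN client interface (ovpnc1) might
# show. Interface names, the WAN address 192.0.2.10 (RFC 5737 documentation
# range) and all ports are assumptions, not values from the thread.
SAMPLE_CAPTURE = """\
em0 in IP 203.0.113.7.51234 > 192.0.2.10.443: Flags [S]
ovpnc1 out IP 192.0.2.10.443 > 203.0.113.7.51234: Flags [S.]
em0 in IP 203.0.113.7.51234 > 192.0.2.10.443: Flags [S]
em0 in IP 198.51.100.3.40000 > 192.0.2.10.80: Flags [S]
em0 out IP 192.0.2.10.80 > 198.51.100.3.40000: Flags [S.]
em0 in IP 203.0.113.7.51235 > 192.0.2.10.443: Flags [S]
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+) (?P<dir>in|out) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Turn capture lines into dicts; lines that do not match the format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def flow_key(pkt):
    """Direction-independent key so a request and its reply land in the same flow."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


def find_asymmetric_flows(packets, wan_iface):
    """Classify every flow that arrived inbound on wan_iface.

    symmetric  - replies left on wan_iface only
    asymmetric - at least one reply left on another interface (e.g. the VPN)
    no-reply   - no reply seen on any captured interface (dropped, or sent
                 out an interface that was not captured)
    """
    flows = {}
    for pkt in packets:
        flow = flows.setdefault(flow_key(pkt), {
            "client": None, "service": None, "in_ifaces": set(), "reply_ifaces": set()})
        if pkt["dir"] == "in":
            if flow["client"] is None:
                flow["client"] = f'{pkt["src"]}:{pkt["sport"]}'
                flow["service"] = f'{pkt["dst"]}:{pkt["dport"]}'
            flow["in_ifaces"].add(pkt["iface"])
        else:
            flow["reply_ifaces"].add(pkt["iface"])

    report = []
    for flow in flows.values():
        if wan_iface not in flow["in_ifaces"]:
            continue  # only inbound WAN flows are of interest here
        if not flow["reply_ifaces"]:
            verdict = "no-reply"
        elif flow["reply_ifaces"] - {wan_iface}:
            verdict = "asymmetric"
        else:
            verdict = "symmetric"
        report.append({"client": flow["client"], "service": flow["service"],
                       "reply_ifaces": sorted(flow["reply_ifaces"]),
                       "verdict": verdict})
    return report


if __name__ == "__main__":
    for entry in find_asymmetric_flows(parse_capture(SAMPLE_CAPTURE), "em0"):
        print(f'{entry["client"]} -> {entry["service"]}: {entry["verdict"]} '
              f'(replies via {", ".join(entry["reply_ifaces"]) or "none"})')
```

In the sample, the first client's SYN arrives on em0 but the SYN-ACK leaves on ovpnc1, which is the asymmetric pattern a policy-routing rule with the VPN gateway would produce; the second flow is answered on em0 and is healthy; the third gets no reply on either captured interface. Running the same correlation over real per-interface captures tells you which of the two failure modes (reply misrouted vs. reply never sent) you are looking at before touching the rules.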