Netgate Discussion Forum

    NAT stops working when I enable VPN client

    • FarmerB3d

      Hi folks,

      I've been stuck on a problem now for a few days and have no hair left to pull out :(

      I have NAT set up and it works a treat (yay!)
      I then set up a VPN connection with a firewall rule which sends traffic from my laptop via the VPN by setting the gateway to the VPN. This too works well.

      When this is set though, NAT reflection stops working on any computer sent through the VPN. I cannot (read: don't understand why) get it to work. Other computers however work ok.

      The odd thing though, to my noob mind, is that NAT stops working altogether from the outside world.

      I'm lost, I have slowly turned things on and off and tried to work out what is happening but cannot…

      Screenshots of various pages:

      • johnpoz LAYER 8 Global Moderator

        How would it be nat reflection if your source would be your vpn IP address?

        Also your lan to lan rule is pointless - never comes into play.  Pfsense has nothing to do with communication between devices on the lan.

        Sniff your traffic on your wan - do you see inbound for your forwarded service? When host going through your vpn connection tries to go there?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • FarmerB3d

          Hi Johnpoz,

          @johnpoz:

          How would it be nat reflection if your source would be your vpn IP address?

          On reflection, I don't think it is anything to do with reflection. The VPN is connected now and I cannot see any of the servers behind NAT from work. If I disconnect the VPN then it'll work. So, I was wrong about it being NAT reflection.

          @johnpoz:

          Also your lan to lan rule is pointless - never comes into play.  Pfsense has nothing to do with communication between devices on the lan.

          Noted, thanks. Not sure how or where that came from. Will remove it.

          @johnpoz:

          Sniff your traffic on your wan - do you see inbound for your forwarded service? When host going through your vpn connection tries to go there?

          Forgive my ignorance, how can I sniff on the WAN? I've only ever used wireshark on a windows box - not sniffed traffic which is "not mine".

          Seeing as I am at work now and it (NAT) does not seem to be working because the VPN is connected it suggests the traffic is going to the WAN and then getting stuck / lost / dropped. The domain I am going to is resolving to my WAN address.

          Regards,
          Fred.

          • johnpoz LAYER 8 Global Moderator

            So the fqdn you use to resolve your actual pfsense wan IP is what - this needs to resolve with the dns you're using when you're routed out the vpn connection.

            As to sniffing, on pfsense under diagnostics you can sniff any interface on the pfsense box.  Then you can download it and view it in wireshark if you want.

            • FarmerB3d

              the fqdn is [edited].dyndns.org and resolves to 82.7.[edited].[edited] which is what is on my WAN. This resolves to the same IP when the VPN is connected.

              Noted on the sniff - will try that now.

              • FarmerB3d

                Well, to my untrained eye it looks ok?

                [Pic removed]

                I see them coming in on the WAN and going out on the WAN address.

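An added example, not part of any post in this thread: one way to check a WAN capture for what the posts above look at by eye, namely whether each inbound SYN to the forwarded service gets a SYN-ACK back out of the same interface. It assumes the capture has been rendered as `tcpdump -n` text lines; the addresses (documentation ranges), port 443 and the function name are constructed for illustration.

```python
import re

# Matches the IPv4 TCP lines of tcpdump -n text output.
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def unanswered_syns(lines, wan_ip, port):
    """Return sorted (client_ip, client_port) pairs whose SYN to wan_ip:port
    was never followed by a SYN-ACK from wan_ip:port in this capture."""
    pending = set()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # ARP, ICMP and anything else that is not IPv4 TCP/UDP
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        flags = m["flags"]
        is_syn = "S" in flags and "." not in flags
        is_synack = "S" in flags and "." in flags
        if is_syn and dst == wan_ip and dport == port:
            pending.add((src, sport))          # retransmits collapse in the set
        elif is_synack and src == wan_ip and sport == port:
            pending.discard((dst, dport))      # handshake reply left this interface
    return sorted(pending)

# Constructed sample capture on the WAN interface (WAN address 198.51.100.7).
CAPTURE = """\
12:00:01.100000 IP 203.0.113.10.51514 > 198.51.100.7.443: Flags [S], seq 100, win 64240, length 0
12:00:01.100800 IP 198.51.100.7.443 > 203.0.113.10.51514: Flags [S.], seq 900, ack 101, win 65535, length 0
12:00:01.130000 IP 203.0.113.10.51514 > 198.51.100.7.443: Flags [.], ack 901, win 502, length 0
12:00:02.000000 ARP, Request who-has 198.51.100.1 tell 198.51.100.7, length 28
12:00:03.200000 IP 203.0.113.20.40022 > 198.51.100.7.443: Flags [S], seq 500, win 64240, length 0
12:00:04.200000 IP 203.0.113.20.40022 > 198.51.100.7.443: Flags [S], seq 500, win 64240, length 0
"""

if __name__ == "__main__":
    for client in unanswered_syns(CAPTURE.splitlines(), "198.51.100.7", 443):
        print("no SYN-ACK seen on this interface for", client)
```

A non-empty result means the reply to that connection attempt was not seen on the captured interface, so the next capture to take is on the other interfaces the reply could have used.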
                • FarmerB3d

                  Could this post have anything to do with it? https://forum.pfsense.org/index.php?topic=80872.0

                  As soon as I have more than one active gateway pfsense seems to ignore the default and send traffic via the VPN. I'm wondering if this is why it is getting lost…
