• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

1:1 NAT over OpenVPN with gateway change -> not working

Scheduled Pinned Locked Moved NAT
3 Posts 2 Posters 1.5k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • A
    alie2n
    last edited by Dec 16, 2014, 4:46 PM Dec 16, 2014, 9:59 AM

    Hi,
    I have two pfsense boxes running that are connected with an OpenVPN tunnel (10.0.20.0/24). pfSense-1 has a /24 of official IP adresses and I'd like to make some lan servers behind pfSene-2 available via public ip adresses.
    I thought that I might be able to do it like this:

    • have a 1:1 NAT entry on pfsense-1 pointing to the lan adress of the server in the lan of pfsense-2
    • on pfsense-2 create a firewall rule with gateway changing for the server ip adress on the lan interface with the gateway pointing to the openvpn tunnel ip of pfsense-1
    • perhaps tune the outgoing nat rules on pfsense-1

    For this I had to assign an interface on pfsense-2 to the OpenVPN client instance in order to have a gateway to select for the firewall rule.

    Now to the problems I have…

    This above mentioned construct does not work as expected. The ip packets are nated correctly to the server ip adress on pfsense-1 and are transmitted via the OpenVPN tunnel to the server. The server responds and the response packets are received by pfsense-2.
    But pfsense-2 does not put the packets back onto the OpenVPN tunnel and instead puts them unnated to the wan-1 interface. And that I don't really understand.

    Here the ip addresses of the setup:

    • pfsense-1:

    • WAN IP: 83.135.8.14

    • 1:1 NAT IP: 189.174.231.18

    • LAN IP: 192.168.223.254/24

    • OpenVPN IP: 10.0.24.1/24

    • pfsense-2:

    • WAN IP-1: 63.91.33.207

    • WAN IP-2: 214.179.135.86

    • 1:1 NAT IP: 189.174.231.18

    • LAN IP: 192.168.14.1/24

    • OpenVPN IP: 10.0.24.6/24

    • server:

    • LAN IP: 192.168.14.11

    As far as I know until now it has something todo with the state tracking. As packets generated from the lan server are sent out correctly. But still after trying a lot of different rules I cannot get answer packets to leave via the openvpn interface. The answer packets leave pfsense-2 via pppoe2 (wan-1) which is the default gw without being nated…

    pfsense-openvpn-pfsense.jpg
    pfsense-openvpn-pfsense.jpg_thumb

    1 Reply Last reply Reply Quote 0
    • A
      alie2n
      last edited by Jan 9, 2015, 10:53 AM

      Bump. Has no one an idea what is going on here?

      1 Reply Last reply Reply Quote 0
      • M
        Moondew
        last edited by Jan 10, 2015, 8:57 PM

        Hi, I have had your example working with an IPsec tunnel and with a GRE tunnel.
        I too had an issue with state tracking, although not quite in the way you described.

        For me upgrading both ends to  2.2-RC (i386) built on Fri Jan 09 09:52:49 CST 2015 resolved my issue, perhaps it will help you too ?

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
          This community forum collects and processes your personal information.
          consent.not_received