Netgate Discussion Forum
    OpenVPN as a gateway with NAT

Category: Routing and Multi WAN
    12 Posts 2 Posters 2.0k Views
toyotahead:

I have set up an OpenVPN client as per the tutorial here: https://forum.pfsense.org/index.php?topic=29944.0 It is up and running fine and I can successfully direct specific LAN-based traffic out this path via rules.

However, inbound requests time out and do not show up in the firewall log. The associated NAT and FIREWALL rules are in place to allow this traffic and are ticked to log. Any thoughts on what may be happening that is impeding the inbound requests from NAT'ing?

According to the firewall logs there has been absolutely no inbound traffic registered on the interface associated with this VPN.

Oh, and if it matters… incoming port-based NAT works on the regular WAN (ISP direct connection) flawlessly.

Oh, and by viewing the packet sniffer, it would appear that the incoming requests are getting to the pfSense end of the VPN. But at that point there is no forwarding of them to the private IP, nor is there any entry in the firewall log for the same interface.

      Anyone able to help?

      2.2.3-RELEASE (amd64)
      Intel(R) Atom(TM) CPU C2758 @ 2.40GHz
      8 CPUs: 1 package(s) x 8 core(s)

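Added example for the symptom in this post (not code from the thread or from pfSense): a small shell check that confirms a port forward (a pf `rdr` rule) is actually present in the loaded ruleset for the interface the packets arrive on, which is the first thing to verify when a capture shows requests arriving but nothing is forwarded or logged. The `pfctl -sn` output is a constructed sample; the interface names (em0, ovpnc1), the port (8080) and the hosts are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check that a port forward (pf "rdr"
# rule) exists in the loaded ruleset for a given interface and port.
# Interface names, the port and all addresses below are constructed.

# Constructed stand-in for `pfctl -sn` output: the forward exists on the
# WAN (em0) but nothing was loaded for the OpenVPN client interface (ovpnc1).
SAMPLE_RULES='rdr on em0 inet proto tcp from any to 203.0.113.5 port = 8080 -> 192.168.1.10
rdr on em0 inet proto tcp from any to 203.0.113.5 port = 22 -> 192.168.1.20
nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535
nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1) port 1024:65535'

# rdr_rules_for RULES IFACE PORT
# Print every rdr rule in RULES bound to IFACE whose destination port is PORT.
rdr_rules_for() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v port="$3" '
        $1 == "rdr" && $3 == ifc {
            for (i = 1; i < NF - 1; i++)
                if ($i == "port" && $(i + 1) == "=" && $(i + 2) == port) {
                    print
                    break
                }
        }'
}

# count_rdr_rules RULES IFACE PORT -> number of matching rules. 0 means pf has
# nothing to translate the packets with, however they look in the GUI.
count_rdr_rules() {
    rdr_rules_for "$1" "$2" "$3" | awk 'END { print NR }'
}

# forward_target RULES IFACE PORT -> internal host of the first matching rule
# (empty when no rule matches).
forward_target() {
    rdr_rules_for "$1" "$2" "$3" |
        awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "->") print $(i + 1) }'
}

main() {
    # Use the live ruleset when run on the firewall itself, else the sample.
    if command -v pfctl >/dev/null 2>&1; then
        rules=$(pfctl -sn 2>/dev/null) || rules=$SAMPLE_RULES
    else
        rules=$SAMPLE_RULES
    fi
    for ifc in em0 ovpnc1; do
        n=$(count_rdr_rules "$rules" "$ifc" 8080)
        t=$(forward_target "$rules" "$ifc" 8080)
        echo "$ifc: $n rdr rule(s) for dst port 8080${t:+ -> $t}"
    done
}

main "$@"
```

On the firewall itself the script reads the live ruleset, so a count of 0 for the OpenVPN interface means the forward never made it into pf, regardless of what the GUI shows.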
n3by:

If you use a traffic limiter then it will break NAT… it is a bug and I'm not sure when it will be fixed.

toyotahead:

I had a limiter in use… Deleted and removed it. Still no go…

n3by:

Try to force all client traffic through the OpenVPN connection to see if it works to the internet, and reboot pfSense after changing the OpenVPN settings. If it does not work, then the firewall rules for OpenVPN need to be rebuilt/checked.

toyotahead:

              Ok.

              I did route-nopull for the vpn originally because I do not want all traffic over the VPN. But for test purposes I can do that…

And how would I rebuild/check the firewall rules for the OpenVPN connection?

              Thanks!!!

n3by:

Sorry, since you had this working on 2.2.2 and after the update to 2.2.3 it is not working, it's not an easy debug… In my opinion you have 2 choices: revert back to 2.2.2, or lose a day and try to reconfigure everything from zero on a clean install of 2.2.3, and maybe you will find the problem with your config… and another bug.

toyotahead:

                  I understand…

FYI, this is a clean install of 2.2.3. When I upgraded from 2.x (when all worked fine) I assumed there was a difference in the config between versions. So, as you suggest, I went with a clean 2.2.3 install and have been reconfiguring each service. This is the only one thus far that I have yet to get working again.

                  That said, do you believe I should still restart from scratch?

n3by:

Try to get confirmation from somebody who uses the same OpenVPN server / config that all is OK, so that you did not miss something in the config, and do not use a traffic limiter in this version.
If you use snort/suricata, pfBlocker, squid… try to configure/enable them only after you have set up the VPN and it is working.

I am using OpenVPN site-to-site + an OpenVPN server for clients in this version and all is OK without a traffic limiter; with a traffic limiter, nothing that needs NAT is working for me.

toyotahead:

Cool, well thanks for your input and guidance, n3by! I will poke around a bit more and see if I can narrow down what may be interfering. :)

toyotahead:

How would I rebuild/check the firewall rules for the OpenVPN connection?

toyotahead:

Well, that solved it. I did a format and clean install 3 times. The first 2 reinstalls progressively got worse. Services wouldn't start, quirky things happened… I was about to give up and gave it one last clean install. And VOILA! Everything is working as per the norm.

Now this realization really makes me question and wonder why… Is it a corrupted config file??? A dying SSD drive? (It's brand new, 2 months old.) Like, what else could cause such bizarre results???

toyotahead:

                            @n3by:

If you use a traffic limiter then it will break NAT… it is a bug and I'm not sure when it will be fixed.

And when you say the limiter breaks NAT… do you mean just the limiter, or all traffic shaping?

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.