Outbound NAT Subnetting for PIA OpenVPN Client



  • I've been reading through all of the documentation available on setting up an OpenVPN Client to send LAN traffic out through Private Internet Access (PIA).  These setup steps worked perfectly: Create CA Certificate, Create an OpenVPN Client, Create an OpenVPN Interface, Configure Outbound NAT rules.

    I am now in phase two of my setup and am working on further subnetting my network for outbound NAT.  Here is what I want to happen:
    192.168.1.0/26 out PIA (Static Assignments)
    192.168.1.64/26 out WAN (Static Assignments)
    192.168.1.128/25 out PIA (DHCP Pool)

    I have tried to make this setup work through Manual NAT settings, and whatever I'm doing wrong keeps knocking the 192.168.1.64/26 subnet offline.  The other two continue to send traffic out PIA as desired, but the .64 subnet only has LAN access.

    Any suggestions on the best means of setting this up?


  • LAYER 8 Netgate

    You do that with firewall rules, not NAT rules. As long as there are NAT rules for both interfaces (WAN and PIA) you are good.  The NAT rules can cover the whole LAN interface subnet. You don't have to worry about what you want routed where. The NAT rules only determine what happens when the routing table has already decided to send traffic out an interface.

    You want policy routing on firewall rules on LAN.

    https://doc.pfsense.org/index.php/What_is_policy_routing

    And you might need this for other local networks:

    https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
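    The layout the reply describes, written out as an added pf ruleset for the three subnets in the question. This is example code, not from the thread and not pfSense's generated ruleset; in the pfSense GUI the same thing is three LAN rules with the Gateway field set, preceded by a pass rule with no gateway for local destinations. The interface names (em0, em1, ovpnc1), both gateway addresses and the 192.168.1.0/24 LAN are assumptions.

    ```pf
    # Added example (not from the thread or from pfSense): the thread's three
    # subnets as pf rules. Interface names and gateway addresses are assumed.
    lan     = "em1"
    wan     = "em0"
    pia     = "ovpnc1"              # assumed OpenVPN client interface
    wan_gw  = "203.0.113.1"         # assumed WAN next hop
    pia_gw  = "10.8.0.1"            # assumed VPN server-side address
    lan_net = "192.168.1.0/24"

    table <to_pia>     { 192.168.1.0/26, 192.168.1.128/25 }  # static hosts + DHCP pool
    table <to_wan>     { 192.168.1.64/26 }                   # static hosts, plain WAN
    table <local_nets> { 192.168.1.0/24 }                    # add any other local subnets

    # Outbound NAT: one rule per egress interface, each covering the whole LAN.
    # NAT never picks the exit; it only rewrites the source after routing has.
    nat on $wan from $lan_net to any -> ($wan)
    nat on $pia from $lan_net to any -> ($pia)

    # LAN rules, first match wins. The bypass rule must sit above the
    # route-to rules, or traffic to other local subnets is forced out a gateway.
    pass in quick on $lan from $lan_net to <local_nets>
    pass in quick on $lan route-to ($pia $pia_gw) from <to_pia> to any
    pass in quick on $lan route-to ($wan $wan_gw) from <to_wan> to any
    ```

    With this ordering a host in 192.168.1.64/26 reaches other LAN hosts through the first rule and the public Internet through the WAN route-to rule, while the other two ranges go out PIA; neither NAT rule needs to know which subnet is which. Overlapping or wrongly ordered rules (a catch-all with a gateway above the bypass, or a WAN-out rule placed below a PIA rule that also matches) are the usual reason a single subnet ends up with LAN-only reachability.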



  • Great advice, which makes complete sense to me now. Makes me wonder how things were "working" previously, but at least I'm headed in the right direction now.

Here are my new issues.  I took your advice and set up a number of firewall LAN rules using Aliases for my three subnets. It didn't fully work. The WAN-out traffic couldn't get out. I then tried changing my default gateway to the PIA interface and adding only one firewall rule for the WAN-out subnet, and it still didn't work. Lastly, I tried setting up the WAN-out rule for a single static IP and was still unable to get out of the LAN.

    I've got to be missing something completely obvious with this.


  • LAYER 8 Netgate

    You'll have to post your rules.

