Netgate Discussion Forum

    Outbound NAT Subnetting for PIA OpenVPN Client

      ryguymcs

      I've been reading through all of the documentation available on setting up an OpenVPN Client to send LAN traffic out through Private Internet Access (PIA).  These setup steps worked perfectly: Create CA Certificate, Create an OpenVPN Client, Create an OpenVPN Interface, Configure Outbound NAT rules.

      I am now in phase two of my setup and am working on further subnetting my network for outbound NAT.  Here is what I want to happen:
      192.168.1.0/26 out PIA (Static Assignments)
      192.168.1.64/26 out WAN (Static Assignments)
      192.168.1.128/25 out PIA (DHCP Pool)

      I have tried to make this setup work through Manual NAT settings, and whatever I'm doing wrong keeps knocking the 192.168.1.64/26 subnet offline.  The other two continue to send traffic out PIA as desired, but the .64 subnet only has LAN access.

      Any suggestions on the best means of setting this up?

        Derelict (Netgate)

        You do that with firewall rules, not NAT rules. As long as there are NAT rules for both interfaces (WAN and PIA) you are good.  The NAT rules can cover the whole LAN interface subnet. You don't have to worry about what you want routed where. The NAT rules only determine what happens when the routing table has already decided to send traffic out an interface.

        You want policy routing on firewall rules on LAN.

        https://doc.pfsense.org/index.php/What_is_policy_routing

        And you might need this for other local networks:

        https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          ryguymcs
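To make the order of operations in the reply above concrete, here is an added example (not from the thread or from pfSense itself) that models how LAN firewall rules pick the gateway first and outbound NAT only translates afterwards, using the three subnets from the question. Gateway names, interface names, the bypass rule for LAN-local traffic and the translation addresses are assumptions for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")
DEFAULT_GATEWAY = "WANGW"                               # assumed gateway name
GATEWAY_IFACE = {"WANGW": "WAN", "PIA_VPNV4": "PIA"}    # assumed interface names

# LAN firewall rules (policy routing), evaluated top to bottom, first match wins.
# gateway=None means "let the routing table decide": that is the bypass rule
# that keeps LAN-to-LAN traffic from being pushed out a gateway.
LAN_RULES = [
    {"src": "192.168.1.0/24",   "dst": "192.168.1.0/24", "gateway": None},
    {"src": "192.168.1.0/26",   "dst": "0.0.0.0/0",      "gateway": "PIA_VPNV4"},
    {"src": "192.168.1.64/26",  "dst": "0.0.0.0/0",      "gateway": "WANGW"},
    {"src": "192.168.1.128/25", "dst": "0.0.0.0/0",      "gateway": "PIA_VPNV4"},
]

# Outbound NAT keyed by egress interface; each mapping covers the whole LAN.
# Translation addresses are constructed sample values.
OUTBOUND_NAT = {
    "WAN": {"src": "192.168.1.0/24", "to": "203.0.113.10"},
    "PIA": {"src": "192.168.1.0/24", "to": "10.8.0.6"},
}

def _match(rule, src, dst):
    return (src in ipaddress.ip_network(rule["src"])
            and dst in ipaddress.ip_network(rule["dst"]))

def egress_interface(src, dst, rules=LAN_RULES):
    """Step 1: the firewall rule chooses the gateway; the routing table is
    consulted only when the matching rule sets no gateway (or none matches)."""
    for rule in rules:
        if _match(rule, src, dst):
            if rule["gateway"] is not None:
                return GATEWAY_IFACE[rule["gateway"]]
            break
    return "LAN" if dst in LAN else GATEWAY_IFACE[DEFAULT_GATEWAY]

def route(src_ip, dst_ip, rules=LAN_RULES, nat=OUTBOUND_NAT):
    """Step 2: outbound NAT runs only once the egress interface is known.
    Returns (interface, translated source or None); None means the private
    source leaves untranslated, so the egress interface has no usable NAT."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    iface = egress_interface(src, dst, rules)
    mapping = nat.get(iface)
    if mapping and src in ipaddress.ip_network(mapping["src"]):
        return iface, mapping["to"]
    return iface, None
```

Dropping the WAN mapping from `OUTBOUND_NAT`, or dropping the first rule, shows the two failure modes the reply warns about: WAN-bound hosts leave untranslated, and LAN-to-LAN traffic gets policy-routed out PIA.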

          Great advice, which makes complete sense to me now. Makes me wonder how things were "working" previously, but at least I'm headed in the right direction now.

          Here are my new issues.  I took your advice and set up a number of firewall LAN rules using Aliases for my three subnets. It didn't fully work. The WAN-out traffic couldn't get out. I then tried changing my default gateway to the PIA interface and adding only one firewall rule for the WAN-out subnet, and it still didn't work. Lastly, I tried setting up the WAN-out rule for a single static IP and was still unable to get out of the LAN.

          I've got to be missing something completely obvious with this.

            Derelict (Netgate)

            You'll have to post your rules.
