SOLVED: LAN NAT of remote over OpenVPN
Hi folks,
I have a problem getting LAN traffic to NAT/route over OpenVPN. Here's my setup:
Site A
- has the current version of pfSense running OK
- is configured with an OpenVPN server
Site B
- is my laptop
- has pfSense running in a VM to route all traffic from the laptop and VMs
- is configured with an OpenVPN client and seems to be working per diagnostics
When the OpenVPN client in site B's pfSense is stopped/disabled, site B's pfSense works as expected. When the OpenVPN client is running:
- I can see the IP (vpn.network.ip.2) and the DHCP server IP (vpn.network.ip.1)
- Diagnostics' traceroute on site B's pfSense shows proper routing when the source is the OpenVPN NIC or the OpenVPN client
- Any traffic to the internet on site B's LAN network is not working, including diagnostics' traceroute.
Do I need to add route mapping to site B's pfSense? To rule out any firewall issue, I've added one rule allowing any source to any destination on both the server's and the client's OpenVPN NICs.
Here's my site B's (obfuscated) routes:

Destination            Gateway               Flags  Use    Mtu    Netif   Expire
0.0.0.0/1              open.vpn.network.1    UGS    3      1500   ovpnc1
default                site.b.wan.1          UGS    20950  1500   vtnet0
8.8.4.4                open.vpn.network.1    UGHS   2      1500   ovpnc1
8.8.8.8                open.vpn.network.1    UGHS   2      1500   ovpnc1
site.b.lan2.0/24       link#3                U      58263  1500   vtnet2
site.b.lan2.1          link#3                UHS    0      16384  lo0
127.0.0.1              link#6                UH     1030   16384  lo0
128.0.0.0/1            open.vpn.network.1    UGS    16     1500   ovpnc1
site.a.public.ip/32    site.b.wan.1          UGS    88     1500   vtnet0
site.b.wan.0/24        link#1                U      0      1500   vtnet0
site.b.wan.1           52:54:00:xx:xx:xx     UHS    10512  1500   vtnet0
site.b.wan.230         link#1                UHS    0      16384  lo0
site.b.lan1.0/24       link#2                U      20494  1500   vtnet1
site.b.lan1.1          link#2                UHS    0      16384  lo0
open.vpn.network.0/24  open.vpn.network.2    UGS    0      1500   ovpnc1
open.vpn.network.1     link#8                UH     8      1500   ovpnc1
open.vpn.network.2     link#8                UHS    0      16384  lo0

open.vpn.network.1 = Site A's & DHCP IP on the OpenVPN server NIC
open.vpn.network.2 = Site B's OpenVPN client IP
site.b.wan.1 = Site B's WAN gateway
site.b.wan.230 = Site B's WAN IP
site.b.lan1 = Site B's LAN 1 network
site.b.lan2 = Site B's LAN 2 network

Thanks in advance,
Tommy
Figured out the root cause. Changed NAT outbound to hybrid and added the rules for the LAN within site B's pfSense. :D
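Why the routing table above was already correct and the missing piece was outbound NAT, as an added Python example (not code from the thread or from pfSense): it rebuilds site B's table with constructed addresses (10.10.1.0/24 and 10.10.2.0/24 for the two LANs, 10.8.0.0/24 for the tunnel, 198.51.100.0/24 for WAN, 203.0.113.10 for site A) and does a longest-prefix route lookup followed by pf-style first-match NAT. The split between "Automatic" outbound NAT (rules only on the assigned WAN interface) and the "Hybrid" rules that fixed the problem is an assumption about how pfSense generates its rule set, modelled here rather than read from pfSense.

```python
"""Route + outbound-NAT lookup over a FreeBSD/pfSense-style routing table.

Added example, not from the forum post or pfSense. All addresses below are
constructed stand-ins for the obfuscated names in the post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

VPN_SERVER = "10.8.0.1"        # open.vpn.network.1
VPN_CLIENT = "10.8.0.2"        # open.vpn.network.2
WAN_GW     = "198.51.100.1"    # site.b.wan.1
WAN_IP     = "198.51.100.230"  # site.b.wan.230
SITE_A     = "203.0.113.10"    # site.a.public.ip
LAN1       = "10.10.1.0/24"    # site.b.lan1
LAN2       = "10.10.2.0/24"    # site.b.lan2

# Same shape as the `netstat -rn` output in the post: (destination, gateway, interface).
# "default" is 0.0.0.0/0; host routes (flag H) are written as /32; a gateway of
# None means the network is directly connected.
ROUTES = [
    ("0.0.0.0/1",       VPN_SERVER, "ovpnc1"),  # first half of redirect-gateway def1
    ("0.0.0.0/0",       WAN_GW,     "vtnet0"),  # default via WAN
    ("8.8.4.4/32",      VPN_SERVER, "ovpnc1"),  # pushed DNS host routes
    ("8.8.8.8/32",      VPN_SERVER, "ovpnc1"),
    (LAN2,              None,       "vtnet2"),
    ("128.0.0.0/1",     VPN_SERVER, "ovpnc1"),  # second half of redirect-gateway def1
    (SITE_A + "/32",    WAN_GW,     "vtnet0"),  # keeps the tunnel transport off the tunnel
    ("198.51.100.0/24", None,       "vtnet0"),
    (LAN1,              None,       "vtnet1"),
    ("10.8.0.0/24",     VPN_CLIENT, "ovpnc1"),
]

# Assumption: pfSense "Automatic" outbound NAT only creates rules on the assigned
# WAN interface; the unassigned OpenVPN client interface ovpnc1 gets none.
# Rule shape: (egress interface, source network, translated source address).
AUTOMATIC = [
    ("vtnet0", LAN1, WAN_IP),
    ("vtnet0", LAN2, WAN_IP),
]
# "Hybrid" keeps the automatic rules and adds manual ones; these are the kind of
# rules the thread's fix added for the LANs on the OpenVPN interface.
HYBRID = AUTOMATIC + [
    ("ovpnc1", LAN1, VPN_CLIENT),
    ("ovpnc1", LAN2, VPN_CLIENT),
]


@dataclass(frozen=True)
class Hop:
    iface: str
    gateway: Optional[str]  # None = directly connected


def lookup(dst: str, routes=ROUTES) -> Hop:
    """Longest-prefix match: the two /1 routes beat default, the /32 beats the /1."""
    addr = ip_address(dst)
    best = None
    for net, gw, iface in routes:
        n = ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return Hop(iface=best[2], gateway=best[1])


def outbound(src: str, dst: str, nat_rules) -> tuple[str, str]:
    """Return (egress interface, source address as seen on the wire).

    Translation rules are first-match, as pf's nat rules are. With no matching
    rule the packet leaves ovpnc1 with its private LAN source intact; the
    OpenVPN server at site A has no route back to that LAN, so replies never
    return, which is the symptom described in the post.
    """
    hop = lookup(dst)
    s = ip_address(src)
    for iface, net, to in nat_rules:
        if iface == hop.iface and s in ip_network(net):
            return hop.iface, to
    return hop.iface, src


if __name__ == "__main__":
    for label, rules in (("automatic", AUTOMATIC), ("hybrid", HYBRID)):
        iface, seen = outbound("10.10.1.50", "1.1.1.1", rules)
        print(f"{label:9}: LAN1 host -> 1.1.1.1 leaves {iface} with source {seen}")
    print("tunnel transport:", outbound(WAN_IP, SITE_A, HYBRID))
```

On the real box the check is `pfctl -sn` on site B's pfSense: if no `nat on ovpnc1` line covers the LAN subnets, LAN traffic is reaching the tunnel untranslated exactly as the model shows, however correct the routing table looks.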