Outbound NAT with WAN and VPN - NAT confusion?



  • Hi.
    Thanks for a great forum. I've had pfsense up and running a year and a half and it works like a charm.
    First of all, I'm really new at this but am trying to learn as a hobby.

    I've had a VPN client set up where the default traffic has gone through the VPN, but with a few exceptions set up as firewall rules. I never really figured out how the VPN became the default gateway, and that's what I'm trying to figure out now.

    Basically what I did was the following (I followed a guide):
    1. Created the CA.
    2. Set up the client and confirmed the client connects.
    3. Created a new interface for the VPN and enabled it.
    4. Set outbound NAT to manual and mirrored the existing WAN rule for the VPN.
    Voila, all was working and the traffic was routed through the new VPN by default, but how? Under System Information -> Routing it says WAN is the default, something I'd expect, I guess, as otherwise how would the VPN client be able to connect?

    The existing firewall rule was basically just allow all to all from all (* * *).

    So does it come down to the order of the outbound NAT rules?
    But the top NAT rule is the WAN one and immediately below it is the VPN rule, and still the VPN is the default?
    Does it read from the bottom up and the first hit becomes the rule? Or vice versa, the last one becomes the default?

    I'm trying to get two or even three VPN connections up and running, with one as the default and the other two selected per firewall rules, so I'd be extremely grateful if a kind soul could please clarify the outbound NAT behaviour.

    Thanks,
    Knut



  • @kncar77:

    Voila, all was working and the traffic was routed through the new VPN by default, but how? Under System Information -> Routing it says WAN is the default, something I'd expect, I guess, as otherwise how would the VPN client be able to connect?

    The existing firewall rule was basically just allow all to all from all (* * *).

    I guess you get the default route pushed from the VPN server. This can be checked in Diagnostics > Routes while the VPN client is connected.

    @kncar77:

    So does it come down to the order of the outbound NAT rules?
    But the top NAT rule is the WAN one and immediately below it is the VPN rule, and still the VPN is the default?
    Does it read from the bottom up and the first hit becomes the rule? Or vice versa, the last one becomes the default?

    The outbound NAT rules are checked against their match criteria from top to bottom, just like the firewall rules. But the WAN rules don't match VPN traffic, because it's going out the VPN interface, since it's routed to the VPN server by the default route mentioned above.
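
The reply's two points, that the egress interface is decided by the routing table first and that outbound NAT is then matched top to bottom on that interface, can be seen in a small simulation. This is an added example, not code from the thread or from pfSense: the routing table, interface names (OVPNC1, WAN, LAN), server address and NAT rules are constructed. It assumes the pushed "default route" takes the form OpenVPN's redirect-gateway def1 uses (two /1 routes that beat the /0 route by longest-prefix match), which is one way the GUI can still report WAN as the default gateway while all traffic leaves via the tunnel; the thread itself only says a default route is pushed.

```python
import ipaddress

# Constructed routing table. The two /1 entries mimic what an OpenVPN server
# pushes with "redirect-gateway def1" (assumption); they are more specific than
# the /0 system default, so longest-prefix match sends traffic to OVPNC1 while
# the /0 route (and hence the GUI's "default gateway") still points at WAN.
ROUTES = [
    ("0.0.0.0/0",       "WAN"),     # system default gateway
    ("0.0.0.0/1",       "OVPNC1"),  # pushed by the VPN server
    ("128.0.0.0/1",     "OVPNC1"),  # pushed by the VPN server
    ("203.0.113.10/32", "WAN"),     # host route to the VPN server (keeps the tunnel up)
    ("192.168.1.0/24",  "LAN"),     # directly connected LAN
]

# Constructed outbound NAT rules, in the order shown in the GUI (top first).
NAT_RULES = [
    {"interface": "WAN",    "source": "192.168.1.0/24", "nat_to": "WAN address"},
    {"interface": "OVPNC1", "source": "192.168.1.0/24", "nat_to": "OVPNC1 address"},
]


def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def outbound_nat(src, dst, rules=NAT_RULES, routes=ROUTES):
    """Routing decides the interface; then NAT rules are walked top to bottom
    and the first rule whose interface and source match is applied.
    Returns (egress interface, translation address or None)."""
    iface = egress_interface(dst, routes)
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule["interface"] == iface and src_ip in ipaddress.ip_network(rule["source"]):
            return iface, rule["nat_to"]
    return iface, None  # no matching rule: packet leaves untranslated


if __name__ == "__main__":
    lan_host = "192.168.1.10"
    # Internet-bound traffic: leaves via the tunnel, so only the OVPNC1 rule matches.
    print(outbound_nat(lan_host, "8.8.8.8"))
    # Traffic to the VPN server itself: the /32 host route keeps it on WAN.
    print(outbound_nat(lan_host, "203.0.113.10"))
    # Swapping the rule order changes nothing, because the rules differ in interface.
    print(outbound_nat(lan_host, "8.8.8.8", rules=list(reversed(NAT_RULES))))
    # With the pushed routes gone (tunnel down), the same traffic falls back to WAN.
    no_vpn = [r for r in ROUTES if r[1] != "OVPNC1"]
    print(outbound_nat(lan_host, "8.8.8.8", routes=no_vpn))
```

The order of the two NAT rules is irrelevant here precisely because each is bound to a different interface; order only matters between rules that can both match the same packet on the same interface, where the first one wins.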

