
Topic: quick NAT question


Offline Spectrum48k

  • Jr. Member
quick NAT question
« on: November 08, 2017, 06:55:13 am »
Can someone explain please, in layman's terms, if and why I need to make an additional entry to my Firewall > NAT > Outbound rules, if I plan on adding an OpenVPN client?

At present the pfSense box is a simple set-up at home: it just lets PCs onto the internet by giving each an IP address from the box's DHCP server, no OpenVPN at all at this point.

I want to add an OpenVPN client so *some* PCs are directed straight to the OpenVPN provider instead of my normal internet provider.

At present my NAT rules are totally standard, nothing added yet to support the OpenVPN client, but I'm confused as to WHY I need an additional NAT rule for OpenVPN?

Is it because an additional NAT forwarding table is required?

Thanks in advance



pfSense 2.4.1
Intel Atom E3845 Quad Core 1.9GHz AES-NI
Intel WG82583 Gigabit Ethernet x4
pico-ITX form factor
16GB mSATA
2GB DDR3L

Offline johnpoz

  • Hero Member
  • Not a pfSense employee, they cannot fire me...
Re: quick NAT question
« Reply #1 on: November 08, 2017, 07:08:21 am »
Not sure where you got the idea that you would need an extra outbound NAT if you're just going to run an OpenVPN client on some PC behind pfSense. There is no need for this.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.2-RELEASE on VM esxi 6.5 (home)

Offline Spectrum48k

  • Jr. Member
Re: quick NAT question
« Reply #2 on: November 08, 2017, 07:36:58 am »
> Not sure where you got the idea that you would need an extra outbound NAT if you're just going to run an OpenVPN client on some PC behind pfSense. There is no need for this.

Thank you, that's what I thought.

So assuming my laptop needed to go out to my OpenVPN provider, and the rest just needed to use my internet provider, then this is set up in...

Firewall > Rules > LAN

Correct?


Offline johnpoz

  • Hero Member
  • Not a pfSense employee, they cannot fire me...
Re: quick NAT question
« Reply #3 on: November 08, 2017, 08:47:28 am »
Your client talking to some VPN provider is out on the internet. There is nothing special you have to do anywhere in pfSense for that to happen. The VPN server your client is talking to is on the internet, like the rest of the internet.

Unless you have changed the default any/any rule pfSense out of the box has on your LAN, there is nothing you would have to do to allow your PC behind pfSense to talk to some VPN provider out on the internet.

Think maybe you're confusing this with the stuff that has to be done if you want pfSense to be the VPN client and route specific clients on your network to use the VPN connection, while others just use your ISP connection. If the client making the connection to the VPN service is a PC on your network, there is nothing to do on pfSense for that to happen.

Offline Spectrum48k

  • Jr. Member
Re: quick NAT question
« Reply #4 on: November 08, 2017, 09:15:03 am »
> Your client talking to some VPN provider is out on the internet. There is nothing special you have to do anywhere in pfSense for that to happen. The VPN server your client is talking to is on the internet, like the rest of the internet.
>
> Unless you have changed the default any/any rule pfSense out of the box has on your LAN, there is nothing you would have to do to allow your PC behind pfSense to talk to some VPN provider out on the internet.
>
> Think maybe you're confusing this with the stuff that has to be done if you want pfSense to be the VPN client and route specific clients on your network to use the VPN connection, while others just use your ISP connection. If the client making the connection to the VPN service is a PC on your network, there is nothing to do on pfSense for that to happen.

Apologies, let me clarify: the pfSense box IS acting as the OpenVPN client in this scenario.

I want the laptop to have its static IP recognised by the pfSense box, which in turn sends it to the OpenVPN provider's server.
I want all other PCs to simply go to my regular internet provider.
I know it seems silly to have the pfSense box act as the OpenVPN client for one device, but my intention is to add several more devices in future that need OpenVPN.
I know it seems silly, to have the pfsense box act as the openVPN client for one device, but my intention is to add several more devices in future that need openVPN

« Last Edit: November 08, 2017, 09:18:23 am by Spectrum48k »

Offline johnpoz

  • Hero Member
  • Not a pfSense employee, they cannot fire me...
Re: quick NAT question
« Reply #5 on: November 08, 2017, 09:45:58 am »
Oh my bad... Sorry, I read that as you were going to run the OpenVPN client on the PC. I misread your post, sorry about that.

If you want to set up pfSense as the client, then yes, you would need to modify your outbound rules to be able to NAT your network to the OpenVPN interface you create when you create the client connection.

This is as simple as switching to hybrid mode and then adding an outbound rule to allow NAT of your internal network(s) that you want to be able to use the VPN interface.

Since you don't want all your clients to use the VPN, make sure you set your VPN client in pfSense NOT TO PULL routes. Then, on the pfSense interface where the client you want to use the VPN sits, just create a rule sending that client, based on its IP, or via destination address or port, out the VPN gateway you created.

Make sure on these rules that you remember that rules are evaluated top down: the first rule to match wins and no other rules are evaluated. So if you want clients to be able to talk to other local networks and such on your local side, you need to make sure rules allowing that access are above this rule, before you shove the client down the VPN gateway.

Hope that helps.. And again sorry I misread your post it seems.

Offline Spectrum48k

  • Jr. Member
Re: quick NAT question
« Reply #6 on: November 09, 2017, 11:22:50 am »
OK, so to re-ask the original question: why do we need to add the additional NAT rule for the OpenVPN client we'll be adding to pfSense?
« Last Edit: November 09, 2017, 05:08:45 pm by Spectrum48k »

Offline johnpoz

  • Hero Member
  • Not a pfSense employee, they cannot fire me...
Re: quick NAT question
« Reply #7 on: Today at 04:22:22 am »
Why? So pfSense knows to NAT the clients to the VPN IP it got. Unless your VPN server knows all about your downstream networks, i.e. how to get to say 192.168.1.0/24 (your clients) via its VPN tunnel (172.16.0.0/30 as an example), yes, you have to NAT it.
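Replies #5 and #7 between them describe the whole recipe: hybrid outbound NAT with a rule for the OpenVPN interface, a client that does not pull routes, a policy-routing rule for the laptop on LAN, and local-network rules placed above it. Written out as the pf rules pfSense would end up generating, the pieces look like the excerpt below. This is an added illustration, not text from the thread and not pfSense's own generated ruleset; the interface names (em0, em1, ovpnc1), the addresses and the second local network are assumptions chosen for the example.

```pf
# Constructed pf.conf excerpt approximating what pfSense 2.4 builds for the
# set-up in this thread. All names and addresses are assumptions:
#   em0    = WAN
#   em1    = LAN, 192.168.1.0/24; the laptop is 192.168.1.50
#   ovpnc1 = the OpenVPN client interface; remote tunnel gateway 10.8.0.1
#   192.168.2.0/24 = another local network that must stay reachable directly

# --- Outbound NAT (Firewall > NAT > Outbound, Hybrid mode) ---
# Automatic rule pfSense already has: LAN hosts leaving via the ISP are
# translated to the WAN address.
nat on em0 inet from 192.168.1.0/24 to any -> (em0) port 1024:65535

# The extra rule the thread is about. Traffic leaving via the tunnel is
# translated to the tunnel address. Without it the packet leaves with source
# 192.168.1.50, and the provider's server has no route back to 192.168.1.0/24,
# so the reply never returns.
nat on ovpnc1 inet from 192.168.1.0/24 to any -> (ovpnc1) port 1024:65535

# --- LAN rules (Firewall > Rules > LAN): top down, first match wins ---
# 1. Local networks first, so the laptop still reaches them directly instead
#    of being shoved down the tunnel (and NATed to the tunnel address).
pass in quick on em1 inet from 192.168.1.50 to { 192.168.1.0/24, 192.168.2.0/24 } keep state

# 2. Policy route: only the laptop is sent out the VPN gateway.
pass in quick on em1 route-to (ovpnc1 10.8.0.1) inet from 192.168.1.50 to any keep state

# 3. Everyone else: the default LAN any/any rule, routed via the normal ISP path.
pass in quick on em1 inet from 192.168.1.0/24 to any keep state
```

Two practical notes. The "Don't pull routes" checkbox on the pfSense OpenVPN client corresponds to OpenVPN's `route-nopull` directive; without it the provider can push a default route and every host, not just the laptop, ends up in the tunnel. And because a policy-routing rule whose gateway is down is by default rebuilt without the gateway, the laptop would silently fall back to the ISP if the tunnel drops; the "Skip rules when gateway is down" option under System > Advanced > Miscellaneous makes pfSense drop the rule entirely instead, which is the behaviour you want if the point of the VPN is that the laptop's traffic never leaves via the ISP.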