NAT Outbound And VPN

Started by framura, June 21, 2016, 10:25:18 PM

June 21, 2016, 10:25:18 PM Last Edit: June 23, 2016, 08:44:03 AM by framura
Hi,

I have a problem with NAT Outbound and my VPN configuration.

Months ago I set up OpenVPN (client) with my VPN provider and I set up (Firewall->NAT->Outbound) some manual rules like

192.168.2.0/24 on VPN interface (to force VPN on every device on my LAN).

All works very well.

Now I would like to set up an exception: for a specific device, 192.168.2.12, I want to use the WAN interface and not the VPN.

So I added another rule for 192.168.2.12/32, as the first rule, but this device always uses the VPN interface.

So, where is my mistake?

Thanks for your help.

I also tried to add a specific rule on Firewall->Rules for the above device, but it doesn't work.

Just a little help?

Thanks in advance

Hi framura,

I just read the pf.conf manual and it states the order you tried should be the correct one, so:

(1) Are you using hybrid mode or manual mode?

(2) When the rules are in place, can you check /tmp/rules.debug if the single host NAT rule is there and that it really is the first rule?


Cheers,
Franco

Thanks franco.

I use hybrid mode.

Now I removed all the new rules, but I don't know if I need to add rules on Outbound (Firewall->NAT->Outbound) and/or rules on Firewall->Rules.

Now I will try to add a new rule on NAT Outbound for my specific device and I will check /tmp/rules.debug.

Thanks

Just tried: before the new rule I get from /tmp/rules.debug

(192.168.2.1 is my opnsense router (LAN), 192.168.1.1 is my Internet router)

nat on $PROVIDERVPN  from 192.168.2.0/24 to any -> ip_gateway_VPN/32 port 1024:65535
nat on $PROVIDERVPN  from 192.168.2.0/24 to any port 500 -> ip_gateway_VPN/32  static-port
nat on $PROVIDERVPN  from 127.0.0.0/8 to any -> ip_gateway_VPN/32 port 1024:65535
nat on $PROVIDERVPN  from 127.0.0.0/8 to any port 500 -> ip_gateway_VPN/32  static-port

and then

tonatsubnets  = "{ 127.0.0.0/8 192.168.2.0/24 }"
nat on $WAN  from $tonatsubnets to any port 500 -> 192.168.1.7/32  static-port
nat on $WAN  from $tonatsubnets to any -> 192.168.1.7/32 port 1024:65535

So I added a new rule for 192.168.2.12 and I get

nat on $WAN  from 192.168.2.12/32 to any -> 192.168.1.7/32 port 1024:65535

before the above rules.

I tried again from the 192.168.2.12 device (it's a Blu-ray player), but I get the VPN address (I checked with ipleak.net in a browser).

Have you any idea?

Thanks

Hi framura,

The routing table decides which interface will be used outbound.
Afterwards, the NAT rules for that single interface are used.

So it depends on the destination and the routing table.

If you try to access 1.1.1.1 and you have a route which sends that traffic through OpenVPN, then the NAT rules on the OpenVPN interface are followed.
If you try to access 99.99.99.99 and you have a route which sends that through your WAN interface, then those NAT rules are used.

To influence which interface is used outbound, you can use policy-based routing.
This is done on OPNsense by changing the gateway inside a firewall rule.
So let's assume you use the default LAN out rule and nothing else; then you could:

  • add a rule above that LAN rule which allows traffic from 192.168.2.12 to destinations of your choice (maybe any?)
  • in the "Advanced features" section of that rule, change the gateway from "default" to the gateway representing your internet router.

Afterwards, traffic coming from 192.168.2.12 to the specified destinations will go out through the WAN interface and not OpenVPN.
You do not need to add additional outbound NAT rules, because what you defined is already included in
nat on $WAN  from $tonatsubnets to any -> 192.168.1.7/32 port 1024:65535
(192.168.2.12/32 is part of 192.168.2.0/24)
So you can remove your additional outbound NAT rule.


Regards,

Joerg
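
The route-then-NAT evaluation Joerg describes, as an added model (not code from the thread or from OPNsense/pf): the egress interface is chosen first, by a route-to policy rule if one matches and otherwise by the longest-prefix route, and only then are the outbound NAT rules bound to that interface consulted. The routing table, the 10.8.0.2 VPN gateway address and the redirect-gateway /1 routes are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table. Assumption: the OpenVPN client pushed
# redirect-gateway, which installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel
# while the original default route stays on WAN (as framura reports).
ROUTES = [
    (ip_network("192.168.2.0/24"), "lan"),
    (ip_network("192.168.1.0/24"), "wan"),
    (ip_network("0.0.0.0/1"), "vpn"),
    (ip_network("128.0.0.0/1"), "vpn"),
    (ip_network("0.0.0.0/0"), "wan"),
]

# Outbound NAT rules in /tmp/rules.debug order: (interface, source network,
# translated address). ip_gateway_VPN is replaced by a constructed 10.8.0.2.
NAT_RULES = [
    ("wan", ip_network("192.168.2.12/32"), "192.168.1.7"),  # framura's extra host rule
    ("vpn", ip_network("192.168.2.0/24"), "10.8.0.2"),
    ("wan", ip_network("192.168.2.0/24"), "192.168.1.7"),
]

# Policy routes produced by a LAN firewall rule with a gateway set (pf
# "route-to"): (source network, interface). Empty means only the routing
# table decides.
POLICY_ROUTES = [(ip_network("192.168.2.12/32"), "wan")]


def egress_interface(src, dst, policy_routes=()):
    """Pick the outbound interface the way pf does: a matching route-to rule
    overrides the routing table; otherwise the longest-prefix route wins."""
    src, dst = ip_address(src), ip_address(dst)
    for net, iface in policy_routes:
        if src in net:
            return iface
    return max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)[1]


def translate(src, dst, policy_routes=()):
    """Return (egress interface, source address after outbound NAT). Only the
    NAT rules bound to the chosen interface are consulted, in order."""
    iface = egress_interface(src, dst, policy_routes)
    for rule_iface, net, nat_ip in NAT_RULES:
        if rule_iface == iface and ip_address(src) in net:
            return iface, nat_ip
    return iface, src  # no matching NAT rule on that interface: source unchanged


if __name__ == "__main__":
    # Routing table alone: the /32 rule on $WAN is never consulted.
    print(translate("192.168.2.12", "8.8.8.8"))                 # ('vpn', '10.8.0.2')
    # With the LAN rule's gateway set, egress becomes WAN and the existing
    # subnet rule on $WAN already covers the host, so the /32 rule is redundant.
    print(translate("192.168.2.12", "8.8.8.8", POLICY_ROUTES))  # ('wan', '192.168.1.7')
    print(translate("192.168.2.50", "8.8.8.8", POLICY_ROUTES))  # ('vpn', '10.8.0.2')
```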

Thanks Joerg,

I tried as you stated, but now I have no Internet access from 192.168.2.12.

I have:

6 rules on NAT Outbound (4 manual for VPNINTERFACE and 2 automatic for the WAN interface)

Under Firewall->Rules I have

Floating: 1 block rule for IPv6
WAN: 0 rules
LAN: 3 rules (the 1st is the one just added; the other two enable IPv4 and IPv6 on LAN net)
PROVIDERVPN interface: 0 rules
OpenVPN: 0 rules

I added the following rule on the LAN tab (as the first rule):

Action: pass, Interface: lan, Source: 192.168.2.12, destination: any, gateway (isn't under advanced options): WAN_DHCP 192.168.1.1

Thanks for your help

I made a little modification to the above rule: as destination I inserted wan_net, and my device is able to connect to the Internet, but always through the VPN address.

I really don't understand.

How are your gateways set up... VPN is the default gateway, right?

No franco,

default gateway is WAN_DHCP on WAN interface.


Hi,

To test my OPNsense configuration, I made some tests with pfSense.

With the same configuration on pfSense, I get the correct result: my 192.168.2.12 device doesn't use the VPN but the WAN.

Can you help me?

Thanks in advance

Which pfSense version? If 2.3, there's a 10.3 kernel to try and see if this was a pf-related issue. If not we know that it's definitely a config issue on our side.

June 27, 2016, 09:10:24 AM #12 Last Edit: June 27, 2016, 09:51:10 AM by framura
I used the latest pfSense version, 2.3.1.

Do you suggest trying the OPNsense 16.7 beta version?

If yes, can I install the 16.7 beta version directly without upgrading my 16.1.7 installation?

Hi framura,

In this case you can change your FreeBSD version underneath using this and an immediate boot afterwards:

# opnsense-update -hbkr 16.1.16-devel && /usr/local/etc/rc.reboot

Please note: this is the latest test version. It works on all machines and is equal in patching to the current 10.2 version. It is, however, not the version that is going to be on the 16.7 RC images and the next firmware update may move you back to FreeBSD 10.2. Use with care.


Cheers,
Franco