OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: fbeye on July 12, 2023, 08:56:23 pm

Title: Outgoing Email "Refused" when using VPN even with an OUTBOUND NAT to Bypass VPN.
Post by: fbeye on July 12, 2023, 08:56:23 pm
Hello.

This came from another thread that was titled differently, so I wanted to create a new one having to do with this, not trying to be pushy.

My setup has a block of ips, 6 usable [x.x.x.177 - x.x.x.182 (x.x.x.182 being WAN default)]
I have WAN x.x.x.180 and a LAN 192.168.5.180.
When VPN off, I can send and receive all day long. When VPN activated, I do not even get an error, it just spins and times out. When I create the OUTBOUND NAT below, I get connection refused.

Interface: WAN
Protocol: TCPIP/v4
Source: 192.168.5.180/32
Source Port: any [I also tried with corresponding outgoing ports for email]
Translation/Target: x.x.x.180

I do have working and validated 1:1 NAT for this IP, I have aliases and I have association between x.x.x.180 to 192.168.5.180. As I said, works flawlessly when NO VPN on. Also, I do not have, when VPN on, outbound NAT as for whatever reason [binat?] it already works inbound and outbound on correct WAN/LAN IP.
I only implemented outbound NAT to have outgoing bypass the default VPN upstream. Also, I did disable the upstream gateway option to see if that was it, to no avail.
I will say this though... and from what I have been told it is incorrect... It does work if on RULES:LAN I create a rule for 192.168.5.180 to "out" on x.x.x.180. I make a Single Gateway for that IP and use it, and then all of it does work on the / through the VPN. But as I said, from what I have been told this was incorrect, and it makes sense that it [should] be an OUTBOUND NAT rule, not a LAN out. Or is it a to-may-to to-mah-to kind of thing?


[Obvious] but just noticed, when Outbound NAT is applied, I still have VPN IP after whatsmyip.com, so the rule isn't just blocking outgoing, it simply is not associating correctly.
Title: Re: Outgoing Email "Refused" when using VPN even with an OUTBOUND NAT to Bypass VPN.
Post by: Bob.Dig on July 13, 2023, 11:17:53 am
So you still have a lot to learn judging by all these questions.
My advice: first learn the basics, especially when you have a rather complicated setup with a range of public IPv4 addresses.

And you don't route via Outbound NAT rules, you have to use your LAN-type-rules for that with a gateway set if you wish to not use the default route.
Title: Re: Outgoing Email "Refused" when using VPN even with an OUTBOUND NAT to Bypass VPN.
Post by: fbeye on July 13, 2023, 04:34:20 pm
Well it is a shame I come across as that. Initially everything worked fine and I had it all, with ALL my IPs working correctly with their WAN to LAN translations. This all started when I was curious about adding multiple VPN clients and then segmenting chunks of LAN IPs etc… Then I was questioned about the weirdness of HOW I had my LAN rule for outbound using gateways, and then the discussion furthered to I should be using Outbound NAT instead of LAN rules. So, and that actually did make sense, I went and did that, then started getting connection refused issues. So it spiraled out and then I come to find I am uneducated and told to go back to the way it was!! Which is fine! I get that. I ask a question, I get an answer. Just feels shitty to have this idea about me. This ain’t about “I should be humble and take criticism”. I am and I do, it just sucks that the final solution was to go back to how I had it originally, and had done so on my own by reading and “googling”. All I wanted initially was to have specific VPN questions answered (can I have multiple clients share the same trust authority, can I add a 2nd server to my existing client and separate them via LAN rules) etc.
Anyway, back to where I started with the configuration I had done initially before asking questions, it all works as it should. I guess with the VPN I will mess around with it. I guess that’s the nice thing about backups!

Thank you for giving your assistance I appreciate you and the others who have helped on other threads.
Title: Re: Outgoing Email "Refused" when using VPN even with an OUTBOUND NAT to Bypass VPN.
Post by: Bob.Dig on July 13, 2023, 05:08:19 pm
The thing with your multiple IPv4 addresses is that they all have to use one single gateway. With VPN clients they all are their own gateways and they are not the default gateway. That is the difference. I know almost nothing about having multiple IPv4 addresses but a little about having VPN clients. ;)
Title: Re: Outgoing Email "Refused" when using VPN even with an OUTBOUND NAT to Bypass VPN.
Post by: fbeye on July 13, 2023, 06:22:04 pm
Roger that my friend. Thank you for the help again.
Title: Re: Outgoing Email "Refused" when using VPN even with an OUTBOUND NAT to Bypass VPN.
Post by: fbeye on July 14, 2023, 04:54:23 pm
Wanted to add one more detail, maybe something will click….
So currently the only way my email server [192.168.5.180] sends email without a refused error is if I do an "any" for all options or * in the LAN rule 180_Out, which bypasses the VPN altogether. So that is good. No rule: 192.168.5.180 has the VPN IP; 180_Out rule: it has the x.x.x.180 WAN IP.
What I was messing around trying to do was keep 192.168.5.180 on the VPN for surfing and anonymity but have all email out (587 and 25) as ports bypass the VPN. When I set 2 rules as such, I get the connection refused; when I default the rule to any and * non-specific settings but simply use 180_Out as a whole, it works. Is creating 2 rules with ports only not good enough to bypass the VPN? Or is it more than that, like other ports as a whole?
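The two mechanisms the thread contrasts (Bob.Dig's point that routing is done by a LAN rule with a gateway set, not by an Outbound NAT rule, and the last post's attempt to send only ports 25 and 587 around the VPN) can be written out as a hand-written pf.conf fragment, since OPNsense's ruleset is pf underneath. This is an added example, not configuration from the thread or generated by OPNsense; the interface names, the macro names and the upstream gateway address are assumptions, and the x.x.x. placeholders follow the thread's own notation and would have to be real addresses.

```pf
# Added example, not from the thread or from OPNsense. Interface names and the
# WAN gateway are assumptions; x.x.x. placeholders follow the thread's notation.

wan_if = "em0"                # assumption: WAN interface carrying the public /29
lan_if = "em1"                # assumption: LAN interface
wan_gw = "x.x.x.1"            # assumption: upstream gateway for the public block
mail_srv = "192.168.5.180"    # the mail server's LAN address from the thread
mail_pub = "x.x.x.180"        # the public address it is 1:1 mapped to
mail_ports = "{ 25, 587 }"    # SMTP and submission, as in the last post

# 1. Address translation only. An outbound NAT rule rewrites the source
#    address of a packet that is already leaving through $wan_if. It does not
#    choose the exit interface. With a VPN client holding the default route,
#    the packet never reaches $wan_if, so this rule by itself changes nothing,
#    which matches the symptom of still seeing the VPN address afterwards.
nat on $wan_if inet from $mail_srv to any -> $mail_pub

# 2. Policy routing. A LAN rule with a gateway set becomes a "route-to" in pf
#    and overrides the default route for the matching traffic only. "quick"
#    makes pf stop at the first match, so this port-specific rule must sit
#    above any broader rule that sends the same host through the VPN.
pass in quick on $lan_if inet proto tcp from $mail_srv to any port $mail_ports \
    route-to ($wan_if $wan_gw) keep state

# Everything else from the mail server falls through to the ordinary LAN rule
# with no gateway, i.e. it keeps following the default route (the VPN).
pass in quick on $lan_if inet from $mail_srv to any keep state
```

Two things to check when a port-specific rule like the one above still behaves like the "no rule" case: rule order (a catch-all rule placed above it, or one without `quick`, shadows it), and existing state entries (pf routes a connection according to the rule that created its state, so states created before the rule change keep their old path until they expire or are reset).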