Messages - shaerul

#1

            Internet (Public)                 [Public IP from ISP]
                       +-------------------+|End User Workstation/PC|
                       |
                       |
                       |
                       |
                       | WAN [public IP x.x.30.132]
            +-------------------------------+
            |       OPNsense Firewall       |
            +-------------------------------+
              | LAN1 (private IP)         | LAN2 (public IP) 
              | [192.168.1.1/24]          | [x.x.31.1/24]
              |                           |
              |                           |
              |                           |
              |                           |
              + [192.168.1.10]            |
          |Server|                        |
                                          |
                                          |
                                          + [x.x.31.17]
                                       |Server|

As shown in the diagram, my OPNsense firewall has three interfaces and NAT enabled. I want NAT between WAN (public IP) and LAN1 (private IP) but don't want any NAT between WAN and LAN2 (just like a router), which already has the public IP block x.x.31.1/24. The ISP is routing all traffic destined for the IP block x.x.31.0/24 through my WAN IP address x.x.30.132.

I can make the NAT part work flawlessly, but I cannot get a no-NAT (untranslated) packet flow between WAN and LAN2 working.

Can anyone please help me to get this solved?
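Added example (not code from the post or from OPNsense) that models the decision this post is about. OPNsense's Outbound NAT page generates pf rules, and pf picks the first outbound NAT rule whose source matches; a "Do not NAT" rule (pf: no nat) exempts that source from translation. In Automatic outbound NAT mode OPNsense creates a translate-to-WAN rule for every local network, which would include LAN2's public block; leaving LAN2 untranslated needs Hybrid or Manual mode with a "Do not NAT" rule for x.x.31.0/24 placed above any rule that would otherwise match it. The addresses 198.51.100.132 and 203.0.113.0/24 below are stand-ins for x.x.30.132 and x.x.31.0/24 (RFC 5737 documentation ranges); the pf.conf text is illustrative, not OPNsense's exact generated output.

```python
"""Model of how pf (driven by OPNsense's Outbound NAT rules) decides whether a
packet leaving WAN gets its source address translated.
Added example, not OPNsense code. 198.51.100.132 stands for the WAN IP
x.x.30.132 and 203.0.113.0/24 for the routed LAN2 block x.x.31.0/24
(assumptions, RFC 5737 documentation ranges)."""
import ipaddress
from typing import NamedTuple, Optional

WAN_IF = "wan"
WAN_ADDR = "198.51.100.132"                        # x.x.30.132 in the post
LAN1_NET = ipaddress.ip_network("192.168.1.0/24")  # private, must be NATed
LAN2_NET = ipaddress.ip_network("203.0.113.0/24")  # x.x.31.0/24, must be routed


class OutboundRule(NamedTuple):
    source: ipaddress.IPv4Network
    target: Optional[str]   # None = "Do not NAT" (pf: no nat)

    def pf(self) -> str:
        """pf.conf equivalent of the rule (illustrative syntax)."""
        if self.target is None:
            return f"no nat on {WAN_IF} from {self.source} to any"
        return f"nat on {WAN_IF} from {self.source} to any -> {self.target}"


def egress_source(rules, src: str) -> str:
    """Source address after outbound NAT. pf nat rules are first-match: the
    first rule whose source matches decides, and a matching 'no nat' rule
    exempts the packet from every rule below it."""
    ip = ipaddress.ip_address(src)
    for rule in rules:
        if ip in rule.source:
            return src if rule.target is None else rule.target
    return src  # no rule matched: plain routing, address untouched


# Automatic outbound NAT: every local network is translated, LAN2 included.
AUTOMATIC = [OutboundRule(LAN1_NET, WAN_ADDR), OutboundRule(LAN2_NET, WAN_ADDR)]

# Hybrid/manual mode: a 'Do not NAT' rule for LAN2 above the LAN1 rule.
ROUTED_LAN2 = [OutboundRule(LAN2_NET, None), OutboundRule(LAN1_NET, WAN_ADDR)]

# Same two LAN2 rules in the wrong order: the NAT rule matches first and wins.
MISORDERED = [OutboundRule(LAN2_NET, WAN_ADDR), OutboundRule(LAN2_NET, None)]


def check(rules) -> dict:
    """Egress source for one host on each LAN under a given rule set."""
    return {"lan1_host": egress_source(rules, "192.168.1.10"),
            "lan2_host": egress_source(rules, "203.0.113.17")}


if __name__ == "__main__":
    for name, rules in [("automatic", AUTOMATIC), ("routed_lan2", ROUTED_LAN2),
                        ("misordered", MISORDERED)]:
        print(name, check(rules))
        for r in rules:
            print("   ", r.pf())
```

The model only covers source translation on the way out. Inbound packets for x.x.31.0/24 still need a pass rule on the WAN interface (OPNsense blocks unsolicited inbound traffic on WAN by default), and the ISP route described in the post is what delivers them to the firewall in the first place.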
#2
I have captured the tcpdump output on the LAN2 port (replaced the public IP with x.y.46.17):

01:42:29.073113 IP x.y.46.17.500 > 192.168.2.17.500: isakmp: phase 1 I ident
01:42:29.076870 IP 192.168.2.17.500 > x.y.46.17.500: isakmp: phase 1 R ident
01:42:29.090806 IP x.y.46.17.500 > 192.168.2.17.500: isakmp: phase 1 I ident
01:42:29.125374 IP 192.168.2.17.500 > x.y.46.17.500: isakmp: phase 1 R ident
01:42:29.142174 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 1 I ident[E]
01:42:29.142863 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 1 R ident[E]
01:42:29.161651 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.162858 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:29.188481 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.225337 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.226479 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:29.242498 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.242837 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:32.219170 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:32.220473 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:32.240170 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:32.240290 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:36.231026 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:36.234869 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:36.250860 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:36.251280 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:44.232301 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:44.236607 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:44.262613 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:44.262627 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:48.180123 IP x.y.46.17.4500 > 192.168.2.17.4500: isakmp-nat-keep-alive
01:42:54.241907 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:54.251962 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:54.283246 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:43:04.306005 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:43:04.371417 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
#3
The UDP packets captured at the OPNsense firewall's LAN port are as follows (replaced the public IP of the VPN client with x.y.46.17):

01:42:29.073113 IP x.y.46.17.500 > 192.168.2.17.500: isakmp: phase 1 I ident
01:42:29.076870 IP 192.168.2.17.500 > x.y.46.17.500: isakmp: phase 1 R ident
01:42:29.090806 IP x.y.46.17.500 > 192.168.2.17.500: isakmp: phase 1 I ident
01:42:29.125374 IP 192.168.2.17.500 > x.y.46.17.500: isakmp: phase 1 R ident
01:42:29.142174 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 1 I ident[E]
01:42:29.142863 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 1 R ident[E]
01:42:29.161651 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.162858 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:29.188481 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.225337 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.226479 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:29.242498 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.242837 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:32.219170 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:32.220473 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:32.240170 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:32.240290 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:36.231026 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:36.234869 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:36.250860 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:36.251280 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:44.232301 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:44.236607 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:44.262613 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:44.262627 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:48.180123 IP x.y.46.17.4500 > 192.168.2.17.4500: isakmp-nat-keep-alive
01:42:54.241907 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:54.251962 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:54.283246 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:43:04.306005 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:43:04.371417 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
#4

                    Internet                     [Public IP from ISP]
                       +-------------------+|Windows VPN Client|
                       |
                       |
                       |
                       |
                       | WAN [x.x.30.132]
            +-----------------------+
            |   OPNsense Firewall   | (1:1 NAT x.x.31.0/24 to 192.168.2.0/24)
            +-----------------------+
                       | LAN [192.168.2.1/24]
                       |
                       |
                       |
                       |
                       + [192.168.2.17]
               |VPN Server|


I am running a VPN server inside an OPNsense firewall. The WAN public IP block and the LAN private IP block are mapped through 1:1 NAT in the OPNsense firewall. Apparently, there is no problem with the one-to-one NAT. But when I try to connect to the VPN server (x.x.31.17 -> 192.168.2.17) from the Windows host VPN client over the Internet, it fails. For testing purposes I put a Windows host VPN client in the LAN and tried to connect to the VPN server (192.168.2.17). It connects flawlessly.

VPN type is L2TP/IPsec with a pre-shared key.

Can you please help me to resolve this issue?

#5
I am running a VPN server inside an OPNsense firewall. The firewall has two LAN interfaces, LAN1 and LAN2 (shown in the figure below). Another interface is WAN, which is connected to the public Internet through the ISP. The WAN public IP block and the LAN2 public IP block are mapped through 1:1 NAT in the OPNsense firewall. I can ping and access the VPN server (e.g. SSH, HTTPS, etc.) from the Internet. Apparently, there is no problem with the one-to-one NAT, but when I try to connect to the VPN server from the Windows host VPN client over the Internet, it fails. For testing purposes, I put another Windows host VPN client in LAN1 (192.168.1.10) and tried to connect to the VPN server in LAN2 (192.168.2.17). It connects flawlessly. But when I try to connect to the destination IP x.x.31.17 rather than the private IP 192.168.2.17 from the same Windows host VPN client in LAN1, it fails just like the Windows VPN host/client on the Internet.

It appears that the problem lies in the OPNsense configuration. Can you please help me to resolve this problem?


                    Internet (Public)       [Public IP from ISP]
                       +-------------------+|Windows VPN Client|
                       |
                       |
                       |
                       |
                       | WAN [x.x.30.132]
            +-----------------------+
            |   OPNsense Firewall   | (1:1 NAT x.x.31.0/24 to 192.168.2.0/24)
            +-----------------------+
              | LAN1              | LAN2
              | [192.168.1.1/24]  | [192.168.2.1/24]
              |                   |
              |                   |
              |                   |
              |                   |
              + [192.168.1.10]    |
     |Windows VPN Client|         |
                                  |
                                  |
                                  + [192.168.2.17]
                            |VPN Server|

VPN Server Config
-----------------

The VPN server is assigned the LAN2 IP address 192.168.2.17/24
VPN type is L2TP/IPsec with a pre-shared key
It listens on three UDP ports: 500, 1701 and 4500

OPNSense Firewall Config
------------------------

Configured with both source NAT for LAN1 and 1:1 NAT for WAN <-> LAN2
The 1:1 NAT maps the entire public IP address block x.x.31.0/24 to LAN2 192.168.2.0/24
I have configured a virtual IP address x.x.31.0/24 on WAN
Added an allow-all rule under Firewall -> Rules -> Floating and LAN2 for IPv4
Added a Firewall -> NAT -> One-to-One mapping entry on WAN (external IP to internal IP)
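Added example (not code from the posts or from OPNsense) that serves both the tcpdump output in posts #2/#3 and the 1:1 NAT setup in post #5. It parses the first 21 lines of the posted capture (the remaining lines repeat the same pattern, plus one NAT keep-alive), counts the ISAKMP messages per phase and direction, groups the client's Quick Mode messages into attempts, and reports for each attempt whether the server replied, whether the client followed up with an informational message, and whether any ESP traffic appeared. It also applies the 1:1 NAT rewrite to a captured packet to show what the Internet-side client sees. The client address x.y.46.17 is the poster's masking and is kept as-is; 203.0.113.0/24 stands in for the public block x.x.31.0/24 (an assumption, RFC 5737 documentation range).

```python
"""Summarise the IKEv1 exchange from the tcpdump lines posted above and show
what the same packets look like on the WAN side after 1:1 NAT.
Added example, not code from the posts or from OPNsense. CAPTURE is the first
21 lines of the poster's capture (client IP masked as x.y.46.17 by the poster);
203.0.113.0/24 stands in for the public block x.x.31.0/24 (assumption)."""
import ipaddress
import re
from collections import Counter

CAPTURE = """\
01:42:29.073113 IP x.y.46.17.500 > 192.168.2.17.500: isakmp: phase 1 I ident
01:42:29.076870 IP 192.168.2.17.500 > x.y.46.17.500: isakmp: phase 1 R ident
01:42:29.090806 IP x.y.46.17.500 > 192.168.2.17.500: isakmp: phase 1 I ident
01:42:29.125374 IP 192.168.2.17.500 > x.y.46.17.500: isakmp: phase 1 R ident
01:42:29.142174 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 1 I ident[E]
01:42:29.142863 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 1 R ident[E]
01:42:29.161651 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.162858 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:29.188481 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.225337 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.226479 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:29.242498 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:29.242837 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:32.219170 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:32.220473 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:32.240170 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:32.240290 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
01:42:36.231026 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:36.234869 IP 192.168.2.17.4500 > x.y.46.17.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
01:42:36.250860 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
01:42:36.251280 IP x.y.46.17.4500 > 192.168.2.17.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
"""

EXT_NET = ipaddress.ip_network("203.0.113.0/24")  # stand-in for x.x.31.0/24
INT_NET = ipaddress.ip_network("192.168.2.0/24")  # LAN2
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
                     r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<info>.*)$")
ISAKMP_RE = re.compile(r"isakmp: phase (?P<phase>1|2/others) (?P<role>[IR]) (?P<exch>[\w-]+)")


def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(capture=CAPTURE):
    """One dict per line; role is I (client) or R (server), exch the ISAKMP exchange."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        p["t"] = to_seconds(p["ts"])
        i = ISAKMP_RE.search(p["info"])
        if i:
            p.update(phase=i["phase"], role=i["role"], exch=i["exch"])
        else:  # e.g. isakmp-nat-keep-alive or UDP-encap: ESP
            p.update(phase="-", role="-", exch=p["info"])
        pkts.append(p)
    return pkts


def summarise(pkts):
    """Messages per (phase, role, exchange)."""
    return Counter((p["phase"], p["role"], p["exch"]) for p in pkts)


def quick_mode_rounds(pkts, gap=1.0):
    """Group the client's Quick Mode messages into attempts (a pause longer than
    gap seconds starts a new one) and record what happened during each."""
    rounds = []
    for p in pkts:
        if p["role"] == "I" and p["exch"] == "oakley-quick":
            if not rounds or p["t"] - rounds[-1]["last"] > gap:
                rounds.append({"start": p["t"], "last": p["t"]})
            rounds[-1]["last"] = p["t"]
    for k, r in enumerate(rounds):
        end = rounds[k + 1]["start"] if k + 1 < len(rounds) else float("inf")
        win = [p for p in pkts if r["start"] <= p["t"] < end]
        r["since_prev"] = round(r["start"] - rounds[k - 1]["start"], 1) if k else 0.0
        r["responder_replied"] = any(p["role"] == "R" and p["exch"] == "oakley-quick" for p in win)
        r["initiator_informational"] = any(p["role"] == "I" and p["exch"] == "inf" for p in win)
        r["esp_seen"] = any(p["info"].startswith("UDP-encap: ESP") for p in win)
    return rounds


def binat(addr, src_net=INT_NET, dst_net=EXT_NET):
    """1:1 NAT rewrite of src_net onto dst_net: keep the host part, swap the network
    part. Anything outside src_net (the masked client x.y.46.17) is returned as-is."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr
    if ip not in src_net:
        return addr
    return str(dst_net.network_address + (int(ip) - int(src_net.network_address)))


def wan_view(p):
    """The packet as the Internet-side client sees it: only the IP header is
    rewritten, the ISAKMP payload (and the identities inside it) is not."""
    return f"{binat(p['src'])}.{p['sport']} > {binat(p['dst'])}.{p['dport']}: {p['info']}"


if __name__ == "__main__":
    pkts = parse()
    print(summarise(pkts))
    print(quick_mode_rounds(pkts))
    print(wan_view(pkts[1]))
```

On this capture the script reports three Quick Mode attempts roughly 3 s and 4 s apart, each answered by the server and each followed by an informational message from the client rather than any ESP traffic, so phase 2 is being torn down and retried by the client. The move from UDP/500 to UDP/4500 with NONESP-encap in the fifth line is the client's NAT-T detection: the NAT-D hashes exchanged in main mode cover the server's address, which the 1:1 NAT has rewritten, so the client knows a NAT sits in the path. Windows L2TP/IPsec clients by default refuse to use a server that is behind NAT unless the AssumeUDPEncapsulationContextOnSendRule registry value is set to 2 (Microsoft KB 926179); whether that is the cause here is not something the capture alone can confirm.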