Can't set up WAN connection through OVPN to LAN port

Started by buga, December 11, 2024, 05:59:30 PM

There is:
-LAN 192.168.100.39, opened port 25
-OPNsense 192.168.100.1, OVPN client 10.8.0.2, port forwarding 10.8.0.2:25 to 192.168.100.39:25
-VPS 91.91.91.91, OVPN server 10.8.0.1, iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to-destination 10.8.0.2:25
-WAN client with a different IP

Clients from the Internet with any IP should be able to connect to 192.168.100.39:25
through:
Internet client WAN->    VPS 91.91.91.91:25->    10.8.0.1:25->    10.8.0.2:25->    192.168.100.39:25
But at the moment it does not work. It seems like you need to configure outbound, but I can't.


According to tcpdump on 192.168.100.39, it sends a response directly to the client, which I think is not correct.
The response does not go further than the OPNsense router.

Is OPNsense the default gateway?

If it isn't you need to masquerade the traffic on its LAN.


The best way would be to masquerade it on the VPS VPN interface to the VPN server IP.

If you want to do it on OPNsense, however, go to Firewall > NAT > Outbound.
If Automatic outbound NAT rule generation is enabled, switch to hybrid mode.
Then add a rule:
interface: LAN
protocol: TCP
source: (maybe you can limit it. if not use any)
destination: 192.168.100.39/32
dest. port: 25
Translation: interface address

Note that this is also applied to traffic from other source interfaces, e.g. WAN, if port 25 is also forwarded to this destination IP.
But I assume this is not the case. If it is, you could add a tag to the VPN traffic and configure the outbound NAT rule to apply to tagged traffic only.

December 12, 2024, 09:32:26 AM #4 Last Edit: December 12, 2024, 02:20:33 PM by buga
It does not work; I tried it.

So 192.168.100.39 is the LAN address of OPNsense??
Then I'm wondering what you want to achieve with the forwarding of port 25. Do you run an SMTP server on OPNsense??

December 12, 2024, 12:29:27 PM #6 Last Edit: December 12, 2024, 02:19:39 PM by buga
Lost message.

...and the screenshots.  :-(


So it was the response packet, which we were seeing in the last capture on the destination machine. So there might also have been a request packet as well.

Anyway, I'm afraid it will not work this way. I was wrong about this. Since OPNsense is the default gateway anyway, the NAT rule is not needed here.

So on OPNsense you can only solve this by making the reply-to tagging work properly for this traffic.

This requires that the connection has a gateway set. Is this the case? Check Interfaces: Overview.
Do you see the VPN server as gateway in the VPN?
This, of course, presumes that you assigned an interface to the VPN client instance, which is essential to get this to work.
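As an added illustration that is not part of this thread, the Python model below walks one SMTP request and its reply through the topology from the first post and shows why the reply escapes via the OPNsense WAN unless either the VPS masquerades the forwarded traffic to its tunnel IP (the earlier suggestion) or pf reply-to sends it back into the tunnel (this last post). The subnet masks, the OPNsense interface name ovpnc1 and the client address 203.0.113.7 are assumptions.

```python
from ipaddress import ip_address, ip_network

# Topology from the thread: VPS OpenVPN server 10.8.0.1, OPNsense OpenVPN
# client 10.8.0.2 with LAN 192.168.100.1, mail host 192.168.100.39 on port 25.
# Subnet masks and the interface name "ovpnc1" are assumed, not from the thread.
VPS_TUN = "10.8.0.1"
OPN_TUN = "10.8.0.2"
MAIL_HOST = "192.168.100.39"
TUNNEL_NET = ip_network("10.8.0.0/24")
LAN_NET = ip_network("192.168.100.0/24")


def opnsense_route(dst: str) -> str:
    """Plain destination-based routing on OPNsense (no reply-to tagging)."""
    addr = ip_address(dst)
    if addr in TUNNEL_NET:
        return "ovpnc1"
    if addr in LAN_NET:
        return "lan"
    return "wan"  # default route: the OPNsense WAN, not the tunnel


def request_as_seen_by_mail_host(client_ip: str, vps_masquerade: bool) -> tuple:
    """Apply the two NAT hops of the forward path; return (src, dst)."""
    # VPS PREROUTING: DNAT 91.91.91.91:25 -> 10.8.0.2:25 (rule from the first post)
    src, dst = client_ip, OPN_TUN
    # Optional VPS POSTROUTING on the tunnel interface: SNAT/MASQUERADE to 10.8.0.1
    if vps_masquerade:
        src = VPS_TUN
    # OPNsense port forward: 10.8.0.2:25 -> 192.168.100.39:25
    dst = MAIL_HOST
    return src, dst


def reply_egress(client_ip: str, vps_masquerade: bool, reply_to: bool) -> str:
    """Interface the reply leaves OPNsense on. The mail host answers the source
    it saw and hands the packet to its default gateway, which is OPNsense."""
    reply_dst, _ = request_as_seen_by_mail_host(client_ip, vps_masquerade)
    if reply_to:
        return "ovpnc1"  # pf reply-to: answer leaves via the interface it arrived on
    return opnsense_route(reply_dst)


def connection_works(client_ip: str, vps_masquerade: bool = False, reply_to: bool = False) -> bool:
    """The VPS holds the DNAT state, so the reply must re-enter the tunnel to be
    translated back; a reply leaving via WAN reaches the client from an address
    other than 91.91.91.91 and is dropped, which is what the tcpdump showed."""
    return reply_egress(client_ip, vps_masquerade, reply_to) == "ovpnc1"


if __name__ == "__main__":
    for masq, rto in ((False, False), (True, False), (False, True)):
        print(f"masquerade={masq} reply_to={rto}: works={connection_works('203.0.113.7', masq, rto)}")
```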