Cannot Connect to PFSense OpenVPN Server from within first NAT

Cirdan · January 17, 2018, 6:41pm

I currently have double NAT setup on my home network. I have a DDWRT router connected to the ISP’s modem and a PFSense router connected to that. The PFSense router has an openVPN server running on it but I am unable to connect to it from within the DDWRT network.

The double NAT, although not optimal, is necessary.

I can access the server, and it works correctly, through the public IP from another network (port forwarded in the DDWRT router). However, I cannot connect from within the DDWRT network.

Other resources online state that it is an issue with DNS resolution or “hairpin networking”. However, I don’t think this is the case since I cannot connect by public IP or the private IP of the PFSense router.

I’m not sure if this is a configuration issue with PFSense or DDWRT but any help would be appreciated!

Levitance · January 17, 2018, 7:26pm

By default pfSense blocks bogons on the WAN port. I believe it’s a check box you can untick in the WAN interface configuration page, towards the bottom.

Cirdan · January 18, 2018, 1:29pm

That does seem to have fixed it; thank you Levitance!

However, I’m curious if this poses any security threat. Would it be possible to specify only specific IP addresses or subsets not to block? I suppose it might not be an issue since PFSense is the second NAT.

Levitance · January 18, 2018, 3:30pm

You could setup firewall rules on the “WAN” side of pfSense to block all private networks except the one you’re actually using. I was trying to think of some interesting way where someone might be able to gain access to that middle-man network between your router and pfSense, but nothing solid is coming to me.