PFsense OpenVPN NAT

Hello all, I finally took the dive on PFSense hardware (to then later see an announcement that my processor will be outdated soon as it does not have AES-NI- fail) and spun up an OpenVPN server. I used my phone as a hotspot to test the server out and it does the job at giving me a tunnel to use my home internet service, but it doesn't allow my laptop access to other machines on my NAT.

Googling around there are threads that seem to pertain to older versions that simply had a "NAT" box to check (and my Asus router had this), but in this version (PFsense 2.3.3) I cannot find that box. I changed the VPN from tun to tap but still no avail. I'd really like to use vSphere client and plex over the VPN.

Oh, and time to turn on the pfSense 'bat signal'-- @Dexter_Kane

In your firewall rule under OpenVPN do you have it set to allow to lan

1 Like

Do you mean lan, not nat? You want to keep it set to tun and make sure you're using a different subnet for the VPN network than what you're using for the lan. If should just work as long as you have firewall rules to allow the VPN network to any or atleast to the lan networks.

It might be helpful if you post screenshots of the VPN configuration and the firewall rules for lan and the VPN networks.

I suck at teh posting picks, what do you suggest is the easiest route? Been wanting to post in the "post what new thing you acquired" thread but always been too lazy on how to upload pics.

I don't know what I did but it works now- I played with some firewall rules, removed bridge = LAN in the openvpn menu and some other stabs as I went back and forth from hotspot/VPN connection and LAN connection to make changes. I'd still like to post pics to see if I opened some things up that I shouldn't have.

That's the option you need to click to upload images directly to the forum.
Although I usually use imgur and just put a embedded link in.

I used to use photobucket back in the day but as I got less and less involved with forums and technology changes, I haven't logged in for a looong time haha and am usually posting from my phone.

There's a file size limit (not sure what it is) but you can upload them directly to the forum.

Luckily that wasn't an issue, pics posted.

Next I want to give my LAN access to DMZ, block DMZ to LAN and give the DMZ access to WAN/internet.

Set your source and destination dependent on what you are wanting to do and set to either pass or block. Just remember pfsense follows from top rule down.

Your LAN already has access to the DMZ because of the allow any rule. By the way, there's no point setting the source address as lan net on the lan interface, just use any or use something specific if you want to limit it. The source has to be on the lan network so lan net and any do the same thing.

On your DMZ you want to make a rule that rejects (reject is better than block for internal network traffic) from any to lan net and then under that make an allow any to any rule.

What I would suggest doing is creating an alias of your local networks (lan, dmz, vpn, etc.) and call it local_net or something then you can just make a rule on your dmz that allows from any to not local_net (there's a check box for not which inverts the rule). That way you are allowing traffic to the internet but not your lan and local networks which will be blocked by the default rule.


I have source set to Any as it did not have an OpenVPN option, is OpenVPN a PPPoE or L2TP client?

OpenVPN has its own rules tab.

PPPoE is Point to Point Protocol over Ethernet and is used for dialing ADSL modems from the router.
L2TP is Layer 2 Tunnelling Protocol, although technically relevant, its not here.

OpenVPN gets its routes for what local networks it can connect to via the server as upon connecting a user the server will push the routes to them. (see the openvpn server config -> IPv4 Local Networks) Although once you are connected you could push your own routes (but that's for another day)

The rules you are most likely looking for is something similar to mine for everyone else on the network

This would be setup in the Firewall Rules under the DMZ tab.
Except in your case "HOUSE_LAN net" would be the DMZ network.

EDIT: Your current rule in the LAN tab for IPv4 will allow you to already connect into the DMZ network.


You guys are awesome, now I can remote in and keep at it while I'm on the road this weekend.

Onto the next problem, my email server is not sending or receiving mail (worked when port forwarding through Asus router).
Things that have been done (not in order):
- going to a pfSense router my ISP gave me a new public IP, updated my domain info.
- created iRedMail alias, added ports 143, 993, 465, 25, 587- then later 80 and 22. Plugged in iRedMail server IP (
- Gave the DMZ interface the IP, enabled DHCP.
- iRedMail CentOS7 VM connected to NIC that is going strait to DMZ interface on pfSense router.
- made some WAN, LAN and DMZ rules and varified I can ping the iRedMail IP from a LAN machine (iRedMail IP is which seems odd), iRedMail cannot ping LAN machine but can ping
- Created NAT port forward using iRedMail alias

Cannot send or receive email at this time.

  • enabled NAT reflection to Pure NAT, NAT reflection for 1:1 NAT, Enable automatic outbound NAT for reflection.
  • just needed to reboot the box, its running now.

Should I try to do the 'more elegant' solution and go with split DNS? Seems interesting.

So on tap my Android phone could not use the VPN (net30 issue that strangely on tap does not have a drop down to change, but on tun the drop down appears), switching to tun fixes that, but then tun brakes my laptop from being able to access services on my LAN such as FreeNAS or anything else with a webui. Why is it rocket science to get the two things IMO are the top two reasons to VPN- secure web access on an open wifi connection and then access to machines on your home LAN?

Use tun, make sure the VPN subnet is different to your LAN and any other local subnets. Make sure you have firewall rules on the VPN interface to allow traffic to lan using the default gateway

I don't see a gateway section in the firewall rule screen.

It's under advanced, the default action is to use the default gateway. It's only important to set if you have other traffic using other gateways, you have to make sure that any traffic between local subnets uses the default gateway so that rule has to be above a rule which sets a different gateway if both rules would match the traffic.

no joy, I must be jacking up the firewall rule I guess. I have to call it a night- chairs are going to fly haha.