RV50 OpenVPN - How to disable SNAT?


#1

Dear Forum,

It appears that the RV50 OpenVPN Client is using SNAT - Source Network Address Translation. I can tell by capturing VPN packets such as the following:

21:02:36.106802 IP 10.0.8.3.2520 > 172.31.162.2.44818: tcp 0
21:02:36.106820 IP 10.0.8.3.2520 > 172.31.162.2.44818: tcp 0
21:02:36.765899 IP 10.0.8.2.4958 > 172.31.163.2.44818: tcp 88
21:02:36.765918 IP 10.0.8.2.4958 > 172.31.163.2.44818: tcp 88

The expected traffic that my PFSense OpenVPN Server firewalls need in order to work should be as such:

IP 172.31.163.2 > 172.31.162.2.44818
IP 172.31.163.2 > 172.31.162.2.44818
IP 172.31.162.2 > 172.31.163.2.44818
IP 172.31.162.2 > 172.31.163.2.44818

The PFSense Server Support forums say that the RV50 Gateway is causing this SNAT. I have made sure to turn off NAT at the Ethernet port end of the RV50. Yet, I am still getting 10.0.8.x source tunnel traffic in the packets. However, there are some settings in the OpenVPN advanced area that might be of help to me:

Allow Peer Dynamic IP - Options are: Enable or Disable (What IPs do they mean?)
NAT - Options are: Enable or Disable. Note that this is a Mobile Network Operator NAT, not a local NAT (What does this mean???)

The above was from the ALEOS 4.9.0 Manual. What exactly do the above options do? I am going to try setting NAT to disable to see what happens with the SNAT. Any clarifications on the above 2 options would be appreciated. Or any ideas on how to disable the RV50 SNAT is what I am looking for. Thanks.


#2

Okay we figured it out. Here is the response from Sierra Wireless tech support:

Allow Peer Dynamic IP means that the ALEOS gateway will support changes to the PFSense server IP and does not have to remain statically configured (i.e., 172.22.0.1, 172.25.0.2, etc.).

Disabling the NAT option means that the private network will not get translated to the ALEOS WAN IP. The source packets will remain as the private LAN IPs even when they traverse the tunnel.

So by disabling the NAT option, I fixed my issue. My source IPs are now unchanged, and SNAT is disabled.
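A quick way to confirm from a capture whether the gateway is still source-translating tunnel traffic (the symptom in the first post) or preserving LAN sources (the outcome in the second) is to classify each packet's source address against the tunnel pool and the LAN ranges. The script below is an added example, not part of the thread or Sierra Wireless documentation; the sample lines are constructed in the style of the capture above, and the 10.0.8.0/24 tunnel pool and 172.31.162.0/24 and 172.31.163.0/24 LAN ranges are assumptions inferred from the addresses in the post.

```python
import ipaddress
import re

# Constructed sample in tcpdump format, modelled on the capture in the post (not a real capture).
# The first two lines show SNAT (tunnel-pool sources); the third shows a preserved LAN source.
SAMPLE_CAPTURE = """\
21:02:36.106802 IP 10.0.8.3.2520 > 172.31.162.2.44818: tcp 0
21:02:36.765899 IP 10.0.8.2.4958 > 172.31.163.2.44818: tcp 88
21:05:01.000001 IP 172.31.163.2.2520 > 172.31.162.2.44818: tcp 0
"""

# Assumed ranges: OpenVPN tunnel pool and the two site LANs seen in the post.
TUNNEL_NET = ipaddress.ip_network("10.0.8.0/24")
LAN_NETS = [ipaddress.ip_network("172.31.162.0/24"),
            ipaddress.ip_network("172.31.163.0/24")]

# Matches "<time> IP <src>.<sport> > <dst>.<dport>:" as printed by tcpdump for IPv4.
LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_line(line):
    """Return src/sport/dst/dport for one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport = m.groups()
    return {"src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport)}


def classify_source(src):
    """'snat' if the source is a tunnel-pool address, 'lan' if a private LAN host, else 'other'."""
    if src in TUNNEL_NET:
        return "snat"
    if any(src in net for net in LAN_NETS):
        return "lan"
    return "other"


def audit_capture(text):
    """Count packets per source class; any 'snat' hits mean the gateway is still translating."""
    counts = {"snat": 0, "lan": 0, "other": 0}
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            counts[classify_source(pkt["src"])] += 1
    return counts


def snat_in_effect(text):
    """True when at least one packet carries a tunnel-pool source instead of its LAN source."""
    return audit_capture(text)["snat"] > 0
```

Feed it the output of a tcpdump on the tunnel interface after toggling the NAT option; pfSense rules keyed on the 172.31.x.x sources only work once the report shows no "snat" packets.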