Pfsense config for openvpn access to local network behind CGNAT

New internet provider uses CGNAT. To access several things on the home network while away I am trying to setup pfsense as an openvpn client with an Oracle VPS as the server. Have gotten access working. Main issue is that pfsense is not passing local traffic from lan to wan. Rules look like the should work but I haven’t used pfsense before so I could be and since it doesn’t work probably wrong.

For testing I have put the pfsense box on a lan port of my router. This allows some internet access for the rest of the network while getting this working. Just tried to ping from the PC on the pfsense lan and can ping the upstream router but not the starlink hub. From a PC on the router I can ping both the router and the starlink hub. Makes no sense to me as I have no rules on the router to limit either connection. For pinging I was using IP addresses (192.168…) rather than names so lookup of the names isn’t the issue.

When using PFSense behind anything that gives PFSense itself an RFC1918 IP address (,,, on the WAN interface, you have to disable “Block private networks”. This is within “Interfaces >WAN” near the bottom.

Block private networks is unchecked.

Firewall log shows: LAN interface Default deny rule IPV4 source: My pc, destination: IP of PFsense lan port.

Since your WAN on pfSense is receiving a Private IP address, in addition to blocked private IP addresses being disabled. You also need to have Block Bogon Networks disabled. See the warning message under the Block Bogon Networks documentation.

Tried unchecking block bogon networks too so both were unchecked. Didn’t help.

Okay, so I just re-read your post and saw your main issue.

So you can receive traffic in but nothing is going out correct? It sounds like whatever your rules on your LAN are, is blocking WAN out. Make sure your destination is ANY and not WAN. It would be easier to see a diagram of the LAN rules. But, check your Firewall Logs Viewing the Firewall Log, just keep in mind the firewall logs only show what is being blocked not what is being passed through. But you can change that if you need to for testing/troubleshooting. And check pfTop when you’re pinging out. This is a really great tool to use to help debug with. Check out Tom’s video Getting Started With pfsense Firewall Rules and Troubleshooting States With pfTop. - YouTube for learning about pfTop.

Ok. Changing it to any and it works. How does the traffic get directed to wan and not the openvpn connection with it set to any?

Since you haven’t used pfSense before. I suggest these two pieces of documentation to help you understand it a bit more. The first is Rule Methodology it discusses how rules are processed, which is a top down method. And Configuring firewall rules that gives information on options for setting rules and what they do.

I assume that you haven’t set up any VLANs on pfSense yet. And are just working with the WAN and LAN rules is that correct? Traffic is filtered on a per interface basis where it started or initiated from. A firewall rule that has Source set to LAN Net and a destination set to ANY which will have an * in that field when viewing the rules. That means anything on LAN can go to any interface including WAN. But if you had more than just a LAN/WAN setup. And you had additional interfaces say a LAN2 and LAN3. With the same rule, traffic that comes from LAN can go to LAN2, LAN3, and WAN. That’s why it’s important that you add rules on your interfaces if you didn’t want to have traffic get to LAN2/LAN3. Also, there’s an outbound NAT rule if you want to see it for your WAN. Go to Firewall → NAT and click the Outbound tab. You’ll see automatic rules for WAN here. Which basically says, from “these” networks route to WAN address.

Now since, I don’t know how you’ve set up your OpenVPN. But if setup correctly, you should have rules and configurations that will define how traffic is routed out. This includes Outbound NAT rules for VPN/WAN.

Thanks! I have read some but still figuring things out so will read your suggested links. My setup just has LAN, WAN and VPN (through WAN). I plan to use VPN (for now at least) for remote access to the LAN nodes only and not for outbound. All outbound traffic will go to WAN. This is to get around CGNAT. For wifi I have an existing router that I plan to bridge and put behind the pfsense box. So that will be:
LAN - router - pfsense - starlink

You MUST have an outside server to act as a reflector or as the server when using CGNAT, you have no externally identifiable IP on your CG-NAT and no way to forward a port to your CG-NAT connection.

I keep hoping they will embrace IPv6 which could then give us a direct internet IP like most other ISP provide. I’m on TMobile now and subject to the same CG-NAT issues.

The only good thing is my internet isn’t dropping out every day like it was on Spectrum!