目录

目录

目录 1
Block-client-Internet-access 3
Configure-Wifi 5
An Access Point on RPI 5
Create-image-for-unsupported-platform 9
Custom-DNS 10
Disable-IPv6-on-Freebox-OS 11
FAQ 12
Home 13
Install-or-update-the-VPS 14
Install/Update on Debian 10 Buster x86_64 14
Install/Update on Ubuntu Server 20.04 x86_64 15
Install on Debian 9 Stretch x86_64 15
Update 16
Files used by script 16
Install 17
OpenMPTCProuter-configuration 18
Boxes 18
OpenMPTCProuter 18
Wizard 18
Manual configuration 18
Set OpenMPTCProuter IP via SSH/Console 21
Pi-hole 22
Install Pi-hole on VPS 22
Port-forwarding-using-v2ray 23
Port-forwarding 25
Redirect all ports from VPS to OpenMPTCProuter 25
Redirect port via V2Ray reverse proxy on OpenMPTCProuter 25
Redirect port via VPN on OpenMPTCProuter 25
Debug 27
Router-install 28
Install from precompiled images 28
For Raspberry PI 2/3/4 28
For Linksys WRT3200ACM/WRT32X 28
For Banana PI BPI-R2 28
For NanoPI RS2 28
For Espressobin v7 29
For Virtualbox 29
For ESXI 29
For x86 and x86_64 29
Update 29
Snapshots 30
Technologies 31
Tutorials 32
French 32
Update-RPI4-firmware 33
V2Ray-Shadowsocks-plugin 34
VPN-over-OpenMPTCProuter 35
PPTP 35

1 / 47
目录

VPS-Multi-IPs 36
_Sidebar 39
pfSense 46
Dual NAT solution 46
No NAT solution 46

2 / 47
Block-client-Internet-access

Block-client-Internet-access
Example, if you want to block LAN IP 192.168.100.159 to access internet.

You need 2 firewalls rules, one to block proxy access (used for TCP) and one to block VPN/direct access (for UDP and when proxy is down):

The rule to block access to Proxy:

The rule to block access to VPN/Direct:

3 / 47
Block-client-Internet-access

4 / 47
Configure-Wifi

Configure-Wifi
An Access Point on RPI
This documentation work with any architecture that have only one ethernet port and MacVLAN is used.

In Network->Wifi menu:

As network create a new interface wifi:

5 / 47
Configure-Wifi

6 / 47
Configure-Wifi

Set encryption key:

In Network->Interfaces menu, configure wifi interface:

7 / 47
Configure-Wifi

Add the interface to firewall lan section:

8 / 47
Create-image-for-unsupported-platform

Create-image-for-unsupported-platform
Any platform where images are not generated are unsupported platform. No support for any of them. This may or may not work

You need to be under Linux with all tools needed to compile OpenWrt. This should be enough for Debian:

apt-get install busybox curl rsync build-essential asciidoc binutils bzip2 gawk gettext git libncurses5-dev libz-dev patch unzip zlib1g-dev lib32gcc1
libc6-dev-i386 subversion flex uglifyjs git-core gcc-multilib p7zip p7zip-full msmtp libssl-dev texinfo libglib2.0-dev xmlto qemu-utils upx libelf-dev
autoconf automake libtool autopoint device-tree-compiler

To test on any other platform (supported by OpenWrt with kernel 5.4):

git clone https://github.com/Ysurac/openmptcprouter.git

cd openmptcprouter
git checkout master
OMR_TARGET="myplatform" OMR_FEED_SRC="master" ./build.sh

If the platform already exist, replace myplatform by the platform name like x86_64. Check config-xxx files to find platforms where xxx is the
supported platform name.

The script build.sh accepts all make arguments (like -j ).

If it's a not yet supported platform, select your arch in the menu and build it like this:

cd myplatform/source
make menuconfig
make -j6

When finished, files are located in the directory source/bin .

9 / 47
Custom-DNS

Custom-DNS
By default OpenMPTCProuter use root DNS servers.

If you want to use some alternate DNS, in Network->DHCP and DNS menu:

In DNS forwardings remove the 127.0.0.1#5353 default entry and add the server you want:

10 / 47
Disable-IPv6-on-Freebox-OS

Disable-IPv6-on-Freebox-OS
To disable IPv6 RA, you need to set fe80::2 as Next Hop in IPv6 configuration:

11 / 47
FAQ

FAQ
What speed can I expect with a Raspberry PI 3 B ?

On my own tests, about 85.5Mb/s using modems connected via the ethernet port. The port is limited to 100Mb/s.

On a RPI3B+, with default settings, speed is limited to about 150Mb/s (due to CPU capacity).

How many interfaces can be used for MPTCP ?

The path-manager does not support more than 8 addresses per host.

Inactive TCP session are killed/SSH timeout after 2 minutes

For SSH, you can modify ServerAliveInterval in ssh configuration. You can also increase IPv4 TCP Keepalive time in the menu System-
>OpenMPTCProuter->Advanced Settings.

How to use OpenMPTCProuter on another platform?

Follow Create image for unsupported platform

Status say that Multipath is blocked on the connection, what can I do?

MPTCP is filtered somewhere on the network, so you can't use it. You can disable ShadowSocks and enable Glorytun UDP or MLVPN, they don't use
MPTCP and can aggregate connection.

I can't get IPv6 on my OVH VPS, why ?

Check that IPv6 is configured on the VPS. If not follow this doc: https://docs.ovh.com/fr/public-cloud/configurer-ipv6/

I don't get a good speed, what can I check ?

Check that your VPS have a bandwidth greater than the connections you want to aggregate.
Check that all CPU is not used on OpenMPTCProuter, you can use htop command with SSH
Check that all CPU is not used on the VPS side, you can install htop apt-get install htop and use it
Check each wan speed, using on the router via SSH: omr-test-speed wan1 (where wan1 is the real interface you wan to test), Ctrl+C to
stop after at least 2 minutes.

How to get system log on the router via SSH ?

You can get them with the command: logread

12 / 47
Home

Home
It's in alpha state, documentation is not finished yet.

Official site: https://www.openmptcprouter.com/

OpenMPTCProuter use MultiPath TCP (MPTCP) to aggregate multiple Internet connections (4G,ADSL,VDSL,fiber,...) and OpenWrt.

If MPTCP is not supported, OpenMPTCProuter can also use Multi-link VPN (MLVPN) or Glorytun UDP with multipath support.

The image can be installed on x86, x86_64 with UEFI, Raspberry PI 2B/3B/3B+/4B, Linksys WRT3200ACM/WRT32X and Banana PI BPI-R2.

A VPS with Debian 9/10 or Ubuntu 18.04 LTS is also required.

Internet
PC Modem 1

MPTCP

OpenMPTCProuter VPS
Laptop

Modem 2

Tablet

13 / 47
Install-or-update-the-VPS

Install-or-update-the-VPS
You need to have a MPTCP kernel,shadowsocks-libev, Glorytun, and a few services installed on the VPS. The VPS script will install and configure
them for you.

MPTCP will not work on OpenVZ but you can use Glorytun UDP if TUN module is available.

Tested and working on (in alphabetical order):

Amazon AWS port range 0-65535 in UDP, TCP and ICMP must be opened (US, ZA, HK, CA, UK, BR, BH, IT, IE, DE, JP,...)
Aruba Cloud (some transfer limits) (IT, CZ, FR, DE, UK, PL)
BuyVM no transfer limit, speed limited to 1000Mb/s (US, LU)
Digital Ocean (some transfer limits) (US, NL, SG, UK, DE, CA, IN)
fastpipe.io (GERMANY) (there is some issue with the script on this provider)
Firstheberg VPS (no transfer limit, speed limited to 200Mb/s) (FR)
Google Cloud Platform port range 0-65535 in UDP, TCP and ICMP must be opened (US, CA, BR, FI, BE, UK, NL, DE, SW, TW, HK, JP, SG, AU,...)
Hetzner Transfer limit to 20TB (DE, FI)
Hosterlabs No transfer limit, speed limited to 200Mb/s with 500Mb/s burst (CA)
Hostworld no transfer limit (UK, US)
Lunanode transfer limit from 1TB to 10TB, speed limited to 100Mb/s (CA, FR)
Milkywan IPv4 option is required (No traffic limit, port speed 10Gb/s) (FR)
MVPS some SMTP limits (transfer limit from 3TB to 60TB, speed limited to 70Mb/s or 100Mb/s) (DE, FR, GR, NL, SE, UK)
OVH/Kimsufi (no transfer limit, speed limited to 100Mb/s-2Gb/s) (FR, CA, PL, DE, UK, AU, SG)
Scaleway recent VPS Virtual SSD Cloud Servers (not BareMetal SSD Cloud Servers and not Arm) with local boot enabled, all ports used by
SMTP are blocked by default, can be unblocked (No traffic limit, speed limited to 100-400Mb/s) (FR)
Sys-One (No traffic limit, speed limited to 200-500Mb/s) (FR)
Tiktalik (transfer limit 2TB, speed limited to 100Mb/s) (PL)
Vultr Cloud Compute VC2 (transfer limit, port speed 1Gb/s) some ports are blocked : https://www.vultr.com/docs/what-ports-are-blocked (US,
FR, SG, NL, UK, DE, AU, CA, JP, KR)

The VPS/server need to have the lowest latency as possible with your connections.

Should work on most x86_64 KVM VPS (you need to be able to boot from local kernel) with at least 1024Mo RAM.

Can't work with LXC VPS or in Docker (or host need to have the MPTCP patched kernel).

Work with all dedicated server.

Install/Update on Debian 10 Buster x86_64

(recommended)

If you want IPv6, configure it on the server before running the script.

Connect with SSH on your server, using ssh command under Linux or Putty under windows for example.

Then, as root:

wget -O - https://www.openmptcprouter.com/server/debian10-x86_64.sh | sh

or

wget https://www.openmptcprouter.com/server/debian10-x86_64.sh
sh debian10-x86_64.sh

This will install and configure mptcp kernel, shadowsocks, glorytun and shorewall (as firewall). Key for shadowsocks and glorytun are generated by
the script.

SSH port is changed to 65222 (TCP)

Shadowsocks port is 65101 (TCP & UDP)
Glorytun port is 65001 (TCP & UDP)

14 / 47
Install-or-update-the-VPS

OMR JSON admin is 65500 (TCP)

OpenVPN port is 65301 (TCP)
MLVPN ports are 65201-65208 (UDP)
Iperf3 on port 65400 (TCP & UDP)
DSVPN port is 65401 (TCP)
V2Ray port is 65228 (TCP)

After install, keys are saved in /root/openmptcprouter_config.txt

VPS MUST be rebooted after installation.

Install/Update on Ubuntu Server 20.04 x86_64

(Are you sure you don't want to use Debian ?)

If you want IPv6, configure it on the server before running the script.

Connect with SSH on your server, using ssh command under Linux or Putty under windows for example.

Then, as root:

wget -O - https://www.openmptcprouter.com/server/ubuntu20.04-x86_64.sh | sh

or

wget https://www.openmptcprouter.com/server/ubuntu20.04-x86_64.sh
sh ubuntu20.04-x86_64.sh

This will install and configure mptcp kernel, shadowsocks, glorytun and shorewall (as firewall). Key for shadowsocks and glorytun are generated by
the script.

SSH port is changed to 65222 (TCP)

Shadowsocks port is 65101 (TCP & UDP)
Glorytun port is 65001 (TCP & UDP)
OMR JSON admin is 65500 (TCP)
OpenVPN port is 65301 (TCP)
MLVPN ports are 65201-65208 (UDP)
Iperf3 on port 65400 (TCP & UDP)
DSVPN port is 65401 (TCP)
V2Ray port is 65228 (TCP)

After install, keys are saved in /root/openmptcprouter_config.txt

VPS MUST be rebooted after installation.

Install on Debian 9 Stretch x86_64

Script will update Debian 9 to Debian 10 on a fresh install.

Connect with SSH on your server, using ssh command under Linux or Putty under windows for example.

Then, as root:

wget -O - https://www.openmptcprouter.com/server/debian9-x86_64.sh | sh

or

wget https://www.openmptcprouter.com/server/debian9-x86_64.sh
sh debian9-x86_64.sh

This will install and configure mptcp kernel, shadowsocks, glorytun and shorewall (as firewall). Key for shadowsocks and glorytun are generated by

15 / 47
Install-or-update-the-VPS

the script.

SSH port is changed to 65222 (TCP)

Shadowsocks port is 65101 (TCP & UDP)
Glorytun port is 65001 (TCP & UDP)
OMR JSON admin is 65500 (TCP)
OpenVPN port is 65301 (TCP)
MLVPN ports are 65201-65208 (UDP)
Iperf3 on port 65400 (TCP & UDP)
DSVPN port is 65401 (TCP)

After install, keys are saved in /root/openmptcprouter_config.txt

VPS MUST be rebooted after installation.

Update
To update, you have to download and run the script again. Keys will be preserved.

Files used by script

All files available here: https://github.com/Ysurac/openmptcprouter-vps

16 / 47
Install

Install
OpenMPTCProuter need a VPS/server in a datacenter and a local router.

So install must be done in 2 parts:

Router Install
VPS/Server Install

17 / 47
OpenMPTCProuter-configuration

OpenMPTCProuter-configuration
Examples for an ADSL connection and a 4G connection.

Boxes
Disable DHCP on the ADSL box and set it to IP 192.168.10.1

Disable DHCP on the 4G router and set it to IP 192.168.11.1

You should also disable IPv6 on both box, else IPv6 traffic can use a box as output.

OpenMPTCProuter
OpenMPTCProuter web interface is accessible at http://192.168.100.1/

Default user root with empty password.

Wizard
Go to menu System -> OpenMPTCProuter -> Wizard .

Use Server IP and the key you get at end of the server install script.

As wan1 gateway set 192.168.10.1 and IP 192.168.10.2 (IPv4 netmask 255.255.255.0 )

As wan2 gateway set 192.168.11.1 and IP 192.168.11.2 (IPv4 netmask 255.255.255.0 )

Manual configuration
You should really use the wizard if you don't know what you are doing

Set wan1 to fixed IP 192.168.10.2 :

18 / 47
OpenMPTCProuter-configuration

Set wan2 to fixed IP 192.168.11.2 :

Configure shadowsocks:

19 / 47
OpenMPTCProuter-configuration

Edit
local instance and enable it, then enable shadowsocks Redir Rules:

20 / 47
OpenMPTCProuter-configuration

You can now set IP 192.168.100.1 as gateway of your clients or enable DHCP server on lan interface.

Set OpenMPTCProuter IP via SSH/Console

uci set network.lan.ipaddr='your-static-ip-address' && uci commit && reboot

21 / 47
Pi-hole

Pi-hole

Install Pi-hole on VPS

Since VPS script 0.993, to install Pi-hole on OpenMPTCProuter VPS, you have to use this script after using VPS script (this configure Pi-hole to
answer only on VPN interface): wget -O - http://www.openmptcprouter.com/server/omr-pihole.sh | sh

You can select any interface and set any IPs during Pi-hole configuration, this will be modified for OpenMPTCProuter at the end.

Don't apply Pi-hole firewall rules.

To use Pi-hole in OpenMPTCProuter, you need to 'Save & Apply' the wizard again in System->OpenMPTCProuter. Web interface will be available on
10.255.255.1 if you use Glorytun TCP, 10.255.254.1 if you use Glorytun UDP.

22 / 47
Port-forwarding-using-v2ray

Port-forwarding-using-v2ray
Add a new forward rule in Network->Firewall and configure it like this:

And in "advanced settings" tab, check the "Use V2Ray" box:

23 / 47
Port-forwarding-using-v2ray

24 / 47
Port-forwarding

Port-forwarding
You need to have a VPN set on OpenMPTCProuter (Glorytun TCP by default).

Redirect all ports from VPS to OpenMPTCProuter

This is only needed if you want to redirect all ports. You shouldn't do that.

Use the checkbox in System->OpenMPTCProuter then Advanced settings tab.

Redirect port via V2Ray reverse proxy on OpenMPTCProuter

You must have v2ray selected as proxy in System->Wizard and advanced settings checkbox.

This can only be used for TCP and/or UDP forwarding: Port forwarding using V2Ray

Redirect port via VPN on OpenMPTCProuter

Example to redirect port 80 from the VPS to the IP 192.168.100.1 on the network:

First we have to forward the port. Add a new forward rule in Network->Firewall:

Configure

25 / 47
Port-forwarding

it like this:

Port will be automatically redirected from the server to the router.

If you want to redirect to a webserver, we need SNAT here. Add a new SNAT rule:

Configure
it like this (192.168.100.16 is the destination here):

26 / 47
Debug

Debug
Check that the VPN is running in System->OpenMPTCProuter and Status tab.
Check on the VPS in /etc/shorewall/rules that rules you set are available
Check on the VPS in /etc/shorewall/params.vpn that OMR_ADDR is the router side VPN IP (10.255.255.2 for glorytun TCP, the default VPN)
Check on the router if packets are coming on port 8080 from the VPN for example: tcpdump -i tun0 port 8080

If all is ok, then packets come to the router. Set a SNAT rule if not already done else check your firewall rules.

27 / 47
Router-install

Router-install

Install from precompiled images

You can download precompiled images from https://www.openmptcprouter.com/

sysupgrade images are for upgrade, for a first installation use factory image.

For Raspberry PI 2/3/4

You don't need ethernet adapters, only a switch is enough. Modems doesn't need to be directly connected to RPI ethernet port.

Download the image, then copy it to a sdcard.

You can use etcher graphical interface available for Windows, Linux and MacOS.

You can also use this commands under Linux:

gunzip openmptcprouter-*.img.gz
dd bs=4M if=openmptcprouter-*.img of=/dev/sdX conv=fsync

The Raspberry PI is then available at ip 192.168.100.1

For Linksys WRT3200ACM/WRT32X

The build is experimental. Need more testing...

WAN/Internet port is used as LAN port and LANs ports as WANs ports.

To flash the image go to Connectivity → Manual Update and select factory image [*.img]. Once flash completes, router will reboot.

More info on OpenWrt WRT3200ACM/WRT32X support here

The Linksys WRT3200ACM/WRT32X is then available at ip 192.168.100.1

For Banana PI BPI-R2

The build is experimental. Current status: https://github.com/Ysurac/openmptcprouter/issues/180

WAN port is used as LAN port and LANs ports as WANs ports. EMMC image is not tested.

Download the image, then copy it to a sdcard.

You can use etcher graphical interface available for Windows, Linux and MacOS.

You can also use this commands under Linux:

gunzip openmptcprouter-*.img.gz
dd bs=4M if=openmptcprouter-*.img of=/dev/sdX conv=fsync

The Banana PI BPI-R2 is then available at ip 192.168.100.1

For NanoPI RS2

You don't need ethernet adapters, only a switch is enough. Modems doesn't need to be directly connected to NanoPI WAN port.

Download the image, then copy it to a sdcard.

You can use etcher graphical interface available for Windows, Linux and MacOS.

You can also use this commands under Linux:

gunzip openmptcprouter-*.img.gz
dd bs=4M if=openmptcprouter-*.img of=/dev/sdX conv=fsync

28 / 47
Update

The NanoPI is then available at ip 192.168.100.1

For Espressobin v7
Download the image, then copy it to a sdcard.

You can use etcher graphical interface available for Windows, Linux and MacOS.

You can also use this commands under Linux:

gunzip openmptcprouter-*.img.gz
dd bs=4M if=openmptcprouter-*.img of=/dev/sdX conv=fsync

The Espressobin is then available at ip 192.168.100.1

For Virtualbox
Set one interface as Server Intel PRO/1000 MT (82545EM) set to bridge with promiscous mode enabled.

For ESXI
You can find a way to use the VMware image here: https://github.com/Ysurac/openmptcprouter/issues/87

For x86 and x86_64

Image can also be copied to an HD.

You can use etcher graphical interface available for Windows, Linux and MacOS.

You can also use this commands under Linux:

gunzip openmptcprouter-*.img.gz
dd bs=4M if=openmptcprouter-*.img of=/dev/sdX conv=fsync

Update
Save the configuration System->Backup/Flash Firmware->Backup->Generate archive.

Then 2 choices:

Write the latest image on the SD card, restore the configuration System->Backup/Flash Firmware->Backup->Restore backup
Download the image (.img) then use System->Backup/Flash Firmware->Backup->Flash new firmware image (this can fail, you really should
backup your configuration).

Don't update packages via the interfaces, current packages are from OpenWRT snapshot and this can break everything.

29 / 47
Snapshots

Snapshots
You can test future releases but this can be really unstable. No support on them.

For the develop server script (same script for Debian 9/10 and Ubuntu): wget -O - http://www.openmptcprouter.com/server-test/debian10-
x86_64.sh | sh

For the develop router snapshot generated images: https://download.openmptcprouter.com/develop/

Both need to be used: the snapshot router image may need the latest server develop script.

30 / 47
Technologies

Technologies
OpenMPTCP use:

LEDE
MPTCP
shadowsocks
simple-obfs
Glorytun
unbound
nginx
ndpi-filter
MLVPN
SpeedtestC

OpenMPTCP add:

LuCI interface to Glorytun

macvlan support to luci-mod-admin-full
MPTCP support to shadowsocks-libev OpenWrt/LEDE package and LuCI interface
MPTCP support to luci-mod-admin-full
simple-obfs support to shadowsocks-libev LuCI interface
IPv6 support to shadowsocks-libev package and LuCI interface
Quota support with an interface
Connection tracker support with an interface

How this work ?

By default OpenMPTCProuter (OMR) use:

ShadowSocks-libev for TCP traffic between OMR and the VPS

Glorytun TCP for UDP and ICMP traffic Both use MPTCP to aggregate links connections.

You can use:

Glorytun UDP, it support aggregation, without the need of MPTCP

MLVPN, support also aggregation, use UDP too, so doesn't use MPTCP
OpenVPN TCP that use MPTCP (but it's slower than default configuration)

The VPS is needed to combine links connections and access Internet at full aggregated speed.

31 / 47
Tutorials

Tutorials

French
https://www.tutos-informatique.com/adsl-4g-agregation/

32 / 47
Update-RPI4-firmware

Update-RPI4-firmware
There is an issue in current 0.55.2 release (will be fixed in next release), to update firmware you have to do sed -i '/chmod/d' /usr/bin/rpi-eeprom-
update then:

Run, via SSH on the router: rpi-eeprom-update -a

If the previous command fail: rpi-eeprom-update -d -a

33 / 47
V2Ray-Shadowsocks-plugin

V2Ray-Shadowsocks-plugin
Using Nginx with v2ray plugin:

server {
listen 443 ssl;
listen [::]:443 ssl;
#server_name _;
server_name toto.com; # Your domain.
root /usr/share/nginx/html/;
ssl_certificate "/root/.acme.sh/toto.com/fullchain.cer"; # Path to certificate
ssl_certificate_key "/root/.acme.sh/toto.com/toto.com.key"; # Path to private key
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_redirect off;
proxy_http_version 1.1;
proxy_pass http://localhost:65101;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

34 / 47
VPN-over-OpenMPTCProuter

VPN-over-OpenMPTCProuter

PPTP
PPTP VPN doesn't work over ShadowSocks, you have to bypass it, connection will be aggregated by Glorytun TCP VPN by default: Services-
>Shadowsocks-libev->Redir rules ->Destinations settings->Dst ip/net bypass.

35 / 47
VPS-Multi-IPs

VPS-Multi-IPs
Only Shadowsocks proxy is supported for now with multi IPs.

If there is multiples public IP on the VPS, in Services->Shadowsocks-libev, "Rules" tab you should see something like this:

To enable exit on 195.xx.17 for IP 192.168.100.180 in LAN, edit like this:

36 / 47
VPS-Multi-IPs

You need to enable related ss-server:

37 / 47
VPS-Multi-IPs

You also need to enable related ss-redir:

It's all, IP 192.168.100.180 now exit via 195.xx.17 (Shadowsocks is used for TCP and a gre tunnel is configured for UDP,ICMP,...)

38 / 47
_Sidebar

_Sidebar
Home

39 / 47
_Sidebar

Tutorials

40 / 47
_Sidebar

Install

Router Install/Update
VPS Install/Update

41 / 47
_Sidebar

Configuration

Minimum configuration
Port forwarding
VPN over OMR
Pi-hole on OMR VPS
Wifi
pfSense
VPS Multi IPs
Custom DNS
Block client Internet access
Disable IPv6 on Freebox OS

42 / 47
_Sidebar

FAQ
Update RPI4 firmware

43 / 47
_Sidebar

unsupported platform
Snapshots

44 / 47
_Sidebar

Technologies

45 / 47
pfSense

pfSense
To use a pfSense with OpenMPTCProuter, 2 choices :

dual NAT: not the best design but simpler, let pfSense do all the routing and NATing stuff
routing without NAT on pfSense: a little more complicated, port forwarding and NATing is only done on OMR

Dual NAT solution

On pfSense, add a WAN interface with OpenMPTCProuter as the default gateway. By default, pfSense will NAT to OpenMPTCProuter.

If you need port forwarding, in OpenMPTCProuter, redirect ports 1-64999 from vpn zone to lan zone, to pfSense WAN IP. Do the actual port
forwarding on pfSense.

No NAT solution
On pfSense, add a WAN interface with OMR as the default gateway and disable Outbound NAT. On OpenMPTCProuter, add static route(s) to your LAN
network(s).

If you need port forwarding, redirect the needed ports to the target LAN hosts on OpenMPTCProuter, then add a Pass WAN firewall rule on pfSense
to allow inbound traffic to the target host and port.

Source: https://github.com/Ysurac/openmptcprouter/issues/1132#issuecomment-672755457

46 / 47
pfSense

47 / 47