Netgate Discussion Forum

    pfsense blocking traffic from outside network

    Firewalling
    11 Posts 2 Posters 1.3k Views
    • aihysp

      Hello, I have set up OpenVPN ... it's working from a local PC, so I know the setup is OK on the VPN side.

      I opened ports on my ISP router and created a webserver just to prove the port is open....
      I created this on a machine not connected to pfSense ... I was able to get through with telnet X.X.X.X 1196.

      Now I am trying to redirect traffic to my pfSense box VPN.

      • I have a rule created by the wizard.
      • When I telnet to another port that is not opened it will immediately close, but when I try my open (ISP) port it takes some time.
      • I have firewall logs saying that pfSense is blocking traffic from the IP I am trying from.

      This is me trying to telnet to the machine:
      [screenshot]

      I am not able to understand where the issue is.

      How can I move forward here?

      • johnpoz (LAYER 8 Global Moderator) @aihysp

        @aihysp 100.125 is a carrier grade NAT range; 100.64/10, yes, that would be listed in bogon.

        You would need to remove the block bogon rule if that is the source of the traffic that is being forwarded to you.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8, 25.07.1

        • aihysp @johnpoz

          @johnpoz

          Hi, thanks, it helped, sort of...
          From the local network inside pfSense I can telnet home67street.ddns.net 1196 (my DDNS configured in my router).

          But outside traffic is still getting blocked, and now I cannot see anything related in the firewall logs.

          [screenshot]

          Or I just don't understand it :)

          Please help!!

          • johnpoz (LAYER 8 Global Moderator) @aihysp

            @aihysp What rules do you have on your WAN? If you're not logging default deny, or other rules, then no, you wouldn't see any traffic.

            Not sure how you expect something to access you if you're behind a carrier grade NAT. Your block rules before were to an RFC1918 address from a carrier grade NAT address, neither of which will work across the public internet for routing.

            ;; ANSWER SECTION:
            home67street.ddns.net.  3600    IN      A       100.125.20.250
            

            Nobody could get to that from the public internet. It's a CGNAT address, which does not route across the public internet.

            Any IP address 100.64.x.x to 100.127.x.x is not something anyone can get to who is not part of that network space. It's used by ISPs like RFC1918 is used in your home: 192.168.x.x, 172.16-31.x.x, 10.x.x.x, etc.

            https://en.wikipedia.org/wiki/Carrier-grade_NAT


            • aihysp @johnpoz

              @johnpoz

              Hello again ...
              My LAN rules, as you asked:
              [screenshot]

              I see there is an option to disable this RFC block:
              [screenshot]

              But I still cannot access ...

              For the other part, I am not a network expert by any means ... but I did have OpenVPN working for me on my last ISP.
              What can I do?

              Can anything be done at the router level? Or do I need to ask my ISP for something?
              Please explain in more noob terms :)

              And again, thanks a lot!!!

              • johnpoz (LAYER 8 Global Moderator) @aihysp

                @aihysp said in pfsense blocking traffic from outside network:

                > But I still cannot access ...

                Again, nobody from the public internet is going to be able to access a 100.64-127 address. It does not route across the public internet. It's a special address used by ISPs when they do not have enough public IPs to give to their customers.

                Did you set up something special with your ISP to forward traffic from some public IP to your CGNAT/RFC1918 address? While that could be possible, it sure wouldn't work with the DDNS you have set up, because that points to a CGNAT IP.

                If your ISP is not providing you with a public IP, then you would have to get with them to see if they can forward ports to your CGNAT/RFC1918 address. Or get them to give you a public IP, most likely for an added cost.


                • aihysp @johnpoz

                  @johnpoz
                  OK, so if I understand you... my only chance is to talk to my ISP to give me some kind of other IP system... (this will be hard).

                  I have this DDNS set up on my router ... it gives me 100.125.20.250:
                  [screenshot]

                  And I have this on findmyip.blabla:
                  [screenshot]

                  So from what I understand, none of this is usable outside my network?

                  • johnpoz (LAYER 8 Global Moderator) @aihysp

                    @aihysp So yes, when the ISP gives you a CGNAT or RFC1918 address, they have to route your traffic through some public IP or you wouldn't be able to talk to anything on the internet. This is the IP you see when you go to, say, whatsmyip.com or the like. They see the public IP you talked to them from.

                    But for your pfSense WAN to see unsolicited inbound traffic, i.e. a VPN connection to you while, say, you're out and about in the world, you would have to have some public IP to connect to. That is either already open to the internet (public IP on your pfSense WAN), or the owner of said public IP (the ISP) knows that "hey, if I see traffic to this IP on port xyz, send it to the CGNAT/RFC1918 address we gave aihysp."
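                    To make the two explanations above concrete (the 100.64/10 and RFC1918 ranges johnpoz lists, and why unsolicited inbound traffic cannot reach them), here is an added Python example that is not part of the thread: it parses a dig answer like the one quoted earlier and classifies the address the DDNS name resolves to. The A-record regex and the function names are my own; the sample input is the dig output from the thread.

```python
import ipaddress
import re

# Ranges named in the thread: RFC 6598 carrier-grade NAT and the RFC 1918 private ranges.
CGNAT = ipaddress.ip_network("100.64.0.0/10")        # 100.64.x.x to 100.127.x.x
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Sample input: the dig answer section quoted earlier in the thread.
DIG_ANSWER = """;; ANSWER SECTION:
home67street.ddns.net.  3600    IN      A       100.125.20.250
"""

# Matches one A record line of a dig answer section (simple hand-written parser, not dig's own format spec).
A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.MULTILINE)


def classify(addr: str) -> str:
    """Return 'cgnat', 'rfc1918', 'nonroutable' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if not ip.is_global:            # loopback, link-local, documentation ranges, etc.
        return "nonroutable"
    return "public"


def inbound_reachable(addr: str) -> tuple[bool, str]:
    """Can an unsolicited connection from the public internet reach this address at all?
    A public address still needs a WAN rule / port forward on pfSense to actually be accepted."""
    kind = classify(addr)
    if kind == "public":
        return True, "public address: pfSense WAN rules and NAT decide what gets in"
    if kind == "cgnat":
        return False, "CGNAT address: only the ISP can forward a public IP:port to it"
    return False, f"{kind} address: never routed across the public internet"


def check_ddns(dig_text: str) -> list[tuple[str, str, bool, str]]:
    """For each A record in a dig answer section, report (name, ip, reachable, reason)."""
    return [(name, ip, *inbound_reachable(ip)) for name, ip in A_RECORD.findall(dig_text)]


if __name__ == "__main__":
    for name, ip, ok, why in check_ddns(DIG_ANSWER):
        print(f"{name} -> {ip}: {'reachable' if ok else 'NOT reachable'} ({why})")
```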


                    • aihysp @johnpoz

                      @johnpoz

                      thank you so much!!!

                      • aihysp @johnpoz

                        @johnpoz

                        OK, so my ISP opened up my NAT and I am able to connect to the VPN by the DDNS address configured on the router!!!

                        One more Q... I am using OpenVPN... let's say I want to pay for and use something like ExpressVPN, will I get faster speeds?
                        Or does it depend on my ISP speeds?

                        Also, can something like ExpressVPN do a tunnel to a network?
                        https://techrobot.com/how-to-set-up-and-use-expressvpn-on-pfsense/

                        All the latest VPNs (NordVPN, all the paid ones) are advertised for watching Netflix and stuff.
                        My Q: do they still function as a VPN, or are they just a fancy tunnel out of your host?

                        • johnpoz (LAYER 8 Global Moderator) @aihysp

                          @aihysp Those services are a VPN; a VPN is really just an encrypted tunnel.

                          I am not aware of those two supporting inbound traffic through the VPN. But there probably are some services that provide that.

                          As to speed through a VPN: yeah, not very likely that you would see any sort of speed increase; more likely to see a pretty drastic hit on performance, if anything.

                          As to circumventing geo restrictions to watch services like Netflix, etc.: while sure, that might work for a while, at some point they will probably block whatever IP range you're using for the VPN, and you'll have to change to a different PoP or even VPN service. You're going to be playing whack-a-mole for sure with that sort of circumvention. It might work for hours, it might work for days or weeks, or shoot, it might work for a year, etc. But more than likely they will at some point block the IP you're coming from via a VPN.
