General questions

deanfourie

@gertjan It is a cloud connection, with a cloud "connector" usually I can ping this connector and use it as a DNS server.

Without the OVPN interface, the client connects to OVPN cloud connector and I am able to use it as a DNS server, reach other clients connected to the same connector and they can reach my pfsense LAN after I created a firewall rule to allow all TCP inbound on the openvpn cloud interface (this is one that is created by default, not created in the assignments).

But when I try to create a OVPN interface in Interfaces / Assignments, everything stops in terms of VPN traffic. Cannot reach out and nothing can reach in.

Then after creating this Interface for OVPN, I go to firewall rules and now I see two OepnVPN interfaces, one is the default one that is created when the connection is established and one is the interface I created in assignments.

You follow my flow haha

deanfourie

Here is a shot of my setup without the interface setup

deanfourie

@gertjan said in General questions:

@deanfourie said in General questions:

So first q, where can I find all active NAT translations or Port Translations like a NAT table?

Here :

@deanfourie said in General questions:

And lastly, I have pfSense connected as a OVPN client to OVPN, but when binding OVPN to a new interface under interface / assignments, I cannot reach any clients on the VPN anymore.

Explain 'reach'.
Your pfSense is an OpenVPN client, so your pfSense connects to an off site OpenVPN server.
It could be the admin of that OpenVPN server that admittedly forbids inter client communication.

new interface under interface / assignments,

using what rules ?

@deanfourie said in General questions:

there is a default binding created under the firewall rules section called "OpenVPN"

The OpenVPN client doesn't create any rules. hat is created under "rules" ? What interface ? What rule ?

I dont see any translation table here. I can only see where to configure NAT here but cannot see any active mappings?

Gertjan

@deanfourie said in General questions:

Here is a shot of my setup without the interface setup

Your image is not what you said :

@deanfourie said in General questions:

I created a firewall rule to allow all TCP

Your firewall rule accepts all protocols. There is more (way more) as just "TCP".
Just TCP would be very problematic.

As your rule shows, it is used :

so all incoming traffic passes by this rules, and as everything matches, it is not that rule that has an issue.

Check your DNS server - the one in the cloud.
Is it aware of your local clients ? How does it know about the local devices and Ip addresses ?
When you connect to this cloud thing, from there, can you 'ping a device on your LAN ? Resolve a device that is on your LAN(s) ?

@deanfourie said in General questions:

I dont see any translation table here

Means you have no NAT rules.

deanfourie

@gertjan Yea sorry, my bad not just TCP but all traffic.

So, my problem is only when I create a interface binding that everything goes downhill. If I leave it with the default interface binding then everything is fine but I am limited as I cant see the default interface in all functions, that why I want to create a new binding.

So, now I go to interface / assignments and assign ovpnc1 to a new interface, lets say OVPNTEST save it, and enable the interface. Everything grinds to a halt. I dont really even know where to start problem solving on this one as its not firewall related I dont think.

Also, regarding NAT, I have 20 odd interface LAN clients connecting to the internet, there has to be NAT entries. Maybe I should say something more like PAT entries for the port translations.

johnpoz

@deanfourie said in General questions:

Maybe I should say something more like PAT entries for the port translations.

They are in in the state table.

You can see where my client 192.168.7.99 talking to 54.87.189.215:2350 was natted, or correctly NAPT (Network Address Port Translation).. it was changed to my public IP using different source port 27449 vs the original 59297.

When you created the new interface did you put rule on it? this opvntest

stephenw10

Yup that. There is no separate table for translation states they are created by pf as part of the state table.

When you assign or unassign an OpenVPN interface you must restart the OpenVPN service. No traffic will flow until you do.

Steve

deanfourie

@johnpoz I can't see this anywhere? Where is this table located in pfSense?

I have checked everywhere under NAT and I have no such entries. Why could this be?

That's what I'm looking for

Cheers

stephenw10

The state table is in Diag > States.

deanfourie

@stephenw10 ahhh thank you! I have found it now. That's what I'm looking for.

Will try the ovpn interface again and restart the service when I am home.

Thanks for the help guys!

deanfourie

Quick question is there anyway to add that (diag >> states) to the pfSense Dashboard?

Thanks

stephenw10

There is no states widget, no. Many systems have millions of states at any one time which would be difficult to accommodate.

deanfourie

@stephenw10 very true. Thank you anyway