Routing from subnet does not belong to pfsense
-
-
@josifbg-0 So it's working for you? Did you change the port? Your post shows the 192 box using 51821, but what you posted shows port 51825?
-
@johnpoz Yes, the port is changed everywhere.
-
@josifbg-0 Glad you got it sorted. Not really a fan of such methods. If they want to hole punch, that is fine, but there is little reason to require a specific source port; just use the port the device talked to you from. This allows for NAPT. But if you know what the listen port is, you don't have to use hole punching; you could just port forward those ports at the different locations.
-
@johnpoz Well, the main reason for hole punching is that the port can be dynamic, and the second reason is not to open any ports on your router.
This way you are able to securely create private tunnels between sites without opening any ports on your router.
-
@josifbg-0 said in Routing from subnet does not belong to pfsense:
hole punching is that the port can be dynamic
Not when the router does NAPT and changes the source port; that is my point. There is no reason the place you're talking to can't just use the port it got traffic from to hole punch back. As in your example, the client behind pfSense used port 51821, but pfSense changed that port using NAPT to 13355, etc. The hole punch would have worked if the answer had come in on that port, etc.
-
@josifbg-0 Sorry for the late reply. I tried to replicate your setting, but for some reason it did not work for me. Hope this may help others. Another user told me in the past to set the Netmaker server as a relay for all of the other nodes. After doing so, you do not have to make any changes to pfSense but are still able to ping and SSH to all nodes.
Firewall >> NAT >> Outbound >> Automatic
No special rule in the firewall
At the Netmaker, the server node is a Relay
Done. Now I can access my home and work from wherever I am without opening any port or doing any NATing.
-
@moussa854 said in Routing from subnet does not belong to pfsense:
netmaker server as a relay for all of the other nodes
In that mode all traffic would go through the tunnels the clients have set up. No hole punching would be used.
-
Thank you, I tested it with no hole punching and I am still able to ping all nodes. I fixed my post. Thanks @johnpoz
-
@moussa854 I came across the same problem, and after a lot of trial and error I found out that in order for UDP hole punching to work with pfSense you need to set Static Port on NAT outbound.
From the menu Firewall > NAT > Outbound, select Mode = Manual, edit the auto-created LAN to WAN rule and set Static Port.
Now everything should work ;)
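The two points in this thread, that a hole punch through pfSense's default outbound NAT only succeeds if the peer answers to the translated port it actually received the packet from (johnpoz's post about 51821 becoming 13355), and that enabling Static Port on the outbound rule makes the punch work even when the peer insists on the configured port (the last post), can be checked with a small model of pf's state table. The script below is an added example written for this thread, not code from Netmaker, pfSense or any poster. It assumes pfSense's default automatic outbound rule allocates a fresh source port per new state (which it does unless Static Port is set); the LAN host, WAN address and peer address are constructed from documentation ranges, and ports 51821 and 13355 mirror the ones quoted in the thread.

```python
# Toy model of pfSense outbound NAT (default NAPT vs. Static Port) and a UDP hole punch.
# Added example for this thread; addresses are constructed, 51821/13355 come from the posts.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import itertools


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class OutboundNat:
    """Stand-in for Firewall > NAT > Outbound.

    static_port=False: the automatic rule, which rewrites the source port of every
                       new state to a fresh WAN port (NAPT).
    static_port=True:  the 'Static Port' option, which keeps the LAN source port.
    """
    wan_ip: str
    static_port: bool = False
    # constructed: first translated port is 13355, as quoted in the thread
    _ports: itertools.count = field(default_factory=lambda: itertools.count(13355))
    # state table: (wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
    states: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN packet leaving on WAN and record the state pf would keep."""
        wan_port = pkt.src_port if self.static_port else next(self._ports)
        self.states[(wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving on WAN, or None when no state matches.
        With no port forward, unsolicited inbound traffic is simply dropped."""
        lan = self.states.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if lan is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, lan[0], lan[1])


# constructed endpoints
LAN_HOST, LAN_PORT = "192.168.1.50", 51821    # client behind pfSense and its WireGuard port
WAN_IP = "198.51.100.10"                      # pfSense WAN address
PEER, PEER_PORT = "203.0.113.20", 51825       # remote peer the client punches towards


def hole_punch(nat: OutboundNat, answer_to_observed_port: bool) -> bool:
    """Client sends one UDP packet to the peer through the NAT; the peer answers either
    to the port it saw on that packet or to the client's configured port. Returns
    True if the answer is delivered to the LAN client."""
    out = nat.outbound(Packet(LAN_HOST, LAN_PORT, PEER, PEER_PORT))
    reply_port = out.src_port if answer_to_observed_port else LAN_PORT
    delivered = nat.inbound(Packet(PEER, PEER_PORT, WAN_IP, reply_port))
    return delivered is not None and (delivered.dst_ip, delivered.dst_port) == (LAN_HOST, LAN_PORT)


def napt_answer_to_configured_port() -> bool:
    # Default NAPT, peer answers to 51821: pf holds state on 13355, so the answer is dropped.
    return hole_punch(OutboundNat(WAN_IP), answer_to_observed_port=False)


def napt_answer_to_observed_port() -> bool:
    # Default NAPT, peer answers to the port it received the packet from (13355): works.
    return hole_punch(OutboundNat(WAN_IP), answer_to_observed_port=True)


def static_port_answer_to_configured_port() -> bool:
    # Static Port enabled, peer answers to 51821: the WAN port is 51821 too, so it works.
    return hole_punch(OutboundNat(WAN_IP, static_port=True), answer_to_observed_port=False)


def wan_ports_seen_by_peers(nat: OutboundNat, peers: List[Tuple[str, int]]) -> List[int]:
    """WAN source port each peer observes when the same LAN socket talks to several peers.
    Under NAPT every new state gets its own port, so the port a coordination server
    learned is not the one another peer will see; with Static Port they are all equal."""
    return [nat.outbound(Packet(LAN_HOST, LAN_PORT, ip, port)).src_port for ip, port in peers]


if __name__ == "__main__":
    print("NAPT, answer to configured port :", napt_answer_to_configured_port())
    print("NAPT, answer to observed port   :", napt_answer_to_observed_port())
    print("Static Port, configured port    :", static_port_answer_to_configured_port())
    two_peers = [("203.0.113.1", 51820), (PEER, PEER_PORT)]
    print("ports seen under NAPT           :", wan_ports_seen_by_peers(OutboundNat(WAN_IP), two_peers))
    print("ports seen under Static Port    :", wan_ports_seen_by_peers(OutboundNat(WAN_IP, static_port=True), two_peers))
```

The last check is the reason the Static Port fix matters beyond one peer: the port a coordination server observed for the client is only reusable by other peers when pfSense stops rewriting it. Note that Static Port disables the source-port randomisation the automatic rule gives you, so apply it to a rule scoped to the hole-punching host or port rather than the whole LAN.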