Netgate Discussion Forum
    pfSense NAT rule to another pfSense

    12 Posts 3 Posters 947 Views
    Bob.Dig @lcs

      @lcs What VPN? From where is that screenshot? Why is that disabled?

    lcs @Bob.Dig

        @Bob-Dig OpenVPN.
        It is disabled because it's not working, and there's no point in it being active as of now.
        This NAT rule is on the VPS firewall.

    Bob.Dig @lcs

          @lcs said in pfSense NAT rule to another pfSense:

          Not sure what's going on and why. I have some concerns regarding asymmetric traffic, because from the traffic logs I see the mail server is trying to talk back to the port test website directly, and not via the VPS for some reason.

          I would create a local rule which forces traffic towards port 25 out the VPN-Gateway.

    viragomann @lcs

            @lcs
            On your home pfSense you have to assign an interface to the OpenVPN instance.

            Then go to Firewall > rules > OpenVPN, edit the pass rule and change the interface to the new instance interface.

            No pass rule on the OpenVPN tab must match the incoming traffic from the VPS!
            If you're running further OpenVPN instances, either limit the pass rules to the respective source IP ranges (e.g. the tunnel network, if applicable) or also assign interfaces to the other instances and define your rules on the respective interface tab.

    lcs @viragomann

              @viragomann I have an interface for the OpenVPN and I have a pass rule.
              As I mentioned in the first post, all resources are accessible.
              When I do Diagnostics -> Test Port from the VPS to the local pfSense, I can see the port open and accessible.
              But I cannot access the port from outside.

    viragomann @lcs

                @lcs said in pfSense NAT rule to another pfSense:

                I have an interface for the OpenVPN and I have a pass rule.

                Can you show it, please?

                Remove or disable the SMTP port forwarding on WAN if you haven't done this already.

                Edit the pass rule and enable logging. Try to access your SMTP then and post the firewall log.

                I've mentioned in the first post, all resources accessible.

                I did not doubt this.

    lcs @viragomann

                  @viragomann From the VPS via the VPN tunnel to the mail server
                  [screenshot]

                  NAT rule on the VPS
                  [screenshot]

                  OpenVPN allow rule on the pfSense.local
                  [screenshot]

                  Local rule forwarding the outbound traffic to the VPS
                  [screenshot]

                  When doing an external port test:
                  on the VPS I see hits
                  [screenshot]
                  On the packet capture
                  [screenshot]

                  On the local pfSense I also see hits, but from the IP of the port test website, not the VPS firewall
                  [screenshot]

                  And the packet capture from the local firewall
                  [screenshot]

    viragomann @lcs

                    @lcs
                    I instructed you to remove all matching rules from the OpenVPN tab on the home pfSense. The communication would not work if any pass rule there matches the forwarded traffic!

    lcs @viragomann

                      @viragomann You are correct. If there's a matching rule, it's not working.
                      Why is that?
                      When I disabled the matching rules, it started working as expected.

    viragomann @lcs

                        @lcs
                        With the forwarding from the VPS you have incoming traffic from public sources on a non-default gateway. So responses from your SMTP server have to be directed back to the VPS.

                        To achieve this, pfSense can tag incoming traffic with the "reply-to" (gateway). This is done by the filter rule which allows the traffic in. Without this, the traffic would be sent out to the default gateway.
                        However, to apply the reply-to tag, pfSense has to know which gateway to reply to, for plausible reasons. pfSense uses the gateway which is assigned to the interface the rule is defined on.
                        But OpenVPN is not a certain interface; it is an interface group indeed, including all OpenVPN instances. And firewall rules on interface groups have priority over rules on member interfaces. Therefore such rules are probed first.

    lcs @viragomann
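As an added illustration of the explanation above (not code from the thread or from pfSense itself), this Python snippet parses constructed `pfctl -sr`-style lines and flags pass rules on the `openvpn` interface group that would match the forwarded SMTP traffic but carry no `reply-to`; such a rule is evaluated before the rule on the assigned instance interface and sends the replies out the default gateway. The rule text, interface name `ovpns1` and addresses are constructed samples, not taken from the thread.

```python
import re

# Constructed sample in the style of "pfctl -sr" output (not captured from a real box).
# Rule 1 is the kind of catch-all on the OpenVPN tab (group "openvpn") that the thread
# identified as the problem; rules 2-3 sit on the assigned instance interface ovpns1
# and carry the reply-to that routes answers back through the tunnel to the VPS.
SAMPLE_RULES = """\
pass in quick on openvpn inet proto tcp from any to any port = 25 flags S/SA keep state label "USER_RULE: OpenVPN tab"
pass in quick on ovpns1 reply-to ( ovpns1 10.0.8.2 ) inet proto tcp from any to 192.168.1.10 port = 25 flags S/SA keep state label "USER_RULE: SMTP via VPS"
pass in quick on ovpns1 reply-to ( ovpns1 10.0.8.2 ) inet proto tcp from any to 192.168.1.10 port = 443 flags S/SA keep state label "USER_RULE: HTTPS via VPS"
"""

RULE_RE = re.compile(
    r"^pass\s+in\s+quick\s+on\s+(?P<iface>\S+)"
    r"(?:\s+reply-to\s+\(\s*(?P<rt_if>\S+)\s+(?P<rt_gw>\S+)\s*\))?"
    r"(?:.*?\bproto\s+(?P<proto>\S+))?"
    r"(?:.*?\bport\s+=\s+(?P<port>\d+))?"
)


def parse_rules(text):
    """Parse pass-in rules into dicts; lines that do not match are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rules.append({
            "iface": m.group("iface"),
            "reply_to": m.group("rt_gw"),  # None when the rule has no reply-to
            "proto": m.group("proto"),     # None means any protocol
            "port": int(m.group("port")) if m.group("port") else None,  # None: any port
        })
    return rules


def shadowing_group_rules(rules, group="openvpn", proto="tcp", port=25):
    """Return rules on the interface group that would match the forwarded service
    but have no reply-to. pf evaluates group rules before member-interface rules,
    so such a rule wins and the SMTP replies leave via the default gateway instead
    of going back through the VPN to the VPS (the asymmetric path seen in the thread)."""
    return [
        r for r in rules
        if r["iface"] == group
        and r["reply_to"] is None
        and r["proto"] in (None, proto)
        and r["port"] in (None, port)
    ]


if __name__ == "__main__":
    for r in shadowing_group_rules(parse_rules(SAMPLE_RULES)):
        print("shadowing rule without reply-to on group", r["iface"], "->", r)
```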

                          @viragomann Thanks for the clarification.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.