openVPN - WAN-IP -> Portforwarding -> openVPN Tunnel
-
Dear community,
I am currently using 2 pfSense firewalls, normally configured like that:
FW - A:
WAN-IP: x.x.x213
LAN-IP: 192.168.88.0/24
FW - B:
WAN-IP: x.x.x.114
LAN-IP: 192.168.99.0/24
Now I can ping from FW - A the subnet 192.168.99.0/24 and from FW - B the subnet 192.168.88.0/24.
Now I have tried to add a port forwarding on FW A like that:
WAN-IP:1111 -> 192.168.99.100:1111
For testing purposes I have added the OpenVPN rule to * ANY on both sites.
When I try now accessing WAN-IP:1111, then I get no response from server 192.168.99.100:1111,
but internally from FW-A I can ping the server IP 192.168.99.100 normally.
Can anybody tell me how I can configure my firewalls so that I get this working?
Thank you so much for your help!
Many greets, Markus
-
@mako
At site B (the destination of the forwarding) you have to assign an interface to the OpenVPN instance in Interfaces > Assignments.
Select the instance (e.g. ovpnc1), hit Add and enable it. State a friendly name if you want.
Then go to Firewall > Rules > OpenVPN, edit the default rule and change the interface to the new VPN instance interface.
Ensure that there is no rule on the OpenVPN tab or a floating rule matching the forwarded traffic!
If you are running further OpenVPN instances, either also assign interfaces to them, where you can define the rules you need, or limit the source or destination in the OpenVPN rules so that they don't match the forwarded traffic from A.
-
Thank you so much for your help. This is working great.
Can I only ask why this is now working, or what's the reason to add the OpenVPN instance to the interface assignments?
Thank you!
-
@mako
By default, pfSense routes the response traffic from the server according to its routing table, i.e. to the default gateway, which is probably the WAN gateway. However, for proper routing it is required that the response packets go back to site A.
Proper routing can be achieved in pfSense with the reply-to tag, though. The reply-to tagging for a connection happens by the firewall rule which passes the initial incoming (request) packet. It's required that the interface on which the responsible pass rule is defined is unique and that it has a gateway assigned.
The OpenVPN tab is in fact an interface group, however, which includes all OpenVPN instances running on pfSense. It is implicitly created by pfSense when you fire up your first OpenVPN instance.
However, since the interface is not unique for traffic matching rules on this interface group, the connection cannot be tagged with the reply-to. The same is true for floating rules, since these can also be applied to multiple interfaces.
And you have to know that rules on interface groups and floating rules have precedence over interface rules.
-
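The mechanism described in the answer above, and the interface assignment from the first reply, written out in pf.conf syntax. This is an added illustration for this thread, not pfSense's generated ruleset and not something either poster provided; it assumes the site-to-site instance on site B is assigned as interface ovpnc1, that the remote (site A) tunnel address is 10.0.8.1 (a constructed value), and that $wan and $wan_ip stand for FW A's WAN interface and public address, which the thread does not give in full. The service 192.168.99.100:1111 is the one from the question.

```pf
# Added illustration in pf.conf syntax; not pfSense's generated rules and
# not from this thread. Assumptions: site B's site-to-site instance is
# assigned as interface ovpnc1, the remote (site A) tunnel address is
# 10.0.8.1 (constructed), and the forwarded service is 192.168.99.100:1111.

# Site A: the port forward on WAN. $wan and $wan_ip are placeholders for
# FW A's WAN interface and public address (not given in full in the thread).
rdr on $wan inet proto tcp from any to $wan_ip port 1111 -> 192.168.99.100 port 1111

# Site B, BEFORE: pass rule on the implicit "openvpn" interface group.
# pfSense places group rules ahead of per-interface rules, and this rule is
# quick, so it wins. A group spans several instances, so no single
# interface/gateway can be bound to the state: no reply-to, and the
# server's replies follow the routing table out of the default (WAN) gateway.
pass in quick on openvpn inet proto tcp from any to 192.168.99.100 port 1111 keep state

# Site B, AFTER: the same rule on the assigned interface ovpnc1, whose
# gateway is the remote tunnel address. The state is created with reply-to,
# so replies are sent back out ovpnc1 toward site A regardless of the
# routing table. For this to match, no group or floating rule may catch
# the forwarded traffic first.
pass in quick on ovpnc1 reply-to ( ovpnc1 10.0.8.1 ) inet proto tcp from any to 192.168.99.100 port 1111 keep state
```

Nobody edits pf.conf by hand on pfSense; the GUI generates rules of this shape from Interfaces > Assignments and Firewall > Rules. To verify which form you ended up with, read the generated ruleset in /tmp/rules.debug on the site B firewall and check that the pass rule for port 1111 sits on the assigned ovpnc1 interface with a reply-to clause, and that no earlier rule on the openvpn group or in the floating section matches the same traffic.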
@viragomann
Thank you so much for your reply. Now I understand it. Thank you for the exact information!
Many greets, Markus