[Solved] Port forward across OVPN tunnel not working
-
I've been spinning my wheels on this for many hours and hope someone might have an idea of what I'm doing wrong here.
Here is what I am trying to accomplish:
I have a pfSense 2.3.3 Linode instance running that I would like to have function as a front-end/gateway to an email server on my internal network.
I have an OVPN tunnel established between the Linode and my edge router (also running 2.3.3).
I have port forwarded all ports from the WAN of the Linode to the Mail server.
I have created a LAN rule that does policy routing of all traffic from the Mail server over the tunnel and out the Linode.
I can send traffic from the Mail server over the tunnel and out the Linode, no problem.
Inbound traffic to the Linode gets to the Mail server and the Mail server replies (I can see the traffic with TCPDump).
A packet capture on the LAN of the edge router shows the traffic to the Mail server and the traffic back.
A packet capture on the OVPN interface shows the traffic coming from the Linode, but no return traffic.
It would seem that the traffic returning from the Mail server is not getting processed by the LAN firewall rule that is doing the policy based routing - although this rule works with traffic generated by the Mail server.
The traffic does not show up in any way in the firewall logs - so if it is being dropped by the firewall, the firewall is not logging the drops.
I tried enabing "sloppy state" on the LAN firewall rule - even though I don't think this is creating an asymmetrical routing issue.
I'm completely stumped. I can't even figure out how to troubleshoot any further.
Any help or thoughts would be much appreciated.
-
I solved this issue and will document what I figured out in case others have this issue. I hope that I have the details correct here. Please correct me if I am mis-stating or misunderstanding something.
I was on the track with thinking this needed some sort of policy routing to get the traffic back to the Linode WAN. The actual problem was that the reply-to mechanism was not getting triggered in order to ensure that the traffic flowed back on the same path it came from. In order for the reply-to to work properly, the traffic must flow through an Interface firewall rule - not a Group or Floating firewall rule. The key here is to create an Interface for the OVPN tunnel on each end. Then create firewall rules on the Interface tab that allow the needed traffic. It is important that there are no Group (OpenVPN tab in the Firewall -> Rules page) or Floating rules that match the traffic, as these rules will match before the Interface rules and take precedent - Group and Floating rules DO NOT activate the reply-to mechanism in PF. For my setup - I created an "allow all" rule in the created OVPN Interface tab and removed all rules from the OpenVPN Group rules tab. WIth this configuration, traffic flows over the VPN and returns on the same path and everything works as expected.
-
That pretty much sums it up.