Attempting to port forward with an OpenVPN client [SOLVED]
-
I did not see an option to enable logging for this specific rule.
Also, wallabybob, yes the server is configured to listen on 8462. I just changed the default RDP port; when I am able to see an open port I can connect via RDP no problem. The port is just not showing as open for the VPN IP:Forwarded Port. :-\
Just to clarify on the last sentence, if I take out the pfSense router and replace it with my old dd-wrt router with 8462 forwarded through the VPN with iptables, the port will show open and I can connect via RDP. So the workstation/server (whatever term you prefer) that I'm trying to connect to is properly configured to accept connections. It seems the problem is definitely in the routing on the pfSense box.



-
I suspect your firewall rule for port 8462 is wrong but I don't know enough about your configuration. If you're really doing port forwarding (rather than routing) then the destination IP address in an incoming (on the WAN interface) connection to your server won't have a destination IP address = the server address, the destination IP address will probably be the WAN interface IP address.
Further, the destination address in the rule is a private IP address so it will match the first rule and hence will be blocked.
-
I did not see an option to enable logging for this specific rule.
Look at my example above. The arrow points to the logging which is found on the firewall rule.
I suspect your firewall rule for port 8462 is wrong but I don't know enough about your configuration. If you're really doing port forwarding (rather than routing) then the destination IP address in an incoming (on the WAN interface) connection to your server won't have a destination IP address = the server address, the destination IP address will probably be the WAN interface IP address.
Further, the destination address in the rule is a private IP address so it will match the first rule and hence will be blocked.
When you do a port forward, that is the way the associated rule is written by the box. Works here.
-
I've got a feeling that on your WAN rule the Gateway needs to be associated with the VPN, but logging will help to see if anything is making it.
-
When you do a port forward, that is the way the associated rule is written by the box. Works here.
Yes, you are correct. My mistake
But then, won't the first firewall rule on the WAN interface block the (attempted) port forward?
-
When you do a port forward, that is the way the associated rule is written by the box. Works here.
Yes, you are correct. My mistake
But then, won't the first firewall rule on the WAN interface block the (attempted) port forward?
I see what you're saying. Doesn't affect me here. I think that means initiated from a private network…
-
Don't do the Port Forward on the WAN, place it on the StrongVPN interface as incoming traffic on the public vpn IP address will 'appear' on your strong VPN interface which is where you also need to place an allow rule.
-
Don't do the Port Forward on the WAN, place it on the StrongVPN interface as incoming traffic on the public vpn IP address will 'appear' on your strong VPN interface which is where you also need to place an allow rule.
Thank you sir, for your time and help!!! The port is now forwarded!!! ;D ;D ;D
Also, thank you to chpalmer and wallabybob!!!
-
Don't do the Port Forward on the WAN, place it on the StrongVPN interface as incoming traffic on the public vpn IP address will 'appear' on your strong VPN interface which is where you also need to place an allow rule.
Of course! ::) (hanging head in shame)
Awesome, glad you got it going! And thanks Thermo! :)
-
Don't do the Port Forward on the WAN, place it on the StrongVPN interface as incoming traffic on the public vpn IP address will 'appear' on your strong VPN interface which is where you also need to place an allow rule.
Of course! ::) (hanging head in shame)
You weren't the only one. I thought since the port forward was on the WAN it must be a new problem. Details!
-
The actual interface is the VPN so the rule applies there.
Even though it's a WAN connection the VPN passes through it and is therefore encrypted.