OpenVPN: Log and port forward question
-
Hi Nachtfalke,
I will do some more tests tomorrow evening with the 2nd rule, but I've tested this and I'm sure that if the VPN went down, my clients connected to the Internet using the WAN port.
Thanks for the "hint" on rule 3… ;)
I've tested the 4th rule, and can confirm that it works as expected and I'm browsing with the VPN IP rather than my "local" one.
Thanks also for the DMZ idea, I might use this too. I hope someone else is able to guide me on the port forwarding using VPN too.
Also, I would be keen to understand why the entries in the logs are appearing. Thanks
-
When I took another look at the firewall logs it came to my mind:
http://doc.pfsense.org/index.php/What_are_TCP_Flags%3F
The blocked entries only show "FIN" packets. In general these are packets which are sent to tell the sender that the connection can be closed. Depending on how long the firewall keeps a state alive it can happen that an application sends a "FIN" packet to the sender but the firewall has already closed this connection because of a timeout and no traffic for this connection.
When you search the forum you will probably find some other threads where people are talking about such a behaviour, and it seems to be absolutely normal behaviour of a so-called "stateful firewall", which pfSense is.
Found something:
http://forum.pfsense.org/index.php?topic=39960.0
So nothing to worry about, and the explanation above seems to be the reason why you did not notice any problems on your Android phones.
PS:
Are you using PPPoE on pfSense or do you do PPPoE on your FritzBox?
The suggestion with DMZ and so on depends on the fact that PPPoE is done on your FritzBox and the pfSense WAN interface gets its IP by DHCP or static from your FritzBox.
-
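The explanation above (state expired, late FIN gets logged as blocked) is easy to check against the actual log instead of eyeballing it. The script below is an added example, not code from the thread or from pfSense: it parses pfSense filterlog lines and sorts blocked TCP entries by their TCP flags, so teardown packets (FIN/RST without SYN, the benign case discussed here) are counted separately from fresh SYNs, which are the ones worth a second look. The field layout after `filterlog: ` is my reading of the pfSense filterlog CSV format for IPv4/TCP and the sample log lines are constructed; confirm the layout against `/var/log/filter.log` on your own box before trusting the counts.

```python
"""Classify blocked pfSense filterlog entries by TCP flags.

Added example; assumes the pfSense filterlog CSV layout below
(fields after "filterlog: ", IPv4 + TCP only). Sample lines are
constructed, with RFC 5737 documentation addresses.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed field order of pfSense filterlog records (IPv4 + TCP).
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "proto_id",
        "proto", "length", "src", "dst"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window",
       "urg", "options"]

# Constructed sample: two late FIN/ACKs from a web server whose state
# already expired, two SYNs from a host probing ssh/telnet, one UDP
# block and one passed SYN/ACK that must not be counted.
SAMPLE_LOG = """\
Oct 12 21:43:10 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,55,23110,0,DF,6,tcp,40,198.51.100.20,203.0.113.5,443,51234,0,FA,1,1,0,,
Oct 12 21:43:11 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,55,23111,0,DF,6,tcp,40,198.51.100.20,203.0.113.5,443,51234,0,FA,1,1,0,,
Oct 12 21:43:15 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,116,4000,0,none,6,tcp,60,192.0.2.77,203.0.113.5,43192,22,0,S,5,0,65535,,
Oct 12 21:43:16 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,116,4001,0,none,6,tcp,60,192.0.2.77,203.0.113.5,43193,23,0,S,6,0,65535,,
Oct 12 21:43:20 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,55,23112,0,DF,17,udp,80,198.51.100.20,203.0.113.5,53,51235,60
Oct 12 21:43:30 pfSense filterlog: 1000000104,,,1000000105,em0,match,pass,in,4,0x0,,55,23113,0,DF,6,tcp,60,198.51.100.21,203.0.113.5,443,51236,0,SA,7,8,65535,,
"""


@dataclass
class Entry:
    iface: str
    action: str
    direction: str
    src: str
    dst: str
    sport: str
    dport: str
    tcpflags: str


def parse(line):
    """Parse one syslog line; return an Entry, or None if not IPv4/TCP."""
    if "filterlog: " not in line:
        return None
    fields = line.split("filterlog: ", 1)[1].strip().split(",")
    rec = dict(zip(COMMON, fields))
    if rec.get("ipver") != "4":
        return None  # IPv6 records use a different layout; skipped here
    rest = fields[len(COMMON):]
    rec.update(zip(IPV4, rest))
    if rec.get("proto") != "tcp":
        return None
    rec.update(zip(TCP, rest[len(IPV4):]))
    return Entry(rec["iface"], rec["action"], rec["direction"], rec["src"],
                 rec["dst"], rec["sport"], rec["dport"], rec.get("tcpflags", ""))


def classify(entry):
    """Map TCP flags of a blocked packet to a coarse category."""
    flags = set(entry.tcpflags)
    if "S" in flags and "A" not in flags:
        return "new-connection-attempt"      # someone trying to open a port
    if "S" in flags:
        return "syn-ack-without-state"       # reply to a SYN we never tracked
    if "F" in flags or "R" in flags:
        return "stale-state-teardown"        # the benign case from the thread
    return "out-of-state-ack"


def blocked_entries(lines):
    for line in lines:
        entry = parse(line)
        if entry is not None and entry.action == "block":
            yield entry


def summarize(lines):
    """Count blocked TCP packets per category."""
    return Counter(classify(e) for e in blocked_entries(lines))


def syn_sources(lines):
    """Source IPs that had bare SYNs blocked, with a count each."""
    counts = Counter(e.src for e in blocked_entries(lines)
                     if classify(e) == "new-connection-attempt")
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for category, n in sorted(summarize(lines).items()):
        print(f"{category:26s} {n}")
    print("bare SYN sources:", syn_sources(lines))
```

Run it against a real log with `summarize(open("/var/log/filter.log"))`; if nearly everything lands in `stale-state-teardown` the blocks are the expiry effect described above, while a source that piles up `new-connection-attempt` entries across many ports is a scan, not a timeout.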
Brilliant. I wasn't too sure what to search for, but this explains it exactly. I've also understood that there is nothing much I could do about it. I just wanted to make sure that my system is running smoothly. Thank you very much for your support!
Yes, the FritzBox is doing PPPoE (VDSL) currently, as I'm sharing my Internet connection with someone, and he needs the VoIP bit on the box so I can't easily replace it. Also, I would need to buy a new modem, so I leave it as it is for now.
I'm in "testing mode" with this server anyway; I wanted to do some testing with a fully encrypted Internet connection. So far it's running pretty well. I just need someone to help me with/explain that port forwarding bit.
As said, I'm running a (2nd) SIP box in my network (1st one on the FritzBox), and when I had this connected to the FritzBox I needed to do port forwarding. Now with pfSense and the VPN this wasn't required. So I want to know what I need to do to reach my media server as well.
-
http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F
I suppose you set up your FritzBox to allow all ports to pfSense ("DMZ Host" or "Unrestricted host").
pfSense:
Firewall --> NAT --> Port Forward
Protocol: UDP (or whatever)
Interface: WAN
Source IP: any (this is the IP of any computer on the internet - almost always any)
Source Port: any (this is the port of a computer on the internet - almost always any)
Destination IP: WAN address (this is your pfSense WAN address because the FritzBox forwarded this traffic already)
Destination Port: 12345 (the port your media server listens on)
Redirect IP: 192.168.100.20 (the LAN IP address of your media server on your LAN)
Redirect Port: 12345 (the port your media server listens on)
This NAT rule can automatically create a firewall rule for this port forwarding, which I would suggest.
Then check that this firewall rule is placed on top of all other rules on your pfSense WAN interface.
Remember:
Outgoing traffic - from your LAN to www - will be handled by your LAN firewall rules. You pointed it to your VPN GW. That is ok.
Incoming traffic will probably come from somewhere on the www and connects to your WAN interface - your original IP. So you must set firewall rules on the WAN interface. So even if you blocked outgoing traffic from using your original WAN connection, it is possible to get incoming connections through this IP.
But make sure that the connection to your media server on the web is encrypted and password protected. In such cases I would suggest installing an OpenVPN server on pfSense and then connecting from the www to your LAN/media server through this VPN tunnel. OpenVPN clients are available for Windows, Linux, Unix, Android, iOS, Mac OS X.
-
Hi,
this is my current workaround, and it seems to work fine, but I want to route all traffic through the tunnel. In and out.
Sadly, with this setup, the traffic is not routed through the VPN.
-
Then you probably have to do port forwarding on the OpenVPN interface.
And of course the client on the internet which should connect to the media server needs to connect to the VPN's IP address. So it is the same as on WAN, but you need to use the VPN's interface and IP address and so on.
-
Like this ?
Does not seem to work. Need to check it a bit later from home to see if the IP has changed, but I can't access the server through the tunnel.
-
I never configured such a scenario, but in general it looks ok.
When connecting to the media server, did you use the VPN's public IP?
And perhaps it is configured on the "wrong" VPN interface. Not sure which tab is the correct one.
-
This did not do it, and yes, I'm using the VPN's public IP.
I did one port forward for every interface, so this should work now.
-
I think I got it together. Will need to check tomorrow.
Issue was that the VPN server I was connected to did not have port forwarding enabled. Seems I had the wrong IP :(
-
@Satras:
I think I got it together. Will need to check tomorrow.
Issue was that the VPN server I was connected to did not have port forwarding enabled. Seems I had the wrong IP :(
So did you need to enable port forwarding on the OpenVPN interface on pfSense or just on the foreign VPN?
-
This is how I did it now.
I might be able to remove the forward on the OpenVPN adapter I guess; just need to do some more tests with this.
Thank you very much for helping me with this.
Edit:
I did some cleanup. Only the 3rd rule was needed.
-
Thank you for your feedback :)