Netgate Discussion Forum
    OpenVPN: Log and port forward question

      A Former User

      Brilliant. I wasn't too sure what to search for, but this explains it exactly. I've also understood that there is nothing much I could do about it. I just wanted to make sure that my system is running smoothly. Thank you very much for your support!

      Yes the FritzBox is doing PPPoE (VDSL) currently as I'm sharing my Internet connection with someone. And he needs the VOIP bit on the box so I can't easily replace it. Also, I would need to buy a new Modem, so I leave it as it is for now.
      I'm in "testing mode" with this server anyway; I wanted to do some testing with a fully encrypted Internet connection. So far it's running pretty well.

      I just need someone to help me with/explain that port forwarding bit.
      As said, I'm running a (2nd) SIP box in my network (1st one on the FritzBox) and when I had this connected to the FritzBox I needed to do port forwarding. Now with pfSense and the VPN this wasn't required. So I want to know what I need to do to reach my media server as well.

        Nachtfalke

        http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F

        I suppose you set up your FritzBox to allow all ports to pfSense ("DMZ Host" or "Unrestricted host"):

        pfsense:
        Firewall --> NAT --> Port Forward
        Protocol: UDP (or whatever)
        Interface: WAN
        Source IP: any (this is the IP of any computer on the internet - almost always any)
        Source-Port: any (this is the Port of a computer on the internet - almost always any)
        Destination-IP: WAN address (this is your pfsense WAN address because the FritzBox forwarded this traffic already)
        Destination-Port: 12345 (the port your media server listens on)
        Redirect-IP: 192.168.100.20 (the LAN IP address of your media server on your LAN)
        Redirect-Port: 12345 (the port your media server listens on)

        This NAT rule can automatically create a firewall rule for this port forwarding, which I would suggest.
        Then check that this firewall rule is placed on top of all other rules on your pfsense WAN interface.

        Remember:
        Outgoing traffic - from your LAN to www - will be done by your LAN firewall rules. You pointed it to your VPNGW. That is ok.
        Incoming traffic will probably come from somewhere on the www and connect to your WAN interface - your original IP. So you must set firewall rules on the WAN interface.

        So even if you blocked outgoing traffic from using your original WAN connection, it is possible to get incoming connections through this IP.
        But make sure that the connection to your media server on the web is encrypted and password protected. In such cases I would suggest installing an OpenVPN server on pfSense and then connecting from the www to your LAN/media server through this VPN tunnel. OpenVPN clients are available for Windows, Linux, Unix, Android, iOS, MacOS X.

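Roughly what the port forward described in the post above corresponds to in pf rule syntax, as an added illustration that is not part of the original post and not pfSense's generated ruleset. The interface name `em0` and the WAN address `198.51.100.2` are assumed placeholders; the LAN address and port are the ones from the post.

```pf
# Constructed values: em0 and 198.51.100.2 are placeholders, not from the thread.
wan_if   = "em0"
wan_addr = "198.51.100.2"
media    = "192.168.100.20"
fwd_port = "12345"

# NAT step: rewrite the destination of inbound UDP packets that arrive
# on the WAN interface for the WAN address and the forwarded port.
rdr on $wan_if inet proto udp from any to $wan_addr port $fwd_port -> $media port $fwd_port

# Filter step: pf applies the redirect before filtering, so the pass rule
# on the WAN interface has to match the translated (LAN) destination.
pass in quick on $wan_if inet proto udp from any to $media port $fwd_port keep state
```

The filter rule names the media server's LAN address rather than the WAN address, which is why the firewall rule created alongside the port forward lists the redirect IP as its destination.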
          A Former User

          Hi,

          this is my current workaround, and it seems to work fine, but I want to route all traffic through the tunnel. In and Out.

          Sadly, with this setup, the traffic is not routed through the VPN.

            Nachtfalke

            Then you probably have to do PortForwarding on the OpenVPN interface.
            And of course the client on the internet which should connect to the media server needs to connect to the VPN's IP address.

            So it is the same as on WAN but you need to use the VPN's interface and IP address and so on.

              A Former User

              Like this?

              Does not seem to work. Need to check it a bit later from home to see if the IP has changed, but I can't access the server through the tunnel.

                Nachtfalke

                I never configured such a scenario but in general it looks ok.

                When connecting to the media server, did you use the VPN's public IP?
                And perhaps configured on the "wrong" VPN interface. Not sure which tab is the correct one.

                  A Former User

                  This did not do it, and yes I'm using the VPN's public IP.
                  I did one port forward for every Interface, so this should work now.

                    A Former User

                    I think I got it together. Will need to check tomorrow.

                    Issue was that the VPN server I was connected to did not have Port Forwarding enabled. Seems I had the wrong IP :(

                      Nachtfalke

                      @Satras:

                      I think I got it together. Will need to check tomorrow.

                      Issue was that the VPN server I was connected to did not have Port Forwarding enabled. Seems I had the wrong IP :(

                      So did you need to enable port forwarding on the OpenVPN interface on pfSense or just on the foreign VPN?

                        A Former User

                        This is how I did it now.

                        I might be able to remove the forward on the OpenVPN Adapter I guess, just need to do some more tests with this.

                        Thank you very much for helping me with this.

                        Edit:
                        I did some cleanup. Only the 3rd rule was needed.

                          Nachtfalke

                          Thank you for your feedback :)

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.