    Firewall issue with OpenVPN

    Mad Professor

      I'm having a tiny problem.

      I did the wizard and got everything up, and it created the rules, so I tried from my Android phone using a .ovpn profile generated from the client export package.
      But it can't connect.
      Did a port scan, 1194 not responding; tried a different port, 34447, and edited the firewall rules. Still not responding.
      Taking a look at my firewall logs I can see the packets, but they're going to a video phone on the DMZ which has a 1:1 NAT firewall rule, which pfSense then blocks.

      So how can I get 1194/34447 to come to the WAN interface instead of going down to the 1:1 NAT device?

      viragomann

        It's possible to NAT OVPN as well. So you can try to set a NAT rule for the OVPN port directing it to the LAN address, and set the OVPN server to listen on LAN.

        If that doesn't work, drop your 1:1 NAT and set port forwarding rules instead.

        Mad Professor

          Getting rid of 1:1 NAT is not an option; these devices from Sorenson use random inbound ports for some weird reason. Even with all the documented ports being open, incoming video feeds were blocked by pfSense. I had to do it a different way in 1.2.3, and when 2.1 came with 1:1 it was a godsend.

          But your solution to change the OVPN to the LAN side worked.
          I deleted all the rules for OVPN and set a NAT rule.
          Now I want to make sure I didn't expose my network or the firewall itself accidentally, so just to confirm, in Firewall Rules:

          LAN tab (automatically created by the OVPN wizard):

          
          Proto 	Source 	Port 	Destination 	Port 	Gateway
          IPv4  	  * 	  * 	LAN address 	34447 	*
          UDP 
          
          

          WAN tab (created by the NAT rule):

          Proto      Source   Port   Destination   Port    Gateway
          IPv4 UDP   *        *      192.168.0.1   34447   *


          NAT Port Forward:

          If    Proto   Src. addr   Src. ports   Dest. addr    Dest. ports   NAT IP        NAT Ports
          WAN   UDP     *           *            WAN address   34447         192.168.0.1   34447


          Is this correct?

          Any adjustment I need to make?

          viragomann

            That would be okay.

            The only port forwarded to your LAN side is 34447, and this is where your OpenVPN server is listening and handling incoming packets.

            However, if you are in doubt about routing VPN to LAN, you may take any other interface. With DMZ it would work just as well.

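For reference, the three entries confirmed above written as a pf rule fragment of the kind pfSense generates in /tmp/rules.debug. This is an added illustration, not output from the poster's firewall: the interface names em0/em1 and the video phone's DMZ and public addresses are placeholders, and only 34447/udp and 192.168.0.1 come from the thread.

```pf
# Added illustration, not taken from the thread. Interface names and the
# video phone addresses are placeholders; 34447/udp and 192.168.0.1 are the
# values posted above.
wan       = "em0"              # placeholder WAN interface
lan       = "em1"              # placeholder LAN interface
phone_dmz = "10.10.10.20"      # placeholder: video phone on the DMZ
phone_pub = "203.0.113.5"      # placeholder: public address of the 1:1 mapping

# NAT > Port Forward. pf matches inbound packets against rdr rules before
# binat rules, which is why the port forward takes precedence over the 1:1
# mapping and UDP/34447 now reaches the LAN address instead of the phone.
rdr on $wan proto udp from any to ($wan) port 34447 -> 192.168.0.1 port 34447

# NAT > 1:1. Every other inbound port on the mapped address still goes to the
# phone, so its random inbound ports keep working.
binat on $wan from $phone_dmz to any -> $phone_pub

# WAN rule created by the port forward: pass the translated packet only.
pass in quick on $wan proto udp from any to 192.168.0.1 port 34447 keep state

# LAN rule created by the OpenVPN wizard: the server listens on the LAN address.
pass in quick on $lan proto udp from any to ($lan) port 34447 keep state
```

Anything else arriving on the WAN address is still caught by the 1:1 mapping, so the only new exposure is the single UDP port that the OpenVPN server itself is listening on.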
            Mad Professor

              wunderbar!

              Yeah, I have a few other rules, but they were created from NAT, and the DMZ rules were created by me, guided by the pfSense community.
              The only rules in the LAN tab are the anti-lockout rule and the default LAN rule.

              Now all I have to do is update pfSense to 2.1.2 tonight and hopefully no surprises.

              Thank you so much.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.