Netgate Discussion Forum

    Port forwarding help needed from Wolf666

    Category: 2.2 Snapshot Feedback and Problems - RETIRED
    34 Posts 4 Posters 6.8k Views
    • Wolf666

      Rules on OpenVPN tab don't match traffic in question.

      I have no rules on OpenVPN tab. The only rules are on AIRVPN_WAN tab and VPN tab (VPN is the name of the former interface OPT1) and the others related to WAN and LAN (at this stage DMZ interface, former OPT2, is off) to allow clear-internet and client subnet communication.

      I followed these steps (brilliantly explained in https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/ ):

      1 - I assigned the interface AIRVPN_WAN to ovpnc()
      2 - Created Gateway:

      Interface = [AirVPN_WAN ▼]
      Address Family = [IPv4 ▼]
      Name = [✎ AirVPN_WAN]
      Gateway = [dynamic]
      Default Gateway = [] (UNCHECKED)
      Disable Gateway Monitoring = [ ]
      Monitor IP = [10.4.0.1]
      Advanced = Unchanged
      Description = [✎ AirVPN_WAN Gateway]

      3 - Created Outbound Nat in order to route all traffic initiated in interface VPN (subnet 192.168.2.0/24) to use gateway AIRVPN_WAN

      Disabled = [ ] (unchecked)

      Interface = [ AirVPN_WAN ▼]
      Protocol = [ Any ▼]
      Source = Type: [ Network ▼]
                    Address: [ 192.168.2.0 ] / [ 24 ▼]
                    Source port: [_____] (empty/blank)
      Destination: Type = [ Any ▼]
      Translation: Address = [ Interface Address ]
      Description = [ AirVPN_LAN -> AirVPN_WAN ]

      4 - Created some firewall rules to avoid DNS Leak and pass VPN LAN traffic.

      Action = [ Block ▼]
      Disabled = [] Disable this rule (UNCHECKED)
      Interface = [VPN ▼]
      TCP/IP Version = [IPv4 ▼]
      Protocol = [TCP/UDP ▼]
      Source = [ ] Not    (UNCHECKED)
                    Type: [ Any ▼]
                    Address: [______] (BLANK)
      Destination = [✔] Not    (CHECKED)
                          Type: [ Single host or alias ▼]
                          Address: [10.4.0.1]
      Destination port range = From: [ DNS ▼]
                                            To: [ DNS ▼]
      Log = [✔] (CHECKED)
      Description = [✎ BLOCK_DNS_LEAKS_VPN]
      [ADVANCED FEATURES]  >  GATEWAY = [ AirVPN_WAN ▼]

      ----------------------------------------------------------------------------------------------

      Action = [ Pass ▼]
      Disabled = [] Disable this rule (UNCHECKED)
      Interface = [VPN ▼]
      TCP/IP Version = [IPv4 ▼]
      Protocol = [Any ▼]
      Source = [ ] Not (UNCHECKED)
                    Type: [ VPN Subnet ▼]
                    Address: [] (BLANK)
      Destination = [ ] Not (UNCHECKED)
                          Type: [ Any ▼]
                          Address: [ ] (BLANK)
      Log = [ ] (UNCHECKED)
      Description = [✎ Allow AirVPN_LAN Outbound]
      [ADVANCED FEATURES]  >  GATEWAY = [ AirVPN_WAN ▼]

      I am a Gold Member, and I am already reading the pfSense Book. Please take into consideration that I have been using pfSense for only 10 days… I have built my own appliance. I am a hobbyist with some skills (I came from several years of OpenWrt / DD-WRT routers) but totally new to pfSense.

      Thank you very much for your time, I will continue to make my tests and read logs.

      Modem Draytek Vigor 130
      pfSense 2.4 Supermicro A1SRi-2558 - 8GB ECC RAM - Intel S3500 SSD 80GB - M350 Case
      Switch Cisco SG350-10
      AP Netgear R7000 (Stock FW)
      HTPC Intel NUC5i3RYH
      NAS Synology DS1515+
      NAS Synology DS213+

      • Derelict (LAYER 8 Netgate)

        What are your rules on the AIRVPN_WAN interface?

        What are your rules on the OpenVPN Tab?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Wolf666

          @Derelict:

          What are your rules on the AIRVPN_WAN interface?

          What are your rules on the OpenVPN Tab?

          Since I cancelled the port forwarding rules, for both:

          "No rules are currently defined for this interface
          All incoming connections on this interface will be blocked until you add pass rules."

          Now I will set up the port forwarding and report back in minutes.

          • Wolf666

            Port Forward

            AIRVPN_WAN TCP * * AIRVPN_WAN address 9091 192.168.2.10 9091

            Firewall (AIRVPN_WAN Tab):

            IPv4 TCP * * 192.168.2.10 9091 AIRVPN_WAN none

            Firewall (OpenVPN Tab):

            No rules are currently defined for this interface
            All incoming connections on this interface will be blocked until you add pass rules.

            For info the port forwarding:
            WAN TCP * * WAN address 21000 192.168.1.6 11678

            With firewall rule on WAN tab:
            IPv4 TCP * * 192.168.1.6 11678 * none

            Works.

            The default gateway is WAN (*)

            • Derelict (LAYER 8 Netgate)

              Firewall (AIRVPN_WAN Tab):

              IPv4 TCP  *  *  192.168.2.10  9091  AIRVPN_WAN  none

              Try getting rid of that gateway and setting the rule to default.  That's wrong.  That says that traffic received by pfSense in interface AIRVPN_WAN (from AIRVPN) should use AIRVPN_WAN as the gateway.

              • Wolf666

                @Derelict:

                Firewall (AIRVPN_WAN Tab):

                IPv4 TCP  *  *  192.168.2.10  9091  AIRVPN_WAN  none

                Try getting rid of that gateway and setting the rule to default.  That's wrong.  That says that traffic received by pfSense in interface AIRVPN_WAN (from AIRVPN) should use AIRVPN_WAN as the gateway.

                OK modification done

                IPv4 TCP/UDP * * 192.168.2.10 9091 * none

                Looking at Firewall log:

                PASS - Oct 16 20:49:08 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:36454           192.168.2.10:9091 TCP:S

                PASS - Oct 16 20:48:55 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:50755           192.168.2.10:9091 UDP

                BLOCK - Oct 16 20:50:41 VPN Default deny rule IPv4 (1000000101)                          192.168.2.10:9091          95.211.138.143:36454 TCP:SA

                BLOCK - Oct 16 20:49:53 Direction=OUT WAN Default deny rule IPv4 (1000000102)  192.168.2.10:9091     95.211.138.143:36454 TCP:SA

                So the Port forwarding rule is correctly applied but the acknowledgement is blocked.

                TCP:SA is blocked because of the following:

                Outbound NAT

                PASS AIRVPN_WAN 192.168.2.0/24 * * * AIRVPN_WAN address *

                Firewall Rule (VPN Tab)

                BLOCK IPv4 TCP/UDP * * ! 10.4.0.1 53 (DNS) AIRVPN_WAN_GW none
                PASS IPv4 TCP/UDP VPN net * * * AIRVPN_WAN_GW none

                Basically I built my home LAN so that clients connected to the VPN interface always go through the AirVPN tunnel, using AirVPN DNS only.

                I thought TCP:SA was routed via established tunnel as well, automatically.

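An added example (not code from the thread, pfSense or AirVPN): the Python below parses log lines in the shape quoted above and pairs each blocked reply with the passed request for the reversed 5-tuple, flagging replies that left on a different interface than the one that accepted the request, which is what the two TCP:SA blocks show. The sample lines, the line grammar and the Entry type are constructed here; the request-to-reply gap is reported as well because the timestamps in the snippet are far apart.

```python
import re
from dataclasses import dataclass

# Constructed sample shaped like the filter-log lines quoted in this thread (spacing normalised).
SAMPLE_LOG = """\
PASS - Oct 16 20:49:08 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:36454 192.168.2.10:9091 TCP:S
PASS - Oct 16 20:48:55 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:50755 192.168.2.10:9091 UDP
BLOCK - Oct 16 20:50:41 VPN Default deny rule IPv4 (1000000101) 192.168.2.10:9091 95.211.138.143:36454 TCP:SA
BLOCK - Oct 16 20:49:53 Direction=OUT WAN Default deny rule IPv4 (1000000102) 192.168.2.10:9091 95.211.138.143:36454 TCP:SA
"""

# Hypothetical grammar derived from the quoted entries: action, time, [Direction=], iface, rule (id), src:port, dst:port, proto[:flags].
LINE_RE = re.compile(
    r"^(?P<action>PASS|BLOCK) - \w{3} \d{1,2} (?P<hms>\d\d:\d\d:\d\d)\s+"
    r"(?:Direction=(?P<direction>IN|OUT)\s+)?(?P<iface>\S+)\s+"
    r"(?P<rule>.+?)\s+\((?P<rule_id>\d+)\)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?\s*$"
)

@dataclass(frozen=True)
class Entry:
    action: str
    seconds: int      # time of day in seconds; enough to compare entries from one day
    direction: str    # pfSense logs inbound by default and marks outbound explicitly
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str

def parse_line(line: str) -> "Entry | None":
    """Parse one filter-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = (int(x) for x in m["hms"].split(":"))
    return Entry(
        action=m["action"], seconds=h * 3600 + mi * 60 + s,
        direction=m["direction"] or "IN", iface=m["iface"],
        src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
        proto=m["proto"], flags=m["flags"] or "",
    )

def find_asymmetric_replies(lines) -> list:
    """Pair each BLOCK with a PASS of the reversed 5-tuple on another interface:
    the reply was not matched to its state and left via the default-route side."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    passed = {}
    for e in entries:
        if e.action == "PASS":
            passed[(e.proto, e.src, e.sport, e.dst, e.dport)] = e
    findings = []
    for e in entries:
        if e.action != "BLOCK":
            continue
        req = passed.get((e.proto, e.dst, e.dport, e.src, e.sport))
        if req is None or req.iface == e.iface:
            continue
        findings.append({
            "client": f"{req.src}:{req.sport}",
            "request_iface": req.iface,
            "reply_iface": e.iface,
            "reply_direction": e.direction,
            "flags": e.flags,
            "gap_seconds": e.seconds - req.seconds,   # seconds between request and blocked reply
        })
    return findings

if __name__ == "__main__":
    print(*find_asymmetric_replies(SAMPLE_LOG.splitlines()), sep="\n")
```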
                • Derelict (LAYER 8 Netgate)

                  The times on that log snippet don't make a lot of sense.

                  PASS - Oct 16 20:49:08  AIRVPN_WAN  USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:36454            192.168.2.10:9091  TCP:S

                  PASS - Oct 16 20:48:55  AIRVPN_WAN  USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:50755            192.168.2.10:9091  UDP

                  BLOCK - Oct 16 20:50:41  VPN  Default deny rule IPv4 (1000000101)                          192.168.2.10:9091          95.211.138.143:36454  TCP:SA

                  BLOCK - Oct 16 20:49:53  Direction=OUT WAN  Default deny rule IPv4 (1000000102)  192.168.2.10:9091      95.211.138.143:36454  TCP:SA

                  There's like minutes between the S and SA in that log snippet.

                  If you look at Diagnostics->States and filter on 192.168.2.10 or maybe 9091, what states are there when the VPN client is trying to connect inbound on 9091?

                  • Wolf666

                    Here the states:

                    AIRVPN_WAN udp 192.168.2.10:9091 (10.4.102.214:9091) <- 95.211.138.143:47494 NO_TRAFFIC:SINGLE

                    VPN udp 95.211.138.143:47494 -> 192.168.2.10:9091 SINGLE:NO_TRAFFIC

                    • Derelict (LAYER 8 Netgate)

                      I'm confused now.  Is this TCP or UDP traffic you're trying to forward?  When you tried it that time, were there any firewall log hits?

                      • Wolf666

                        @Derelict:

                        I'm confused now.  Is this TCP or UDP traffic you're trying to forward?  When you tried it that time, were there any firewall log hits?

                        Sorry, it was midnight in Italy… and I got confused. My goal is to forward both TCP and UDP, as suggested by AirVPN. I did that in the past with iptables.

                        Back to the problem

                        Settings:

                        PF

                        AIRVPN_WAN  TCP/UDP  *  *  AIRVPN_WAN address  9091  192.168.2.10  9091

                        Firewall (AIRVPN_WAN Tab):

                        IPv4 TCP/UDP  *  *  192.168.2.10  9091  AIRVPN_WAN  none

                        Firewall LOG

                        PASS - Oct 16 20:49:08  AIRVPN_WAN  USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:36454            192.168.2.10:9091  TCP:S

                        PASS - Oct 16 20:48:55  AIRVPN_WAN  USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:50755            192.168.2.10:9091  UDP

                        BLOCK - Oct 16 20:50:41  VPN  Default deny rule IPv4 (1000000101)                          192.168.2.10:9091          95.211.138.143:36454  TCP:SA

                        BLOCK - Oct 16 20:49:53  Direction=OUT WAN  Default deny rule IPv4 (1000000102)  192.168.2.10:9091      95.211.138.143:36454  TCP:SA

                        State

                        AIRVPN_WAN  udp  192.168.2.10:9091 (10.4.102.214:9091) <- 95.211.138.143:47494  NO_TRAFFIC:SINGLE

                        VPN  udp  95.211.138.143:47494 -> 192.168.2.10:9091  SINGLE:NO_TRAFFIC

                        • Wolf666

                          Could it be related to this bug: https://redmine.pfsense.org/issues/3760 ?

                          I am using 2.2Beta (16OCT)

                          • Derelict (LAYER 8 Netgate)

                            I had no idea this was 2.2.  Sorry.  Can't help with that.  There's a 2.2 feedback and problems thread for 2.2 feedback.  I don't know if it's a problem or if there's something misconfigured, but I'm staying away from 2.2; no time.

                            • Wolf666

                              @Derelict:

                              I had no idea this was 2.2.  Sorry.  Can't help with that.  There's a 2.2 feedback and problems thread for 2.2 feedback.  I don't know if it's a problem or if there's something misconfigured, but I'm staying away from 2.2; no time.

                              Thank you for your time.

                              • Derelict (LAYER 8 Netgate)

                                If you refer to the document in https://forum.pfsense.org/index.php?topic=82944.msg454035#msg454035 I created a connection to VPNBOOK on pfSense A and successfully made Host B1 egress to the internet via OpenVPN to pfSense A then out the VPNBOOK connection.  Everything "just worked" as expected.

                                Unfortunately, I can't build your specific config because I don't have a VPN provider that will give me a port forward.  I have asked airvpn for a trial account.

                                • Wolf666

                                  Should be a simple problem:

                                  Once I have the remote AirVPN server NAT ready, I have a real AIRVPN_Public_IP; any hit to AIRVPN_Public_IP:port is NAT'd to the internal AIRVPN_IP:port, and that traffic should go straight inside the tunnel toward the endpoint, my pfSense AIRVPN_WAN IP (same as AIRVPN_IP:port).

                                  That said, my only action in pfSense should be a simple NAT to MyClient_IP:port and let pfSense create the automatic firewall rule.

                                  • Derelict (LAYER 8 Netgate)

                                    You're right.  It should be that simple.  If AIRVPN gives me an account and I can mock it up here, then maybe you can file a bug report if you do the same thing and it doesn't work in 2.2.

                                    • Derelict (LAYER 8 Netgate)

                                      AIRVPN just sent a 3-day coupon to me.  I don't want to start the clock until I know you still need help with this.  Do you?

                                      • Wolf666

                                        @Derelict:

                                        AIRVPN just sent a 3-day coupon to me.  I don't want to start the clock until I know you still need help with this.  Do you?

                                        Hi Derelict,

                                        Yes, I am still not able to make it work; I have also started a packet capture and am reading the output in Wireshark.

                                        Again, I confirm that port forwarding on the clear net side (WAN) is working pretty well.

                                        • kejianshi

                                          "My VPN provider (AIRVPN) offers port forwarding (also a DDNS service), basically offering their public ip and port to redirecting traffic to AIRVPN servers internal address and then go via tunnel to my clients."

                                          So: 1 public IP at the VPN service provider and many potential clients to possibly NAT that 1 port to?

                                          So what if in the highly unlikely (very likely) event that 10 customers all want port 25?  or 80?  or 443?

                                          Then what?

                                          • Wolf666

                                            Each customer of AirVPN has 20 ports assigned on a random basis, so it is impossible that 2 customers share the same port.

                                            Ref.: https://airvpn.org/faq/port_forwarding/

                                            BTW that solution has been working for 1 year with my WNDR37000 (openWRT) and R7000 (DD-WRT).

                                            Now, I think my setup in pfSense is conflicting with the bug still open in 2.2Beta; I am using 2 subnets, one dedicated to VPN only, with its own dedicated gateway.
