Port forwarding help needed from Wolf666
-
Here are the states:
AIRVPN_WAN udp 192.168.2.10:9091 (10.4.102.214:9091) <- 95.211.138.143:47494 NO_TRAFFIC:SINGLE
VPN udp 95.211.138.143:47494 -> 192.168.2.10:9091 SINGLE:NO_TRAFFIC
-
I'm confused now. Is this TCP or UDP traffic you're trying to forward? When you tried it that time, were there any firewall log hits?
-
Sorry, it was midnight in Italy... and I caused some confusion. My goal is to forward both TCP/UDP as suggested by AirVPN. I did that in the past with iptables.
Back to the problem
Settings:
PF
AIRVPN_WAN TCP/UDP * * AIRVPN_WAN address 9091 192.168.2.10 9091
Firewall (AIRVPN_WAN Tab):
IPv4 TCP/UDP * * 192.168.2.10 9091 AIRVPN_WAN none
Firewall LOG
PASS - Oct 16 20:49:08 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:36454 192.168.2.10:9091 TCP:S
PASS - Oct 16 20:48:55 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:50755 192.168.2.10:9091 UDP
BLOCK - Oct 16 20:50:41 VPN Default deny rule IPv4 (1000000101) 192.168.2.10:9091 95.211.138.143:36454 TCP:SA
BLOCK - Oct 16 20:49:53 Direction=OUT WAN Default deny rule IPv4 (1000000102) 192.168.2.10:9091 95.211.138.143:36454 TCP:SA
State
AIRVPN_WAN udp 192.168.2.10:9091 (10.4.102.214:9091) <- 95.211.138.143:47494 NO_TRAFFIC:SINGLE
VPN udp 95.211.138.143:47494 -> 192.168.2.10:9091 SINGLE:NO_TRAFFIC
-
Can it be related to this bug: https://redmine.pfsense.org/issues/3760 ?
I am using 2.2Beta (16OCT)
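
An added example, not part of the original post: a short Python script that pairs each blocked packet in the firewall log above with the passed inbound packet it answers, which makes the blocked SYN-ACK replies easy to spot. The log lines are copied from the post; the regular expression is an assumption fitted to the layout of those pasted lines, not to pfSense's raw filter log format.

```python
import re

# Log lines copied from the post above.
LOG = """\
PASS - Oct 16 20:49:08 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:36454 192.168.2.10:9091 TCP:S
PASS - Oct 16 20:48:55 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:50755 192.168.2.10:9091 UDP
BLOCK - Oct 16 20:50:41 VPN Default deny rule IPv4 (1000000101) 192.168.2.10:9091 95.211.138.143:36454 TCP:SA
BLOCK - Oct 16 20:49:53 Direction=OUT WAN Default deny rule IPv4 (1000000102) 192.168.2.10:9091 95.211.138.143:36454 TCP:SA
"""

# Assumption: pattern fitted to the pasted layout above
# (action, date, optional direction, interface, rule text, rule id, src, dst, proto[:flags]).
LINE = re.compile(
    r"^(PASS|BLOCK) - \w{3} \d+ [\d:]+ (?:Direction=OUT )?(\S+) "
    r"(.*?) \(\d+\) (\S+) (\S+) (\w+)(?::(\w+))?$"
)

def blocked_replies(log_text):
    """Return blocked packets whose src/dst are the reverse of a passed inbound flow."""
    events = [m.groups() for m in map(LINE.match, log_text.splitlines()) if m]
    # Pass 1: remember which interface passed each inbound flow.
    # Two passes are used because the pasted log is not in time order.
    passed = {(proto, src, dst): iface
              for action, iface, _rule, src, dst, proto, _flags in events
              if action == "PASS"}
    findings = []
    # Pass 2: a BLOCK with swapped endpoints is the reply to a passed flow.
    for action, iface, rule, src, dst, proto, flags in events:
        inbound_if = passed.get((proto, dst, src))
        if action == "BLOCK" and inbound_if is not None:
            findings.append({
                "flow": f"{dst} -> {src} {proto}",
                "passed_in_on": inbound_if,
                "reply_blocked_on": iface,
                "reply_flags": flags,
                "blocking_rule": rule,
            })
    return findings

if __name__ == "__main__":
    for f in blocked_replies(LOG):
        print(f"{f['flow']}: passed in on {f['passed_in_on']}, "
              f"reply ({f['reply_flags']}) blocked on {f['reply_blocked_on']} "
              f"by '{f['blocking_rule']}'")
```
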
-
I had no idea this was 2.2. Sorry. Can't help with that. There's a 2.2 feedback and problems thread for 2.2 feedback. I don't know if it's a problem or if there's something misconfigured, but I'm staying away from 2.2, no time.
-
Thank you for your time.
-
If you refer to the document in https://forum.pfsense.org/index.php?topic=82944.msg454035#msg454035 I created a connection to VPNBOOK on pfSense A and successfully made Host B1 egress to the internet via OpenVPN to pfSense A then out the VPNBOOK connection. Everything "just worked" as expected.
Unfortunately, I can't build your specific config because I don't have a VPN provider that will give me a port forward. I have asked airvpn for a trial account.
-
Should be a simple problem:
Once I have the remote AirVPN Server NAT ready, I have a real AIRVPN_Public_IP; any hit to AIRVPN_Public_IP:port is NAT'd to the internal AIRVPN_IP:port, and that traffic should go straight inside the tunnel toward the end point of my pfSense AIRVPN_WAN IP (same as AIRVPN_IP:port).
That said, my only action in pfSense should be a simple NAT to MyClient_IP:port, and let pfSense make the automatic firewall rule.
-
You're right. It should be that simple. If AIRVPN gives me an account and I can mock it up here, then maybe you can file a bug report if you do the same thing and it doesn't work in 2.2.
-
AIRVPN just sent a 3-day coupon to me. I don't want to start the clock until I know you still need help with this. Do you?
-
Hi Derelict,
Yes, I am still not able to make it work. I have also started a packet capture and am reading the output in Wireshark.
Again, I confirm that port forwarding on the clear-net side (WAN) is working pretty well.
-
"My VPN provider (AIRVPN) offers port forwarding (also a DDNS service), basically offering their public IP and port to redirect traffic to AIRVPN servers' internal address and then go via tunnel to my clients."
So, 1 public IP at the VPN service provider and many potential clients to possibly NAT that 1 port to?
So what if, in the highly unlikely (very likely) event, 10 customers all want port 25? Or 80? Or 443?
Then what?
-
Each customer of AirVPN has 20 ports assigned on a random basis; it is impossible that 2 customers share the same port.
Ref.: https://airvpn.org/faq/port_forwarding/
BTW that solution has been working for 1 year with my WNDR37000 (openWRT) and R7000 (DD-WRT).
Now, I think my setup in pfSense is conflicting with the bug still open in 2.2Beta: I am using 2 subnets, one dedicated to VPN only, with its dedicated gateway.
-
That would do it. I was just wondering if there would be some sort of first come first served policy for the ports.
-
Are you using manual outbound NAT?
-
Yes.
2 rules:
1 to route LAN to WAN
2 to route VPN (OPT1) to AIRVPN_WAN
I also have firewall rules consistent with my setup. Everything is working pretty fine; port forwarding from WAN (clear internet) is also working.
-
Let's say, just for instance, that you have a specific machine on the LAN and you want ALL of its outbound traffic to go out over the VPN.
You could make that happen with manual outbound NAT.
So, as a for instance, if traffic was forwarded from your VPN into pfSense and on to a server on your LAN, and you want outbound traffic to exit on the same interface it came in on: if manual outbound NAT for that machine's IP was set to your AIRVPN_WAN instead of your WAN, all the traffic should go out over the VPN. That rule should be at the top.
I've done this with pfSense before, but not with 2.2, so it seems like it should work, but I'm not 100% sure.
If you wish to try, back up your settings first so it's easy to go back if you don't like the results.
-
I use manual outbound NAT and it is working. I know there is a bug in 2.2Beta related to routing with several gateways.
-
That's quite a bug…
-
ref:
https://forum.pfsense.org/index.php?topic=80607.0
https://redmine.pfsense.org/issues/3760