Incoming connection issue when using OpenVPN
-
I'm having a strange issue that I can't seem to solve, so I hope that someone here can help.
I have set up an OpenVPN connection and it is working for outgoing connections, but incoming connections are going out over the wrong interface: they are going out over the default gateway, not the OpenVPN interface.
I have created NAT for the port I expect the data on, and I see the data getting to the computer, but the response is not getting routed correctly.
I have set up outbound NAT for the OpenVPN interface.

Outbound NAT rules:
nat on $VPN from 10.0.80.0/24 to any port 500 -> 10.103.1.6/32 static-port
nat on $VPN from 10.0.80.0/24 to any -> 10.103.1.6/32 port 1024:65535
nat on $VPN from 127.0.0.0/8 to any -> 10.103.1.6/32 port 1024:65535

NAT inbound:
rdr on ovpnc3 proto { tcp udp } from any to 10.103.1.6 port 49534 -> 10.0.80.24

Reflection redirects:
rdr on { lagg0_vlan1 lagg0_vlan102 l2tp enc0 openvpn } proto { tcp udp } from any to 10.103.1.6 port 49534 tag PFREFLECT -> 127.0.0.1 port 19000

Pass rule:
pass in quick on $VPN reply-to ( ovpnc3 10.103.1.5 ) inet proto { tcp udp } from any to 10.0.80.24 port 49534 tracker 1416425303 keep state label "USER_RULE: NAT Torrent"

If I read the line above correctly, it says that it should reply back via the ovpnc3 interface, but it does not; the reply goes over the default gateway.
-
Are there pass rules on the OpenVPN tab that also match the traffic? If so, I believe that will match first and break reply-to. I usually delete all the rules on the OpenVPN tab when I use assigned interfaces.
-
There is only that one rule there.

Rules from the OpenVPN tab; there is only this:
| type | proto | Source | Port | Destination | Port | Gateway | Queue |
| allow | IPv4 TCP/UDP | * | * | 10.0.80.24 | 49534 | * | none |

Rules from the LAN interface that make it select the OpenVPN interface; these are the first rules there:
| type | proto | Source | Port | Destination | Port | Gateway | Queue |
| allow | IPv4 * | 10.0.80.24 | * | ! owennet | * | VPN_VPNV4 | none |
| allow | IPv4 * | 10.0.80.24 | * | owennet | * | * | none |
| deny | IPv4 * | 10.0.80.24 | * | * | * | * | none |
-
I'd ditch that rule and put it on the assigned interface's firewall rule tab instead.
-
I have tried that, but pfSense still selects the wrong interface for reply-to.
-
This stuff works, man. pfSense is only doing what you're telling it to do.
Use the diagram in my sig to detail exactly what you're doing and I'll build it tonight. Please be specific.
-
OK, using your diagram:
pfSense A
connected with 2 WANs, 2 OpenVPNs
connections in/out work OK on WAN
connections work fine from LAN and OPT1
connections going out from OPT1 host A2 are redirected to ovpnc2; works fine
connections coming in from the internet over ovpnc2 to host A2 do not work
port 53 is configured to be redirected to the host; packets are arriving there, but the reply is sent over WAN
I just created that config on my firewall as the only config there and it did not work.
-
You can't NAT on the openvpn tab. It has to be an assigned interface. I don't see ovpnc2 in that firewall output at all.
-
I have tried that today: assigned it to an interface, got the interface up with the IP, still not possible to get traffic in, only out; incoming traffic is still routed back over the default route, not the rule's reply-to.
-
Post screenshots of all your rules.
-
OK, screenshots of all my interfaces and rules coming up.
WAN interface, default gateway
WAN2 interface, in use if the first fails
OpenVPN client 1
nothing forwarded here works; the reply is sent back over the default GW
OpenVPN client 2
same as above
DMZ
NAT
interface assignment
This is the setup I would like to have working, and it was working with pfSense 2 but does not work with 2.2.
-
Please post the rules on the OpenVPN tab.
-
OpenVPN tab
-
Get rid of that. In order to have things like reply-to working, the OpenVPN tab cannot match the traffic. I would just not put any rules on the OpenVPN tab. Put them on the appropriate assigned interface instead.
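To make the advice above concrete, here are the two rule placements side by side in pf syntax. This is an added illustration, not a quote of pfSense's generated ruleset or of anything posted in the thread; the interface names and addresses are taken from the original post (ovpnc3, 10.103.1.6, 10.103.1.5, 10.0.80.24), and the exact text of the rule pfSense writes for an OpenVPN-tab entry is assumed. Only one of the two pass rules would exist in a real ruleset; they are shown together to contrast them.

```pf
# Constructed example (not pfSense's own output). Assumed names/addresses:
#   ovpnc3      = OpenVPN client interface, assigned in pfSense as $VPN
#   10.103.1.6  = tunnel address of ovpnc3, 10.103.1.5 = tunnel gateway
#   10.0.80.24  = LAN host behind the port forward, 49534 = forwarded port

# Port forward: the destination is rewritten before the filter rules run,
# so the pass rules below match on the internal address 10.0.80.24.
rdr on ovpnc3 proto { tcp udp } from any to 10.103.1.6 port 49534 -> 10.0.80.24

# BROKEN placement: a rule on the OpenVPN *group* tab. pfSense evaluates
# floating rules, then interface-group rules, then assigned-interface rules,
# and "quick" stops evaluation at the first match. Group-tab rules are not
# generated with reply-to, so the state is created here without it and the
# return traffic simply follows the routing table, i.e. the default WAN.
pass in quick on openvpn inet proto { tcp udp } from any to 10.0.80.24 port 49534 keep state

# FIXED placement: no rule on the group tab; the rule lives on the assigned
# interface, where pfSense adds reply-to because the interface has a gateway.
# Replies for this state are forced back out ovpnc3 via 10.103.1.5.
pass in quick on ovpnc3 reply-to ( ovpnc3 10.103.1.5 ) inet proto { tcp udp } from any to 10.0.80.24 port 49534 keep state
```

The practical check is `pfctl -sr | grep 49534` after saving the rules: if the first matching pass rule for that port is on the `openvpn` group and lacks `reply-to`, inbound replies will leave via the default gateway regardless of what the assigned-interface rule says.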
-
Note my first post on this thread.
-
So, what's this?
nat on $VPN from 10.0.80.0/24 to any port 500 -> 10.103.1.6/32 static-port
Your IPsec overlaps with OpenVPN. This will never work.
-
Note my first post on this thread.
Thank you, I don't know how I missed that all the times I checked. That rule should of course have a limited source address range; adding that, it works perfectly.
Thank you again.