Port Forward over VPN interface?

Derelict · Aug 12, 2015, 4:58 AM

Dude.

Precisely what is the problem you're having? You've gotten so clicky clicky putting who knows what where it's impossible at this point to make a simple recommendation.

Start over.

Get the VPN up.

Get the traffic you want routed out the VPN going out the VPN.

Get the port forward working.

JimPhreak · Aug 12, 2015, 5:03 AM

@Derelict:

Dude.

Precisely what is the problem you're having? You've gotten so clicky clicky putting who knows what where it's impossible at this point to make a simple recommendation.

Start over.

Get the VPN up.

Get the traffic you want routed out the VPN going out the VPN.

Get the port forward working.

I haven't been clicky clicky at all. In fact I have just a few firewall rules in place at all other than the standard allow trusted LANs to any rules. I've got my VPN up and I've got all traffic from the AIRVPN_LAN network routing out the AIRVPN_WAN interface. So I'm pretty much back where I started at the beginning of this thread in trying to determine why when traffic enters the AIRVPN_WAN interface it can't seem to get back out.

Derelict · Aug 12, 2015, 5:11 AM

What do you mean "get back out?"

I say again, what specific problem are you having? be specific, use IP addresses, interfaces, and rules. Specific sources, destinations, and expected behavior.

JimPhreak · Aug 12, 2015, 5:41 AM

@Derelict:

What do you mean "get back out?"

I say again, what specific problem are you having? be specific, use IP addresses, interfaces, and rules. Specific sources, destinations, and expected behavior.

I have the following NAT rules configured:

I've configured port forwarding of port 32400 with my VPN provider. When I do a port forwarding test from a website I get the following passes in the firewall:

However the tests fail because I "believe" (though you clearly have me doubting I'm right now) that somehow the traffic isn't getting back out of my network after coming in the AIRVPN_WAN interface.

Derelict · Aug 12, 2015, 6:52 AM

From that it looks like the target NAT host isn't responding. Or is responding out another gateway.

https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

Look at - REALLY LOOK AT - every item - REALLY EVERY ITEM - in that troubleshooting list. Did I say REALLY LOOK AT? REALLY! LOOK AT EVERY ONE!

doktornotor · Aug 12, 2015, 6:54 AM

Why it is limited to TCP? Because it's default?

JimPhreak · Aug 12, 2015, 3:13 PM

@Derelict:

From that it looks like the target NAT host isn't responding. Or is responding out another gateway.

https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

Look at - REALLY LOOK AT - every item - REALLY EVERY ITEM - in that troubleshooting list. Did I say REALLY LOOK AT? REALLY! LOOK AT EVERY ONE!

If I put the host in my LAN and port forward over my regular WAN connection the host responds fine and the port forward works so it's not a configuration issue with the host. It has to be something I'm doing wrong on the firewall side so I'll review each item on that list this evening and see what I come up with.

@doktornotor:

Why it is limited to TCP? Because it's default?

Because that's the port I need forwarded, TCP 32400.

EDIT: Did a quick packet trace sourcing from the host (10.0.100.210) on the AIRVPN_LAN interface right after I attempt to connect the server to Plex. The below results seem to indicate to me that the host is responding.

10:15:39.636277 IP 10.0.100.210.32400 > 54.241.28.69.63725: tcp 0
10:15:40.636885 IP 54.241.28.69.63725 > 10.0.100.210.32400: tcp 0
10:15:40.637447 IP 10.0.100.210.32400 > 54.241.28.69.63725: tcp 0
10:15:41.745758 IP 10.0.100.210.32400 > 54.241.28.69.63725: tcp 0
10:15:42.642933 IP 54.241.28.69.63725 > 10.0.100.210.32400: tcp 0
10:15:42.643499 IP 10.0.100.210.32400 > 54.241.28.69.63725: tcp 0

Here is the packet capture on the AIRVPN_WAN interface looking for port 32400. Nothing is coming back out the AIRVPN WAN

11:04:55.974390 IP 54.176.213.193.54900 > 10.4.24.119.32400: tcp 0
11:04:59.029009 IP 54.176.213.193.54900 > 10.4.24.119.32400: tcp 0

And here is the packet capture on my regular WAN looking for port 32400.

11:06:11.939126 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
11:06:12.940138 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
11:06:13.940484 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
11:06:14.944159 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
11:06:17.340642 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0

For reference, 10.0.100.210 is the host I'm trying to forward port 32400 to and 10.4.24.119 is the virtual address of my OpenVPN client connection to my VPN service.

Derelict · Aug 12, 2015, 2:49 PM

@Derelict:

From that it looks like the target NAT host isn't responding. Or is responding out another gateway.

Rereading my post, you can't tell any of that from those firewall logs. All that shows is the port is actually being forwarded to you and your NAT translation / firewall rule is correct.

What you need is a packet capture on AIRVPN_LAN for port 32400.

JimPhreak · Aug 12, 2015, 2:50 PM

@Derelict:

@Derelict:

From that it looks like the target NAT host isn't responding. Or is responding out another gateway.

Rereading my post, you can't tell any of that from those firewall logs. All that shows is the port is actually being forwarded to you and your NAT translation / firewall rule is correct.

What you need is a packet capture on AIRVPN_LAN for port 32400.

Haha, funny timing. Check the edit on my above post.

JimPhreak · Aug 12, 2015, 9:11 PM

OK finally got a chance to review the packet captures I posted earlier today.

So what I'm seeing (during these tests) is that packets are coming in the AIRVPN_WAN interface but nothing is coming back out. It appears the packets are going out my regular WAN interface during these tests.

However if I do a test by starting a ping directly from the host (10.0.100.210) while doing a packet capture I see the data going out the AIRVPN_WAN interface properly and nothing going out the WAN.

I see what's happening, but unfortunately don't have a clue why it's happening. If packets originating from the AIVPN_LAN are going out the AIRVPN_WAN, why wouldn't packets being sent TO the AIRVPN_LAN be routed back out the AIRVPN_WAN?

Derelict · Aug 13, 2015, 4:07 AM

You're going to have to post your interface configs, NAT rules, Port Forwards, Firewall rules. Something isn't making any sense.

You've got some policy routing issues or some NAT issues or both. This makes no sense:

And here is the packet capture on my regular WAN looking for port 32400.

11:06:11.939126 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
11:06:12.940138 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
11:06:13.940484 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
11:06:14.944159 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
11:06:17.340642 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0

10.4.24.119 is the virtual address of my OpenVPN client connection to my VPN service.

pfSense would not be forwarding traffic sourced from your VPN address out WAN unless it was told to do so somehow. And none of the other captures show 184.72.12.38 so where is that coming from?

JimPhreak · Aug 13, 2015, 4:15 AM

@Derelict:

You're going to have to post your interface configs, NAT rules, Port Forwards, Firewall rules. Something isn't making any sense.

You've got some policy routing issues or some NAT issues or both. This makes no sense:

pfSense would not be forwarding traffic sourced from your VPN address out WAN unless it was told to do so somehow. And none of the other captures show 184.72.12.38 so where is that coming from?

Both 54.241.28.69 and 184.72.12.38 is Plex.tv which is where I'm trying to publish my server to.

I will take some SS's of all my configs and hopefully you can spot my error.

Derelict · Aug 13, 2015, 4:56 AM

Right, but there is absolutely no reason for traffic to be directed out WAN with a source address of your OpenVPN client interface.

JimPhreak · Aug 13, 2015, 1:49 PM

@Derelict:

Right, but there is absolutely no reason for traffic to be directed out WAN with a source address of your OpenVPN client interface.

PM'd.

JimPhreak · Aug 17, 2015, 3:37 PM

Just wanted to post and update that my issue has been resolved. With the help of Derelict (huge thanks to you), we were able to determine that my issue was an Any/Any rule on the OpenVPN tab (which has since been removed and replaced with a more strict rule on an interface I created for my home VPN server network) as well as the fact that I had the AIRVPN_WAN gateway selected on my NAT port forward rule instead of leaving it as default.

Now everything is working just like I'd expect. Big thanks again to Derelict who spotted the problem and was patient in working with me.

Bluedragon · Sep 4, 2015, 4:25 AM

Thanks for coming back here to post what was wrong, I was getting much the same issue and seeing the same results in the capture… It was the any/any in the OpenVPN tab.

pfsenseuser1 · Jan 20, 2022, 7:40 PM

@jimphreak

Just wanted to say thank you so much for posting this, even 6 years later I ran into this issue and was banging my head against why I couldnt get something like portchecker.co to report a forwarded port open.

I guess I need to go back and read more on why the any/any on the openvpn interface broke things

FoolCoconut · Nov 21, 2023, 11:43 AM

I seem to be having the literal same issue.

VPN works from the desired VM. Outbound packets work properly, but it seems inbound packets are not being properly routed back through AIRVPN_WAN.

Can anyone provide a more detailed solution?

I don't have no any/any rules, only a single rule (created automatically by nat) in the AIRVPN_WAN that allows any tcp/udp to the VM with the port I want exposed.