Netgate Discussion Forum

Port Forward over VPN interface?

NAT
    Derelict LAYER 8 Netgate
    last edited by Aug 12, 2015, 4:58 AM

    Dude.

    Precisely what is the problem you're having?  You've gotten so clicky clicky putting who knows what where it's impossible at this point to make a simple recommendation.

    Start over.

    Get the VPN up.

    Get the traffic you want routed out the VPN going out the VPN.

    Get the port forward working.

    Chattanooga, Tennessee, USA
    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
    Do Not Chat For Help! NO_WAN_EGRESS(TM)

      JimPhreak
      last edited by Aug 12, 2015, 5:03 AM

      @Derelict:

      Dude.

      Precisely what is the problem you're having?  You've gotten so clicky clicky putting who knows what where it's impossible at this point to make a simple recommendation.

      Start over.

      Get the VPN up.

      Get the traffic you want routed out the VPN going out the VPN.

      Get the port forward working.

      I haven't been clicky clicky at all.  In fact I have just a few firewall rules in place at all other than the standard allow trusted LANs to any rules.  I've got my VPN up and I've got all traffic from the AIRVPN_LAN network routing out the AIRVPN_WAN interface.  So I'm pretty much back where I started at the beginning of this thread in trying to determine why when traffic enters the AIRVPN_WAN interface it can't seem to get back out.

        Derelict LAYER 8 Netgate
        last edited by Aug 12, 2015, 5:11 AM

        What do you mean "get back out?"

        I say again, what specific problem are you having?  Be specific, use IP addresses, interfaces, and rules.  Specific sources, destinations, and expected behavior.


          JimPhreak
          last edited by Aug 12, 2015, 5:41 AM

          @Derelict:

          What do you mean "get back out?"

          I say again, what specific problem are you having?  Be specific, use IP addresses, interfaces, and rules.  Specific sources, destinations, and expected behavior.

          I have the following NAT rules configured:

          I've configured port forwarding of port 32400 with my VPN provider.  When I do a port forwarding test from a website I get the following passes in the firewall:

          However the tests fail because I "believe" (though you clearly have me doubting I'm right now) that somehow the traffic isn't getting back out of my network after coming in the AIRVPN_WAN interface.

            Derelict LAYER 8 Netgate
            last edited by Aug 12, 2015, 6:52 AM

            From that it looks like the target NAT host isn't responding.  Or is responding out another gateway.

            https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

            Look at - REALLY LOOK AT - every item - REALLY EVERY ITEM - in that troubleshooting list.  Did I say REALLY LOOK AT?  REALLY!  LOOK AT EVERY ONE!


              doktornotor Banned
              last edited by Aug 12, 2015, 6:54 AM

              Why is it limited to TCP? Because it's the default?

                JimPhreak
                last edited by Aug 12, 2015, 3:13 PM Aug 12, 2015, 1:27 PM

                @Derelict:

                From that it looks like the target NAT host isn't responding.  Or is responding out another gateway.

                https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                Look at - REALLY LOOK AT - every item - REALLY EVERY ITEM - in that troubleshooting list.  Did I say REALLY LOOK AT?  REALLY!  LOOK AT EVERY ONE!

                If I put the host in my LAN and port forward over my regular WAN connection the host responds fine and the port forward works so it's not a configuration issue with the host.  It has to be something I'm doing wrong on the firewall side so I'll review each item on that list this evening and see what I come up with.

                @doktornotor:

                Why is it limited to TCP? Because it's the default?

                Because that's the port I need forwarded, TCP 32400.

                EDIT: Did a quick packet trace sourcing from the host (10.0.100.210) on the AIRVPN_LAN interface right after I attempt to connect the server to Plex.  The below results seem to indicate to me that the host is responding.

                10:15:39.636277 IP 10.0.100.210.32400 > 54.241.28.69.63725: tcp 0
                10:15:40.636885 IP 54.241.28.69.63725 > 10.0.100.210.32400: tcp 0
                10:15:40.637447 IP 10.0.100.210.32400 > 54.241.28.69.63725: tcp 0
                10:15:41.745758 IP 10.0.100.210.32400 > 54.241.28.69.63725: tcp 0
                10:15:42.642933 IP 54.241.28.69.63725 > 10.0.100.210.32400: tcp 0
                10:15:42.643499 IP 10.0.100.210.32400 > 54.241.28.69.63725: tcp 0

                Here is the packet capture on the AIRVPN_WAN interface looking for port 32400.  Nothing is coming back out the AIRVPN_WAN.

                11:04:55.974390 IP 54.176.213.193.54900 > 10.4.24.119.32400: tcp 0
                11:04:59.029009 IP 54.176.213.193.54900 > 10.4.24.119.32400: tcp 0

                And here is the packet capture on my regular WAN looking for port 32400.

                11:06:11.939126 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
                11:06:12.940138 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
                11:06:13.940484 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
                11:06:14.944159 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
                11:06:17.340642 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0

                For reference, 10.0.100.210 is the host I'm trying to forward port 32400 to and 10.4.24.119 is the virtual address of my OpenVPN client connection to my VPN service.

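The three captures in the post above show the symptom Derelict later points at: connections arrive on AIRVPN_WAN, the host on AIRVPN_LAN answers, and the replies leave WAN carrying AIRVPN_WAN's own address. The script below is an added example, not code from this thread or from pfSense. It parses capture lines in the format pfSense's packet capture prints and runs two checks that work for any pair of interfaces, not only this one: packets leaving an interface with a source address that belongs to a different interface, and inbound connections on an interface that never receive a reply on that same interface. The capture text is quoted from the posts above; the WAN public address is not in the thread, so 198.51.100.10 is a documentation-range placeholder.

```python
import re

# One tcpdump-style line as pfSense's Diagnostics > Packet Capture prints it:
# "HH:MM:SS.usec IP src.sport > dst.dport: proto length"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<proto>\w+)"
)


def parse_capture(text):
    """Parse capture output into packet dicts; lines that don't match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append({
                "ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]), "proto": m["proto"],
            })
    return packets


def foreign_source_egress(captures, iface_addrs):
    """Packets seen on an interface whose source address belongs to a different
    interface. On pfSense that is the signature of reply traffic that was routed
    by the default route (or a policy-routing gateway) instead of reply-to."""
    owner_of = {addr: iface for iface, addr in iface_addrs.items()}
    findings = []
    for iface, packets in captures.items():
        for p in packets:
            owner = owner_of.get(p["src"])
            if owner and owner != iface:
                findings.append({"ts": p["ts"], "iface": iface, "src": p["src"],
                                 "owner": owner, "dst": p["dst"]})
    return findings


def unanswered_inbound(captures, iface, local_addr, port):
    """Remote (addr, port) peers that sent packets to local_addr:port on iface
    and for which no reply (local_addr:port -> peer) was seen on the same iface."""
    packets = captures.get(iface, [])
    inbound = {(p["src"], p["sport"]) for p in packets
               if p["dst"] == local_addr and p["dport"] == port}
    replied = {(p["dst"], p["dport"]) for p in packets
               if p["src"] == local_addr and p["sport"] == port}
    return inbound - replied


# Capture excerpts quoted from the thread, keyed by the interface they were taken on.
CAPTURES = {
    "AIRVPN_LAN": parse_capture("""
10:15:39.636277 IP 10.0.100.210.32400 > 54.241.28.69.63725: tcp 0
10:15:40.636885 IP 54.241.28.69.63725 > 10.0.100.210.32400: tcp 0
10:15:40.637447 IP 10.0.100.210.32400 > 54.241.28.69.63725: tcp 0
10:15:42.642933 IP 54.241.28.69.63725 > 10.0.100.210.32400: tcp 0
"""),
    "AIRVPN_WAN": parse_capture("""
11:04:55.974390 IP 54.176.213.193.54900 > 10.4.24.119.32400: tcp 0
11:04:59.029009 IP 54.176.213.193.54900 > 10.4.24.119.32400: tcp 0
"""),
    "WAN": parse_capture("""
11:06:11.939126 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
11:06:12.940138 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
11:06:13.940484 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
11:06:14.944159 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
11:06:17.340642 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
"""),
}

# 10.4.24.119 is stated in the thread; the WAN public address is not, so the
# 198.51.100.10 value is a placeholder from the documentation range.
IFACE_ADDRS = {"AIRVPN_WAN": "10.4.24.119", "WAN": "198.51.100.10"}


def report(captures=CAPTURES, iface_addrs=IFACE_ADDRS):
    """Run both checks; returns (misrouted egress packets, unanswered AIRVPN_WAN peers)."""
    leaks = foreign_source_egress(captures, iface_addrs)
    missing = unanswered_inbound(captures, "AIRVPN_WAN", iface_addrs["AIRVPN_WAN"], 32400)
    return leaks, missing


if __name__ == "__main__":
    leaks, missing = report()
    for f in leaks:
        print(f"{f['ts']} {f['iface']}: source {f['src']} belongs to {f['owner']} -> {f['dst']}")
    for addr, port in sorted(missing):
        print(f"AIRVPN_WAN: no reply seen to {addr}:{port} on port 32400")
```

Run against the thread's captures it reports five WAN packets sourced from AIRVPN_WAN's address and one peer (54.176.213.193:54900) that got no reply on AIRVPN_WAN, while the AIRVPN_LAN capture is symmetric, which is the split Derelict describes: the host answers, the firewall sends the answer out the wrong interface. In practice, paste the per-interface output of Diagnostics > Packet Capture into the corresponding entries and fill in the real interface addresses.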
                  Derelict LAYER 8 Netgate
                  last edited by Aug 12, 2015, 2:49 PM

                  @Derelict:

                  From that it looks like the target NAT host isn't responding.  Or is responding out another gateway.

                  Rereading my post, you can't tell any of that from those firewall logs.  All that shows is the port is actually being forwarded to you and your NAT translation / firewall rule is correct.

                  What you need is a packet capture on AIRVPN_LAN for port 32400.


                    JimPhreak
                    last edited by Aug 12, 2015, 2:50 PM

                    @Derelict:

                    @Derelict:

                    From that it looks like the target NAT host isn't responding.  Or is responding out another gateway.

                    Rereading my post, you can't tell any of that from those firewall logs.  All that shows is the port is actually being forwarded to you and your NAT translation / firewall rule is correct.

                    What you need is a packet capture on AIRVPN_LAN for port 32400.

                    Haha, funny timing.  Check the edit on my above post.

                      JimPhreak
                      last edited by Aug 12, 2015, 9:11 PM

                      OK finally got a chance to review the packet captures I posted earlier today.

                      So what I'm seeing (during these tests) is that packets are coming in the AIRVPN_WAN interface but nothing is coming back out.  It appears the packets are going out my regular WAN interface during these tests.

                      However if I do a test by starting a ping directly from the host (10.0.100.210) while doing a packet capture I see the data going out the AIRVPN_WAN interface properly and nothing going out the WAN.

                      I see what's happening, but unfortunately don't have a clue why it's happening.  If packets originating from the AIRVPN_LAN are going out the AIRVPN_WAN, why wouldn't packets being sent TO the AIRVPN_LAN be routed back out the AIRVPN_WAN?

                        Derelict LAYER 8 Netgate
                        last edited by Aug 13, 2015, 4:07 AM

                        You're going to have to post your interface configs, NAT rules, Port Forwards, Firewall rules.  Something isn't making any sense.

                        You've got some policy routing issues or some NAT issues or both.  This makes no sense:

                        And here is the packet capture on my regular WAN looking for port 32400.

                        11:06:11.939126 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
                        11:06:12.940138 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
                        11:06:13.940484 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
                        11:06:14.944159 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0
                        11:06:17.340642 IP 10.4.24.119.32400 > 184.72.12.38.25297: tcp 0

                        10.4.24.119 is the virtual address of my OpenVPN client connection to my VPN service.

                        pfSense would not be forwarding traffic sourced from your VPN address out WAN unless it was told to do so somehow.  And none of the other captures show 184.72.12.38 so where is that coming from?


                          JimPhreak
                          last edited by Aug 13, 2015, 4:15 AM

                          @Derelict:

                          You're going to have to post your interface configs, NAT rules, Port Forwards, Firewall rules.  Something isn't making any sense.

                          You've got some policy routing issues or some NAT issues or both.  This makes no sense:

                          pfSense would not be forwarding traffic sourced from your VPN address out WAN unless it was told to do so somehow.  And none of the other captures show 184.72.12.38 so where is that coming from?

                          Both 54.241.28.69 and 184.72.12.38 are Plex.tv, which is where I'm trying to publish my server to.

                          I will take some SS's of all my configs and hopefully you can spot my error.

                            Derelict LAYER 8 Netgate
                            last edited by Aug 13, 2015, 4:56 AM

                            Right, but there is absolutely no reason for traffic to be directed out WAN with a source address of your OpenVPN client interface.


                              JimPhreak
                              last edited by Aug 13, 2015, 1:49 PM

                              @Derelict:

                              Right, but there is absolutely no reason for traffic to be directed out WAN with a source address of your OpenVPN client interface.

                              PM'd.

                                JimPhreak
                                last edited by Aug 17, 2015, 3:37 PM

                                Just wanted to post and update that my issue has been resolved.  With the help of Derelict (huge thanks to you), we were able to determine that my issue was an Any/Any rule on the OpenVPN tab (which has since been removed and replaced with a more strict rule on an interface I created for my home VPN server network) as well as the fact that I had the AIRVPN_WAN gateway selected on my NAT port forward rule instead of leaving it as default.

                                Now everything is working just like I'd expect.  Big thanks again to Derelict who spotted the problem and was patient in working with me.

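Both halves of the fix described in this post can be caught by reading the rule set before touching a capture: a pass-any rule on the OpenVPN tab, which in pfSense is an interface group whose rules are evaluated before the per-interface rules and do not get reply-to, so replies to connections arriving through the AirVPN tunnel follow the default route out WAN; and a gateway set on the firewall rule that belongs to the port forward, which policy-routes the forwarded traffic instead of leaving it to reply-to. The checker below is an added example and not pfSense code. It models rules as plain dicts (a representation assumed for the example, not pfSense's config.xml schema), the gateway name AIRVPN_WAN_VPNV4 is assumed, and the rule sets are constructed to match what the thread describes before and after the fix.

```python
# Rules are modelled as plain dicts for this example; the field names are an
# assumption for the example and not pfSense's config.xml schema.
GROUP_TABS = {"OpenVPN"}  # pfSense's OpenVPN tab is an interface group, not an interface


def audit_rules(rules, group_tabs=GROUP_TABS):
    """Return (rule name, reason) pairs for the two misconfigurations from the thread."""
    findings = []
    for r in rules:
        if r["action"] != "pass":
            continue
        if r["tab"] in group_tabs and r["source"] == "any" and r["destination"] == "any":
            findings.append((r["name"],
                "any/any pass rule on a group tab: it matches traffic arriving on every "
                "OpenVPN instance ahead of the per-interface rules and gets no reply-to, "
                "so replies follow the default route out WAN"))
        if r.get("associated_nat") and r.get("gateway"):
            findings.append((r["name"],
                f"gateway {r['gateway']} set on a port-forward rule: leave it at "
                "default so reply-to returns traffic via the interface it arrived on"))
    return findings


# Constructed rule sets. Interface names and the host address follow the thread;
# the gateway name AIRVPN_WAN_VPNV4 is assumed.
BEFORE_FIX = [
    {"name": "LAN allow", "tab": "LAN", "action": "pass", "proto": "any",
     "source": "LAN net", "destination": "any", "gateway": None, "associated_nat": False},
    {"name": "OpenVPN allow all", "tab": "OpenVPN", "action": "pass", "proto": "any",
     "source": "any", "destination": "any", "gateway": None, "associated_nat": False},
    {"name": "NAT Plex", "tab": "AIRVPN_WAN", "action": "pass", "proto": "tcp",
     "source": "any", "destination": "10.0.100.210", "dest_port": 32400,
     "gateway": "AIRVPN_WAN_VPNV4", "associated_nat": True},
]

AFTER_FIX = [
    BEFORE_FIX[0],
    # The OpenVPN-tab rule is replaced by a tighter rule on a dedicated interface
    # assigned to the home VPN server, as the post describes.
    {"name": "HOMEVPN to LAN", "tab": "HOMEVPN", "action": "pass", "proto": "any",
     "source": "HOMEVPN net", "destination": "LAN net", "gateway": None,
     "associated_nat": False},
    # Same port-forward rule with the gateway left at default.
    {**BEFORE_FIX[2], "gateway": None},
]


if __name__ == "__main__":
    for label, rules in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        findings = audit_rules(rules)
        print(f"{label}: {len(findings)} finding(s)")
        for name, reason in findings:
            print(f"  {name}: {reason}")
```

The pre-fix set yields exactly the two findings the post names and the corrected set yields none. A LAN-tab pass-any rule is deliberately not flagged: the problem is specific to group tabs, where reply-to is unavailable, and to rules tied to a port forward, where a gateway overrides it.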
                                  Bluedragon
                                  last edited by Sep 4, 2015, 4:25 AM

                                  Thanks for coming back here to post what was wrong, I was getting much the same issue and seeing the same results in the capture… It was the any/any in the OpenVPN tab.

                                    pfsenseuser1 @JimPhreak
                                    last edited by pfsenseuser1 Jan 20, 2022, 7:40 PM Jan 20, 2022, 7:37 PM

                                    @jimphreak

                                    Just wanted to say thank you so much for posting this, even 6 years later I ran into this issue and was banging my head against why I couldn't get something like portchecker.co to report a forwarded port open.

                                    I guess I need to go back and read more on why the any/any on the OpenVPN interface broke things.

                                      FoolCoconut @pfsenseuser1
                                      last edited by Nov 21, 2023, 11:43 AM

                                      I seem to be having the literal same issue.

                                      VPN works from the desired VM. Outbound packets work properly, but it seems inbound packets are not being properly routed back through AIRVPN_WAN.

                                      Can anyone provide a more detailed solution?

                                      I don't have any any/any rules, only a single rule (created automatically by NAT) on the AIRVPN_WAN that allows any TCP/UDP to the VM on the port I want exposed.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.