Netgate Discussion Forum

    Port forwarding to clients of pfSense Remote Access Server

    • sasha

      Hello,

      I have pfSense as OpenVPN Remote Access Server with interfaces WAN, LAN (172.20.0.1), OPT1 (openvpn). OpenVPN tunnel network is 10.0.0.0/24.

      OpenVPN clients connect fine and they can see each other (and connect to each other's ports), testing ports from pfSense to OpenVPN clients works. All client traffic is routed through pfSense. But I cannot forward ports from WAN to OpenVPN clients.

      For example for OpenVPN Client with IP 10.0.0.2, what I tried is (not all at once but as separate cases):

      • added port forwarding, WAN:2020 to 10.0.0.2:22 with rule option PASS
      • added port forwarding, WAN:2020 to 10.0.0.2:22 with rule option Add associated firewall rule
      • added port forwarding, WAN:2020 to 10.0.0.2:22 without rule and added pass rule for WAN:2020 in firewall

      Other OpenVPN clients and pfSense can connect to 10.0.0.2:22, telnet to WAN:2020 did not get through in any of aforementioned cases.

      So, what's the trick? :)

      BR,
      Sasha

      • viragomann

        Check if pfSense has added an outbound NAT rule for the OVPN subnet to WAN interface, if you use automatic outbound rule generation. If you use manual you have to add the rule manually, of course.

        Also ensure that the client's software firewall doesn't block the access from unknown subnets.

        • sasha

          Yes, pfSense added NAT rule for OVPN subnet to WAN interface.

          Client's firewall allows traffic from OVPN tunnel network and pfSense LAN. For example port test from pfSense to client's SSH port is working.

          Here are NAT rules that are now in place and firewall rules.

          • viragomann

            Okay, I see one additional possible reason for this behaviour: the client uses another upstream gateway. So requests come through the vpn to the client, but responses are sent to its default gateway and will be blocked there.
            You can resolve this either by checking "Redirect gateway" in the server settings to direct the whole client traffic over the vpn (you can also do this just for this one client with client specific overrides) or you do outbound NAT for the traffic forwarded to this client and translate the source address to the interface IP. The latter has the disadvantage that the client doesn't see the original IP address.

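The return-path problem described in the last reply, modelled as an added example that is not part of the original thread: a longest-prefix-match lookup on the VPN client's routing table shows which interface the reply to a forwarded connection leaves on. The interface names (`eth0`, `tun0`), the client's local LAN, the internet host `203.0.113.50`, pfSense's tunnel address `10.0.0.1` and the two half-default routes used to model "Redirect gateway" are assumptions; only the tunnel network 10.0.0.0/24 comes from the thread.

```python
import ipaddress

def egress(routes, dst):
    """Longest-prefix match: interface on which a packet to dst leaves."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(prefix), dev) for prefix, dev in routes]
    matches = [(net, dev) for net, dev in nets if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def forwarded_reply_ok(routes, source_seen_by_client, arrived_on="tun0"):
    """The forwarded SYN arrived through the tunnel. The connection only
    works if the reply to the source address leaves the same way."""
    return egress(routes, source_seen_by_client) == arrived_on

# Constructed routing table of OpenVPN client 10.0.0.2 (assumed names/values).
BASE = [
    ("0.0.0.0/0", "eth0"),       # client's own upstream default gateway
    ("192.168.1.0/24", "eth0"),  # client's local LAN (constructed)
    ("10.0.0.0/24", "tun0"),     # OpenVPN tunnel network from the thread
]

# "Redirect gateway" modelled as two /1 routes that beat the /0 default
# (assumption about how the option is applied on the client).
REDIRECT = BASE + [("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0")]

INTERNET_HOST = "203.0.113.50"   # constructed host connecting to WAN:2020
PFSENSE_TUN_IP = "10.0.0.1"      # assumed pfSense address inside the tunnel

def scenarios():
    return {
        # Port forward only: client sees the real source, replies via eth0.
        "port forward only": forwarded_reply_ok(BASE, INTERNET_HOST),
        # Redirect gateway: every destination is routed into the tunnel.
        "redirect gateway": forwarded_reply_ok(REDIRECT, INTERNET_HOST),
        # Outbound NAT towards the client: source becomes the tunnel IP,
        # so the reply stays in the tunnel but the original IP is hidden.
        "outbound NAT to tunnel IP": forwarded_reply_ok(BASE, PFSENSE_TUN_IP),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28} reply returns via tunnel: {ok}")
```

The third case also covers the port test run from pfSense itself: its source address is inside 10.0.0.0/24, so the reply stays in the tunnel even when forwarded WAN traffic fails.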
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.