Netgate Discussion Forum
    Problem port forwarding OpenVPN
      bimmerdriver

      Anyone? I'm really stumped by this.

        Derelict (LAYER 8, Netgate)

        I don't get why you are messing about with the local port on the client. Do you have a source port set on your NAT rule on the server side or something?

        That is almost never correct. Source port should be left blank.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          bimmerdriver

          I'm trying to set up a port forwarding rule so the client will reach the server. It's getting blocked, presumably because the port number keeps changing.

            Derelict (LAYER 8, Netgate)

            That's why the source port on your port forward needs to be any.

            Specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any'). The 'to' field may be left empty if only filtering a single port.

            https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

            https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting


              bimmerdriver

              @Derelict:

              That's why the source port on your port forward needs to be any.

              Specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any'). The 'to' field may be left empty if only filtering a single port.

              https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

              https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

              Okay, I have not set the source port. The rule is configured similarly to other port forwarding rules which are working. The destination is WAN with the destination port range being "openvpn". The redirect target IP and port is the IP address of the particular host and "openvpn". As I said, I have other port forwarding rules configured and they are working. In the case of this rule, it's being blocked by the firewall.

                bimmerdriver

                I noticed another thread called Source port rewriting, https://forum.pfsense.org/index.php?topic=118458.0. This sounds like the cause of the problem.

                  Derelict (LAYER 8, Netgate)

                  The source port of an OpenVPN client connection does not matter! (Unless the rule on the server says it matters, which is not the default and not the way it should be configured.)

                  Post the firewall rule, the port forward, and the logs showing it being blocked.


                    bimmerdriver

                    Here are some screen captures.

                    The incoming port number changes every time the client restarts after failing to connect.

                    ![firewall log.PNG](/public/imported_attachments/1/firewall log.PNG)
                    ![firewall rule.PNG](/public/imported_attachments/1/firewall rule.PNG)
                    ![firewall rule 2.PNG](/public/imported_attachments/1/firewall rule 2.PNG)
                    ![NAT rule.PNG](/public/imported_attachments/1/NAT rule.PNG)
                    ![redirect rule.PNG](/public/imported_attachments/1/redirect rule.PNG)

                      Derelict (LAYER 8, Netgate)

                      Dude, your firewall rule is disabled. That's why it's grayed out / translucent. Uncheck the Disable this rule checkbox.


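An added example, not code from the thread or from pfSense, that models the two failure modes discussed above: a port forward whose source port is pinned instead of left at "any", and a pass rule left disabled. `Packet`, `ForwardRule`, `matches`, `diagnose` and `simulate` are constructed for illustration; the client source ports are random ephemeral values, as an OpenVPN client picks a fresh one on each retry.

```python
import random
from dataclasses import dataclass
from typing import Optional

OPENVPN_PORT = 1194  # the port behind pfSense's "openvpn" alias (default UDP 1194)

@dataclass
class Packet:
    proto: str
    src_port: int
    dst_port: int

@dataclass
class ForwardRule:
    """Constructed model of a WAN port forward plus its linked pass rule."""
    proto: str = "udp"
    dst_port: int = OPENVPN_PORT
    src_port: Optional[int] = None   # None means "any" (the recommended value)
    disabled: bool = False           # the "Disable this rule" checkbox

def matches(rule: ForwardRule, pkt: Packet) -> bool:
    """A disabled rule is skipped entirely; otherwise proto and ports must match."""
    if rule.disabled:
        return False
    if pkt.proto != rule.proto or pkt.dst_port != rule.dst_port:
        return False
    return rule.src_port is None or pkt.src_port == rule.src_port

def diagnose(rule: ForwardRule) -> str:
    """Pre-flight check for the two misconfigurations seen in this thread."""
    if rule.disabled:
        return "rule is disabled; every matching packet is logged as blocked"
    if rule.src_port is not None:
        return f"source port pinned to {rule.src_port}; clients use random ephemeral ports"
    return "ok"

def simulate(rule: ForwardRule, attempts: int = 20, seed: int = 1) -> int:
    """Count attempts that get through, each from a fresh ephemeral source port (49152-65535)."""
    rng = random.Random(seed)
    return sum(
        matches(rule, Packet("udp", rng.randint(49152, 65535), OPENVPN_PORT))
        for _ in range(attempts)
    )

if __name__ == "__main__":
    for label, rule in [("source any", ForwardRule()),
                        ("source pinned", ForwardRule(src_port=OPENVPN_PORT)),
                        ("disabled", ForwardRule(disabled=True))]:
        print(f"{label:14s} {simulate(rule):2d}/20 passed  ({diagnose(rule)})")
```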
                        bimmerdriver

                        @Derelict:

                        Dude, your firewall rule is disabled. That's why it's grayed out / translucent. Uncheck the Disable this rule checkbox.

                        ARRRGGGGHHH! That was the problem. I thought it was grayed out because it was automatically created.

                        Thanks!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.