Routing traffic through OpenVPN tunnel
-
What you're missing here is an outbound NAT rule (SNAT, the last one of the iptables rules).
You have to set this in Firewall > NAT > Outbound.
The rule generation mode has to be set to automatic or hybrid and saved. Then add a new rule with interface=OpenVPN, destination=192.168.3.0/24, translation=interface address.
-
Thanks.
Do I still have to specify any port forward rules?
I want to forward www.foo.com:8088 to 192.168.3.100:8088.
-
Yes, the port forwarding is DNAT.
You need a rule for any port or any port range you want to forward to the other site. However, you don't need additional outbound NAT rules for other port forwardings.
-
Sorry, I'm really new to this, so please let me know if this is OK.
I've attached screenshots. With this, accessing www.foo.com:8088 doesn't work.
1. Set up Outbound NAT on OpenVPN
2. Set up a port forward for 8088 to go to the 192.168.3.50 IP
3. Set up a firewall rule
-
In the port forwarding rule the destination is any. I've never set up a rule with this. Try WAN address instead.
-
Tried, but no luck. Thanks anyway.
-
You need an OpenVPN assigned interface at the 192.168.3 side.
Then you need to make sure the rules passing traffic into that firewall do not match on the OpenVPN tab but instead match on the assigned interface tab.
That will give you the reply-to functionality that will prevent reply traffic from being sent out the default gateway at that end, instead routing it back through the OpenVPN tunnel.
https://forum.pfsense.org/index.php?topic=82732.msg453269#msg453269
-
For a n00b like me, this is a bit complicated. Sorry about that.
I have a Tomato Shibby running on the 192.168.3.0 side.
Can you please help me and explain what you mean by "You need an OpenVPN assigned interface at the 192.168.3 side"?
I will however go through your link. I guess you are assuming that I have another pfSense on the other end too?
PS: I earlier had this entire setup working with two Tomato Shibbys on either end, connected over tinc. All I had to do was add some iptables rules for tinc and it worked great. These are the iptables rules I had:
iptables -A wanin -d 192.168.3.50/32 -p tcp -m tcp --dport 8088 -j ACCEPT
iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 8088 -j DNAT --to-destination 192.168.3.50:8088
iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8088 -o tinc -j SNAT --to 192.168.11.1
PS2: The 192.168.3.0 network is behind a double NAT. The ISP provides only a NATed IP and not a public one. So I set up an OpenVPN site-to-site tunnel with the server running on pfSense with a public IP at home and the OpenVPN client connecting to it.
-
Pointed you to a recipe in that other post for exactly what you want to do. Not really interested in what worked in iptables since that is pretty much irrelevant in pfSense.
If tomato worked for you why not just run that?
-
I could go back to Tomato but wanted to have a more secure setup on one end.
Thank you for your help anyway. I was looking for a more step-by-step idea.
I mentioned iptables just as a reference.
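As an added example that is not part of this thread, here is the iptables version of the three pieces discussed above (filter accept, DNAT port forward, SNAT on the tunnel interface) written as a parameterised script, so the reason for the SNAT rule is visible: it makes the far side answer back through the tunnel instead of its own default gateway, which is the same asymmetric-routing problem the reply-to advice in the earlier reply addresses. The interface names (eth0, tun0), the tunnel address and the chain names are assumed sample values, not taken from either router; the script prints the rules and only applies them when APPLY=1.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the iptables rules for a
# port forward across a site-to-site tunnel. All values below are
# constructed defaults; override them in the environment.
WAN_IF="${WAN_IF:-eth0}"             # assumed WAN interface name
WAN_PORT="${WAN_PORT:-8088}"
LAN_HOST="${LAN_HOST:-192.168.3.50}"
LAN_PORT="${LAN_PORT:-8088}"
TUN_IF="${TUN_IF:-tun0}"             # assumed tunnel interface name
TUN_ADDR="${TUN_ADDR:-192.168.11.1}" # this side's address on the tunnel

# Print the rule as a command line; execute it only when APPLY=1.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

forward_rules() {
    # 1. Filter: allow the forwarded flow out through the tunnel, and the
    #    replies of established flows back in.
    rule -A FORWARD -o "$TUN_IF" -d "$LAN_HOST/32" -p tcp --dport "$LAN_PORT" -j ACCEPT
    rule -A FORWARD -i "$TUN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. DNAT: rewrite packets arriving on WAN for WAN_PORT to the host
    #    behind the tunnel (the pfSense "port forward").
    rule -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$WAN_PORT" -j DNAT --to-destination "$LAN_HOST:$LAN_PORT"
    # 3. SNAT: packets leaving via the tunnel get this side's tunnel address
    #    as source, so the far end routes its replies back through the tunnel
    #    rather than out its default gateway (the pfSense "outbound NAT").
    rule -t nat -A POSTROUTING -o "$TUN_IF" -d "$LAN_HOST/32" -p tcp --dport "$LAN_PORT" -j SNAT --to-source "$TUN_ADDR"
}

forward_rules
```

Run it once without APPLY to review the generated rules, then with APPLY=1 as root on the router that terminates the tunnel.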