No UDP port forwarding with OpenVPN client using AirVPN
-
22:10:46.743043 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
22:10:51.739689 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
22:11:01.755341 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
22:11:16.773509 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 113
That is outbound UDP. Inbound would be sourced from 182.73.221.81 dest 192.168.20.125. No UDP is actually arriving from the VPN provider.
Looking again it does not look like you are routing the UDP out the OpenVPN.
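The direction check made in the reply above (source in the local subnet means outbound; nothing sourced from the VPN peer means nothing arrived), as an added example that is not part of the thread. It assumes tcpdump's default one-line output format, which is what the capture pasted in the thread uses; the four sample lines are the ones from the thread, and the single inbound line is constructed to show what a reply from the peer would look like.

```python
"""Classify tcpdump-style capture lines by direction relative to the local
subnet, to answer "is anything actually arriving from the VPN peer?".

Added example; not from the thread. Assumes tcpdump's default one-line
format ("HH:MM:SS.usec IP src.port > dst.port: PROTO, length N").
"""
import ipaddress
import re
from collections import Counter

# One tcpdump line, e.g.
# 22:10:46.743043 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<proto>[A-Za-z]+), length (?P<length>\d+)"
)

# The four lines posted in the thread (outbound only).
THREAD_CAPTURE = [
    "22:10:46.743043 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112",
    "22:10:51.739689 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112",
    "22:11:01.755341 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 112",
    "22:11:16.773509 IP 192.168.20.125.29999 > 184.73.221.81.2081: UDP, length 113",
]

# Constructed line (not from the thread) showing an inbound packet from the peer.
CONSTRUCTED_INBOUND = [
    "22:11:20.000000 IP 184.73.221.81.2081 > 192.168.20.125.29999: UDP, length 64",
]


def parse_line(line):
    """Return a dict of fields for a tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "length"):
        pkt[key] = int(pkt[key])
    return pkt


def direction(pkt, local_net):
    """'outbound' if only the source is in local_net, 'inbound' if only the
    destination is, 'local' if both, 'transit' if neither."""
    net = ipaddress.ip_network(local_net)
    src_local = ipaddress.ip_address(pkt["src"]) in net
    dst_local = ipaddress.ip_address(pkt["dst"]) in net
    if src_local and dst_local:
        return "local"
    if src_local:
        return "outbound"
    if dst_local:
        return "inbound"
    return "transit"


def summarize(lines, local_net, proto="UDP"):
    """Count packets of `proto` per direction; unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["proto"].upper() != proto.upper():
            continue
        counts[direction(pkt, local_net)] += 1
    return counts


def inbound_from_peer(lines, local_net, peer_ip, proto="UDP"):
    """Number of `proto` packets sourced from peer_ip and destined to local_net.
    Zero means the remote side never sent anything back, so no firewall or
    NAT rule on this box can be the reason the reply is missing."""
    n = 0
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or pkt["proto"].upper() != proto.upper():
            continue
        if pkt["src"] == peer_ip and direction(pkt, local_net) == "inbound":
            n += 1
    return n


if __name__ == "__main__":
    print(summarize(THREAD_CAPTURE, "192.168.20.0/24"))
    print("inbound from peer:",
          inbound_from_peer(THREAD_CAPTURE, "192.168.20.0/24", "184.73.221.81"))
```

Run it against a capture taken on the OpenVPN interface: if `inbound_from_peer` stays at zero while `summarize` shows outbound packets, the box is sending and the far end is not answering, which is the situation the reply describes.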
-
That's what I understand too, UDP doesn't get routed, but I don't understand why. Is there a rule missing or wrong? A problem with the VLAN?
I'm not sure what to do at this point, I've reached the end of my networking knowledge. I know UDP is stateless but I don't understand why it's not being routed to the VPN like TCP traffic is.
Is there a way to check if a rule prevents it?
-
The traffic will show in a packet capture even if it is blocked by a rule.
If you are capturing on the OpenVPN interface and the traffic is not arriving from the VPN provider, you need to check the configuration there.
pfSense cannot do anything with traffic that isn't sent to it.
-
That makes perfect sense, I understand that. Isn't the UDP processed by the NAT?
I don't understand what's wrong, if nothing was working I'd feel better but only UDP doesn't work and the configured rules don't discriminate against it. I'm not sure what to investigate, where to search.
To help me understand and remember the whole setup, I've deleted all settings related to the VPN and reconfigured it. Same result (no UDP, working TCP), but it did remind me of one thing I didn't mention before that is very relevant to this discussion: Firewall/NAT/Outbound. I've entered 2 mappings for interface WAN_AIRVPN_ALKAID (attached): one for 127.0.01 (is it necessary? not sure) and one for the VLAN addresses (192.168.20.0/24). Both for any port and any protocol. Is something else needed there?
Considering this is basically the same setup used by my "normal" internet, is there some issue with UDP and VLAN I should be aware of?
I might have to try it without a VLAN… That will require some work to try that (passing the cable)...
-
Well… not a VLAN issue. Same behavior using a dedicated LAN port. :'(
-
If it is not arriving on the OpenVPN interface from the ISP/VPN Provider there is NOTHING on the firewall you can do to fix it. They are not sending the traffic to you in the first place. Fix that.
Outbound NAT has nothing to do with inbound port forwards.
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
-
As far as I can tell, as you can see from my packet capture, the issue is with outbound UDP. Outbound packets never reach the VPN's WAN, only the LAN/VLAN (and die there, never being routed to the WAN).
-
Then your policy routing/rules are wrong on VLAN_13_AIRVPN.
What you posted before looks right but if it was right it would be working.
How about screen shots instead of what you sent before.
Any logged firewall blocks when you try it?
-
Here are, attached, the NAT rules for the VPN and the port forwarding rule. Tell me if you want to see something else.
I haven't seen anything about 192.168.20.125 in Status/System/Logs/System/General, Status/System/Logs/System/Routing or Status/System/Logs/Firewall/Dynamic View. Is this where I'm supposed to look? Must I change something log-wise?
-
I found a way to test udp using Packet Sender (https://packetsender.com/) on the local computer and a remote computer (outside my network). One computer sends a udp packet and the other receives it and reply.
I found 2 things:
Remote computer -> pfSense -> Local computer (192.168.20.125): It works! The port forwarding actually works! I even get a reply (no clue how that's possible) since…
Local computer (192.168.20.125) -> pfSense -> Remote computer: Fails, pfSense never sends the packet to the VPN.
So, it's not a port forwarding issue. I'm guessing it's a NAT issue or a routing issue (is there a difference?).
Not quite sure what to do about that... Not even sure this is related to OpenVPN... Should I start another thread?
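The send-and-reply test described in this post, as an added example using plain Python sockets instead of Packet Sender; it is not part of the thread. Both ends run on loopback here so the script checks itself; in the real test the responder would run on the remote host (or on 192.168.20.125 for the other direction) and the sender on the other side, with the host, port and payload being whatever you choose.

```python
"""Minimal UDP round-trip check: a responder that echoes each datagram back,
and a sender that reports whether a reply came back within a timeout.

Added example; not the Packet Sender tool from the thread. Host and port
values are chosen here for loopback and are placeholders for a real test.
"""
import socket
import threading


def start_responder(bind_host="127.0.0.1", bind_port=0):
    """Listen for UDP datagrams and send each one back prefixed with b'echo:'.
    Returns (thread, actual_port). bind_port=0 lets the OS pick a free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_host, bind_port))
    port = sock.getsockname()[1]

    def serve():
        while True:
            data, peer = sock.recvfrom(2048)
            if data == b"__stop__":
                break
            sock.sendto(b"echo:" + data, peer)
        sock.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return t, port


def udp_round_trip(host, port, payload=b"ping", timeout=2.0):
    """Send one datagram and wait for a reply. Returns the reply bytes, or
    None if nothing came back in time (the symptom in the thread for the
    local -> remote direction)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(payload, (host, port))
        data, _ = sock.recvfrom(2048)
        return data
    except OSError:  # socket.timeout is a subclass of OSError
        return None
    finally:
        sock.close()


def free_udp_port(host="127.0.0.1"):
    """Bind to port 0, read back the port the OS chose, release it. Used to
    get a port with no listener, to show the timeout path."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def stop_responder(host, port):
    """Tell the responder thread to exit."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.sendto(b"__stop__", (host, port))
    s.close()


if __name__ == "__main__":
    thread, port = start_responder()
    print("with listener:", udp_round_trip("127.0.0.1", port))
    print("no listener:", udp_round_trip("127.0.0.1", free_udp_port(), timeout=0.5))
    stop_responder("127.0.0.1", port)
    thread.join(timeout=2)
```

Because UDP has no handshake, a missing reply on its own does not say which hop dropped the datagram; pair the sender with a packet capture on each interface it should cross (LAN/VLAN, then the OpenVPN interface) to see where the outbound packet stops, which is exactly the split between "never leaves the LAN" and "leaves but nothing comes back" that this post narrows down.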