Netgate Discussion Forum

    port forwarding fails when OpenVPN enabled on destination PC

    Category: NAT
    helms (last edited by helms)

      Hello.

      I've configured my home cable modem in bridged mode.
      I'm using pfSense as my firewall/router/NAT, etc.
      I added a NAT rule using the instructions in the pfSense guides to route zoneminder traffic via port 9091 on my WAN side to a 192.168.x.y PC on the LAN side... basically, so I could view remote camera feeds.
      All works very well until I start the OpenVPN client on the Ubuntu 18.04 PC that is also running the zoneminder server.
      I see the traffic coming into the box via pfSense's NAT'd traffic, but I don't see it being sent back out. Nor do I see it being sent out the tun0 device that is configured by OpenVPN.
      I think the issue is a local routing issue on the Ubuntu PC, which now has a default route out the OpenVPN tun0 interface, which has no knowledge of the previously NAT'd ingress connection.

      I can move the VPN connection to pfSense but I'd rather not due to latency/throughput issue(s).
      I can move the zoneminder app, and any other NAT'd connections, to another PC I guess, but that's less elegant.

      Any other suggestions or thoughts?
      Thanks!

      Derelict, LAYER 8, Netgate (last edited by Derelict)

        The OpenVPN server your Ubuntu machine is connecting to is probably sending a default route (def1) to the client, so reply traffic to the connection attempts is going out the client's VPN connection.

        If so, it's not a pfSense problem that can be fixed there; it's an OpenVPN client connection and routing table problem on the Ubuntu machine. You could probably use outbound NAT on the inside interface to make connections to the zoneminder server appear to that machine to be coming from the pfSense interface address. Replies would then be same-subnet, so the route back would work.

        Look at the routing table on the Ubuntu machine when the VPN is connected and when it isn't. I believe netstat -rn should work there.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

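To make the routing-table comparison Derelict suggests concrete, here is an added example (not code from either poster or from pfSense/OpenVPN) that parses two constructed `netstat -rn` tables, one before and one after the VPN comes up, and runs the kernel's longest-prefix match over them. All names and addresses are assumptions for illustration: LAN interface `enp3s0` on 192.168.1.0/24 with pfSense at 192.168.1.1, VPN interface `tun0` on 10.8.0.0/24, a VPN server at 198.51.100.5, and a remote camera viewer at 203.0.113.10. It shows why the two `/1` routes that `redirect-gateway def1` installs capture the reply to the forwarded connection, and why a reply to the pfSense LAN address (the outbound NAT workaround) is unaffected.

```python
"""Constructed example: why replies to a port-forwarded connection leave via
tun0 once the OpenVPN client receives 'redirect-gateway def1'.
Interface names and addresses below are invented for the demonstration."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed `netstat -rn` output on the Ubuntu host, VPN disconnected.
NETSTAT_NO_VPN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enp3s0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enp3s0
"""

# Constructed `netstat -rn` output with the VPN up. OpenVPN's def1 mode adds
# 0.0.0.0/1 and 128.0.0.0/1 via tun0 (more specific than the original
# 0.0.0.0/0) plus a /32 host route so the tunnel itself still reaches the server.
NETSTAT_WITH_VPN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 enp3s0
0.0.0.0         10.8.0.1        128.0.0.0       UG        0 0          0 tun0
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
128.0.0.0       10.8.0.1        128.0.0.0       UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 enp3s0
198.51.100.5    192.168.1.1     255.255.255.255 UGH       0 0          0 enp3s0
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    iface: str


def parse_netstat_rn(text: str) -> List[Route]:
    """Parse the Linux `netstat -rn` table (Destination, Gateway, Genmask, ..., Iface)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue  # banner / header lines
        dest, gateway, genmask, iface = parts[0], parts[1], parts[2], parts[7]
        network = ipaddress.IPv4Network(f"{dest}/{genmask}", strict=False)
        routes.append(Route(network, gateway, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match: the route the kernel picks for a packet to dst."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.network.prefixlen)


def def1_routes(routes: List[Route]) -> List[Route]:
    """The two /1 routes that OpenVPN's 'redirect-gateway def1' installs."""
    return [r for r in routes if r.network.prefixlen == 1]


def reply_iface(netstat_text: str, remote_ip: str) -> str:
    """Interface the host would use to answer a connection arriving from remote_ip."""
    return lookup(parse_netstat_rn(netstat_text), remote_ip).iface


if __name__ == "__main__":
    viewer, pfsense_lan = "203.0.113.10", "192.168.1.1"
    for label, table in (("no VPN", NETSTAT_NO_VPN), ("VPN up", NETSTAT_WITH_VPN)):
        routes = parse_netstat_rn(table)
        print(f"[{label}] def1 routes present: {len(def1_routes(routes))}")
        print(f"[{label}] reply to {viewer} leaves via {lookup(routes, viewer).iface}")
        print(f"[{label}] reply to {pfsense_lan} leaves via {lookup(routes, pfsense_lan).iface}")
```

Run it with real `netstat -rn` output pasted in place of the constructed tables. The two `/1` entries are the signature of def1: because `/1` is more specific than the original `/0`, every non-local destination, including the camera viewer whose packets arrived through the pfSense port forward, is answered out `tun0`, where the remote peer never sees the reply. A destination inside 192.168.1.0/24 still matches the `/24` connected route, which is exactly why Derelict's outbound-NAT workaround (replies addressed to the pfSense LAN address) keeps working with the VPN up. The host-side alternative, which the thread does not go into, is source-based policy routing on Linux (`ip rule` plus a separate routing table whose default route points at the pfSense LAN gateway for traffic sourced from the ZoneMinder host's LAN address), so that replies follow the interface the request came in on.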
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.