Netgate Discussion Forum

    Unable to use forwarded port from VPN provider

    Firewalling
    • patlefort
      last edited by patlefort

      I am trying to make use of forwarded ports from my VPN provider. To be certain that the ports are being forwarded, I tested them on a Linux machine and they work. I am unable to make it work on pfSense. I am able to connect to the port from my WAN, so the rules work on the WAN, but when I add rules for the VPN gateway interface it just doesn't. I have tried with OpenVPN and WireGuard. I've had this problem from 2.4 to the current version. I am using iperf3 to test. I have the following NAT rule:

      Interface: VPN_WG_MTR (that's the VPN client interface)
      Protocol: TCP/UDP
      Source Address/Port: Any
      Dest. Address: Any
      Dest. Port: 54941
      NAT IP: 127.0.0.1
      NAT Port: 54941

      I have an equivalent rule for IPv6. They both have an associated firewall rule to allow traffic but to test I also tried to allow all traffic. I have tried to open the port on VPN_WG_MTR to allow connections directly without NAT.

      Packet capture reveals that I am getting a connection attempt when I test the port:

      2425	2.147823	45.33.50.110	10.64.220.104	TCP	64	48492 → 54941 [SYN] Seq=0 Win=64240 Len=0 MSS=1380 SACK_PERM=1 TSval=2322012666 TSecr=0 WS=128
      

      Firewall shows no entry about blocking this connection.

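The capture line in the post shows an inbound SYN reaching the VPN interface, but the interesting question is whether anything is sent back: a SYN with no SYN-ACK and no block entry in the firewall log points at the NAT or pass rule never matching (or at no listener behind it), rather than at the provider. The following is an added example, not code from the thread or from pfSense: it parses Wireshark-style summary lines in the same tab-separated format as the one above (constructed sample data, with the assumed column order No., Time, Source, Destination, Protocol, Length, Info) and reports the client flows whose SYNs to the forwarded port were never answered.

```python
import re
from dataclasses import dataclass

# Constructed sample capture in the Wireshark summary format used in the post
# (tab-separated: No., Time, Source, Destination, Protocol, Length, Info).
# Flow 48492 gets a SYN-ACK back; flow 48510 retransmits its SYN and never does.
CAPTURE = [
    "2425\t2.147823\t45.33.50.110\t10.64.220.104\tTCP\t64\t48492 \u2192 54941 [SYN] Seq=0 Win=64240 Len=0 MSS=1380",
    "2426\t2.148001\t10.64.220.104\t45.33.50.110\tTCP\t64\t54941 \u2192 48492 [SYN, ACK] Seq=0 Ack=1 Win=65228 Len=0",
    "2430\t3.201555\t45.33.50.110\t10.64.220.104\tTCP\t64\t48510 \u2192 54941 [SYN] Seq=0 Win=64240 Len=0 MSS=1380",
    "2431\t4.202000\t45.33.50.110\t10.64.220.104\tTCP\t64\t48510 \u2192 54941 [SYN] Seq=0 Win=64240 Len=0 MSS=1380",
    "2440\t5.000000\t45.33.50.110\t10.64.220.104\tUDP\t60\t40000 \u2192 54941 Len=18",
]

# "48492 → 54941 [SYN, ACK] ..." -> source port, destination port, flag list
INFO_RE = re.compile(r"^(\d+) \u2192 (\d+) \[([^\]]*)\]")


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def parse_tcp(line):
    """Return a Segment for a TCP summary line, or None for anything else."""
    cols = line.split("\t")
    if len(cols) < 7 or cols[4] != "TCP":
        return None
    m = INFO_RE.match(cols[6])
    if not m:
        return None
    flags = frozenset(f.strip() for f in m.group(3).split(","))
    return Segment(cols[2], int(m.group(1)), cols[3], int(m.group(2)), flags)


def unanswered_syns(lines, port):
    """Map (client address, client port) -> number of SYNs sent to `port`,
    keeping only flows for which no SYN-ACK from `port` appears in the capture."""
    syns, answered = {}, set()
    for seg in filter(None, map(parse_tcp, lines)):
        if seg.dport == port and seg.flags == {"SYN"}:
            syns[(seg.src, seg.sport)] = syns.get((seg.src, seg.sport), 0) + 1
        elif seg.sport == port and {"SYN", "ACK"} <= seg.flags:
            answered.add((seg.dst, seg.dport))
    return {flow: n for flow, n in syns.items() if flow not in answered}


if __name__ == "__main__":
    for (client, cport), n in unanswered_syns(CAPTURE, 54941).items():
        print(f"{client}:{cport} sent {n} SYN(s) to port 54941 with no SYN-ACK back")
```

Run it against an export of your own capture filtered to the forwarded port; a non-empty result alongside an empty firewall log is the combination viragomann's advice about rule logging is meant to resolve.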
      • viragomann @patlefort
        last edited by

        @patlefort said in Unable to use forwarded port from VPN provider:

        I've had this problem since 2.4 to the current version.

        What is your current version? That will not work on CE 2.5.1.

        Ensure that there is no firewall pass rule on the OpenVPN tab matching the incoming traffic as well as no floating rule.
        A pass rule on the VPN_WG_MTR has to match the traffic. When in doubt, enable logging in the rule to investigate.

        • patlefort @viragomann
          last edited by patlefort

          It suddenly started working after changing the port being forwarded, which is not the first time that I have changed it. It never worked before and suddenly it does, with no changes to rules other than that port. I am dumbfounded. Could all these ports somehow have conflicted with some already used source ports for outbound connections? This is on WireGuard, which is quite new; I'll have to retest on OpenVPN. I understand that they will forward a port to the latest client to connect to their VPN for OpenVPN and nobody else is using it as far as I am aware. I'll have to keep an eye on it.

          Edit: This is on version 2.5.2 CE.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.