Gateway firewall rule not applying to some traffic

  • I have a interesting issue with the gateway firewall rule option not applying to some traffic.

    Some backround on the setup - I have two pfSense routers connected together through a OpenVPN tunnel, routed mode. The core end is on, and the remote side is on The core end has multiple static IPs associated with it through IP aliases, and then 1:1 NAT rules from each static IP to an internal IP on the (remote) subnet. The interface attached to the OpenVPN tunnel is named OVPN.

    I have a firewall rule for the device with the static IP with the OVPN_VPNV4 gateway on the remote pfSense router, on the LAN table. This is supposed to send all traffic originating from the device with the static IP out the OpenVPN tunnel.

    If I try to access one of the static IPs, this is what I get looking at the OVPN interface on the remote side:

    12:22:11.309438 IP > tcp 0
    12:22:11.319933 IP > tcp 0
    12:22:12.305938 IP > tcp 0
    12:22:12.318125 IP > tcp 0
    12:22:14.309732 IP > tcp 0
    12:22:14.322105 IP > tcp 0

    Wireshark on the destination server also confirms that those packets are getting to the server. However, there are no packets returning to the core over this tunnel.

    Looking at the LAN interface on the remote side:

    12:24:40.437243 IP > tcp 0
    12:24:40.438803 IP > tcp 0
    12:24:40.440643 IP > tcp 0
    12:24:40.442206 IP > tcp 0
    12:24:41.433608 IP > tcp 0
    12:24:41.437794 IP > tcp 0
    12:24:43.429357 IP > tcp 0
    12:24:43.437798 IP > tcp 0
    12:24:43.439312 IP > tcp 0
    12:24:43.442284 IP > tcp 0

    Here, the packets that the server are putting out are visible as well.

    Now, here is where things get interesting…
    Looking at the WAN interface on the remote side:

    12:27:52.819181 IP > tcp 0
    12:27:55.821165 IP > tcp 0

    For some reason, these packets are going out the WAN interface, not the OpenVPN tunnel.

    Now, here is where things get REALLY interesting...
    If I make a connection from the server with the associated firewall rule, this is what I see on the OVPN interface on the remote side:

    12:31:43.297100 IP > tcp 0
    12:31:43.297613 IP > tcp 0
    12:31:43.360256 IP > tcp 0
    12:31:43.360446 IP > tcp 0
    12:31:43.360521 IP > tcp 0
    12:31:43.360637 IP > tcp 0
    12:31:43.361139 IP > tcp 402
    12:31:43.421463 IP > tcp 0
    12:31:43.421607 IP > tcp 403
    12:31:43.423199 IP > tcp 0
    12:31:43.461909 IP > tcp 323
    12:31:43.480867 IP > tcp 0
    12:31:43.524600 IP > tcp 0
    12:31:43.524722 IP > tcp 402
    12:31:43.526124 IP > tcp 0
    12:31:43.584187 IP > tcp 0

    Doing that, I am able to establish a connection just fine and all associated traffic passes through the OpenVPN tunnel (matching the firewall rule in order to do this).

    And if I look at the WAN interface at the remote side when I do this, there are no packets from this device.

    Both sides ran 2.2.6, but I updated the remote side to 2.3.2 just to rule out a problem with the 2.2.6 version. The problem still persisted after this update.

    Any ideas?

  • Netgate

    What you really need is reply-to on the remote side with the actual network. If there is an assigned interface on that side it should be automatic. This will direct reply traffic back out the interface it came in on. You don't want to use policy routing for that (it won't work) and it should be removed.

    You probably have rules matching the traffic on the OpenVPN tab instead of or in addition to the OVPN interface tab. Interface groups are processed first (Which is what the OpenVPN tab is under the hood), first match wins, and there is no reply-to possible there.

    See this example. SSH with a port translation but the same thing you are trying to do:

    Everything should be the same on 2.3.2. Now you're upgraded so that's a bonus. ;)

  • That worked!

    I did in fact have an allow any/any rule on the OpenVPN rules tab, as well as the OVPN tab. Removed that rule on the OpenVPN tab, and changed the rule on the OVPN tab for TCP/80 and a destination IP of Also removed the rule in the LAN tab with the gateway manually assigned.

    I can now get to that device through the external IP.

    Thank you very much!