VPN port forwarding.



  • Hello,

    First of all, let me say I'm far from completely knowledgeable in networking, so if you decide to help me you will probably need to "ELI5".

    I have had a pfSense box running for at least 2 years now and I'm loving every second; I could never go back to a "normal" router/firewall again.
    Had ports forwarded and the network set up just the way I want it, and it hasn't missed a beat.

    Now the other day I decided, for reasons, to get a really nice VPN service, so I now have one from a company that allows port forwarding and unlimited speed etc., and
    they even had a very detailed guide on how to set it all up on every kind of device under the sun, including pfSense.
    Followed the guide and it fired right up and everything works perfectly, except for port forwarding.

    So I want to have, let's say, 51200 for my Transmission service that is running on a FreeBSD machine on my network, so I opened the port on TCP/UDP from the VPN service website.
    I also edited the NAT port forward I had for 51200 that worked earlier without the VPN and changed it to "IF OPT1" from "IF WAN" like it was earlier.
    And now external sites like "canyouseeme" etc. can indeed see my service and find the port open.

    However, Transmission is still saying the port is closed and I get no connection to the tracker.
    I have been looking at the states of the machine and that port,
    and I keep seeing things like this:

    OPT1 udp TRANSMISSIONHOST:51200 (VPNGATEWAY:51200) <- EXTERNALIP:18527 NO_TRAFFIC:SINGLE
    LAN udp EXTERNALIP:18527 -> TRANSMISSIONHOST:51200 SINGLE:NO_TRAFFIC

    Not sure exactly what this means, but I figured it might help.
    I would appreciate any insight anyone has; if I can provide more information, if you decide to help me, don't hesitate to ask.

    Best Regards.
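    As an added illustration (not code from this thread, from pfSense, or from the VPN provider), here is a small Python parser for state-table lines in the text form that `pfctl -ss` prints, i.e. the form pasted in the post above. The two sample lines are the poster's own two states, used here as constructed input with the placeholder hostnames left in; the third line in the usage notes is an invented healthy state for contrast. The script pulls out the interface, the direction arrow, any NAT translation (the address pf prints in parentheses) and the two per-side states, and flags UDP states where pf has recorded packets from only one side (`NO_TRAFFIC` on exactly one side), which is what both lines above show: the packet that created the state was never answered. The helper names (`parse_states`, `diagnose`, and so on) are this example's own, and it assumes IPv4 or hostname endpoints (IPv6 `[addr]:port` endpoints are not handled).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two state-table lines quoted in the post above,
# in the text form `pfctl -ss` prints (pfSense's Diagnostics > States page shows
# the same fields as a table). The hostnames are placeholders, as in the post.
SAMPLE_STATES = """\
OPT1 udp TRANSMISSIONHOST:51200 (VPNGATEWAY:51200) <- EXTERNALIP:18527 NO_TRAFFIC:SINGLE
LAN udp EXTERNALIP:18527 -> TRANSMISSIONHOST:51200 SINGLE:NO_TRAFFIC
"""

# iface proto endpoint [(translated endpoint)] <-|-> endpoint [(translated)] stateA:stateB
# Assumption: endpoints are host:port with IPv4 or hostnames; IPv6 "[addr]:port"
# endpoints are not handled by this example.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<left_nat>[^)]+)\))?\s+"
    r"(?P<arrow><-|->)\s+"
    r"(?P<right>\S+)(?:\s+\((?P<right_nat>[^)]+)\))?\s+"
    r"(?P<states>[^:\s]+:\S+)$"
)


@dataclass
class PfState:
    iface: str
    proto: str
    left: str
    left_nat: Optional[str]   # address pf printed in parentheses after `left`, if any
    arrow: str                # "->" state created by an outbound packet, "<-" by an inbound one
    right: str
    right_nat: Optional[str]
    state_a: str              # the two per-side states exactly as printed, e.g. NO_TRAFFIC:SINGLE
    state_b: str

    @property
    def endpoints(self) -> List[str]:
        return [h for h in (self.left, self.left_nat, self.right, self.right_nat) if h]


def parse_states(text: str) -> List[PfState]:
    """Parse `pfctl -ss`-style lines; raises ValueError on a line it cannot read."""
    states: List[PfState] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised state line: {line!r}")
        state_a, state_b = m["states"].split(":", 1)
        states.append(PfState(m["iface"], m["proto"], m["left"], m["left_nat"],
                              m["arrow"], m["right"], m["right_nat"], state_a, state_b))
    return states


def is_one_way_udp(st: PfState) -> bool:
    """True for a UDP state that has seen packets from only one side.

    pf's per-side UDP states are NO_TRAFFIC (nothing seen from that side),
    SINGLE (one packet) and MULTIPLE (several). NO_TRAFFIC on exactly one
    side means whatever created the state has not been answered.
    """
    if st.proto != "udp":
        return False
    return (st.state_a, st.state_b).count("NO_TRAFFIC") == 1


def states_for_port(states: List[PfState], port: int) -> List[PfState]:
    """States where any endpoint, pre- or post-NAT, uses `port`."""
    suffix = f":{port}"
    return [s for s in states if any(h.endswith(suffix) for h in s.endpoints)]


def diagnose(text: str, port: int) -> List[str]:
    """One line per unanswered UDP state touching `port`, showing any NAT pf applied."""
    findings: List[str] = []
    for st in states_for_port(parse_states(text), port):
        if not is_one_way_udp(st):
            continue
        left = st.left + (f" ({st.left_nat})" if st.left_nat else "")
        right = st.right + (f" ({st.right_nat})" if st.right_nat else "")
        findings.append(f"{st.iface}: {left} {st.arrow} {right} unanswered "
                        f"({st.state_a}:{st.state_b})")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_STATES, 51200):
        print(finding)
```

    Run against the two lines from the post, `diagnose(SAMPLE_STATES, 51200)` reports both states as unanswered: the OPT1 entry shows the inbound packet arriving at VPNGATEWAY:51200 and being translated to TRANSMISSIONHOST:51200, and the LAN entry shows it being handed to the host, with no packet coming back on either. A state that reads `MULTIPLE:MULTIPLE` (traffic in both directions) is not flagged.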





  • @KOM:

    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    Post your NAT rules and WAN firewall rules.

    Yes, I have been eyeballing those documents for what seems like hours and gone through a lot of posts that seem to be similar problems.
    But either that doesn't help me or I don't completely understand it all, and I suspect it's probably both.

    Screenshotted all the things, hope it helps.










  • This looks a little messed up.  You can't forward from OPT1 unless OPT1 is also a WAN.  You have to forward from WAN to whatever address your server uses.  You talk about wanting to forward 51200 but I don't see any NATs for that, only 51765.  You don't have any firewall rule on WAN to allow the forward to work.  Unless you have twiddled something, that corresponding firewall rule is automatically created.  Yours is missing.

    1.  Change your NAT rule so that Dest addr is WAN address, not OPT1 address
    2.  Change Dest ports and NAT ports to 51200
    3.  Add a firewall WAN pass rule:
    Proto IPv4 TCP/UDP
    Source *
    Port *
    Destination IP_of_your_server
    Port 51200
    Gateway *
    Queue none



  • @KOM:

    This looks a little messed up.  You can't forward from OPT1 unless OPT1 is also a WAN.  You have to forward from WAN to whatever address your server uses.  You talk about wanting to forward 51200 but I don't see any NATs for that, only 51765.  You don't have any firewall rule on WAN to allow the forward to work.  Unless you have twiddled something, that corresponding firewall rule is automatically created.  Yours is missing.

    1.  Change your NAT rule so that Dest addr is WAN address, not OPT1 address
    2.  Change Dest ports and NAT ports to 51200
    3.  Add a firewall WAN pass rule:
    Proto IPv4 TCP/UDP
    Source *
    Port *
    Destination IP_of_your_server
    Port 51200
    Gateway *
    Queue none

    Yeah, I'm sorry for the confusion; I changed the port to a higher number just to try something.
    Had no real luck with your changes; it completely got me hidden on the service from the outside.
    But I removed basically all the NAT rules and everything that's not necessary so I could get a fresh start.
    Could you please list what I would need? So I can try the minimalist thing without any of my clowny changes blocking things.

    Details

    • OPT1 is configured as the VPN interface; it's hosted by another company in my country. They have a control panel on their website where you can open ports at will, and I have 51765 open.
    • Transmission is running in a FreeBSD jail on 192.168.1.202, listening on 51765.

    If it helps, this is the guide I was following, which is from the VPN hosting company.
    https://www.ovpn.se/en/guides/pfsense

    EDIT: gave up on getting this to work and decided to try to get the VPN working on the Transmission machine instead, and ran into the problem that DNS didn't resolve properly.
    I came across a thread that said jails don't update the global DNS automatically; they will still have the same one as when they were created.
    And I did change to my VPN service's DNS when I did the thing on the pfSense router.
    So the router had one pair of DNS servers, and my Transmission jail had another pair.

    Do you think this might be the cause of my problem?



  • No idea about that as I'm not a FreeBSD guy.  If you want to go back to the OpenVPN config I can try to help you further but I've never done what you're looking to do.


  • Netgate

    When you test from your inside host it is connecting out WAN so that is the IP address it will be testing.

    You need to create a rule on LAN that policy routes that test traffic out OPT1 so that is the interface the test is done on.