Netgate Discussion Forum
    Problem port forwarding OpenVPN

    11 Posts 2 Posters 2.7k Views
      bimmerdriver

      I'm trying to set up an openvpn client and server. I have two LANs with separate WAN connections. The client is in one LAN and the server is in the other. I set up a rule to port forward the incoming connection to the pc running the server. It's not working, because the incoming port number is a random number. It keeps getting blocked by the firewall. I have the client configured with lport 1194 and bind. I verified using netstat -anon udp on the client that it's using port 1194. Despite this, the incoming port is a random number which changes each time the client restarts after failing to connect. I don't understand why this is happening. Is pfSense on the client network re-mapping the port? If so, why, and how can I stop this from happening so the port forwarding rule will work?

        bimmerdriver

        Anyone? I'm really stumped by this.

          Derelict LAYER 8 Netgate

          I don't get why you are messing about with the local port on the client. Do you have a source port set on your NAT rule on the server side or something?

          That is almost never correct. Source port should be left blank.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            bimmerdriver

            I'm trying to set up a port forwarding rule so the client will reach the server. It's getting blocked, presumably because the port number keeps changing.

              Derelict LAYER 8 Netgate

              That's why the source port on your port forward needs to be any.

              Specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any'). The 'to' field may be left empty if only filtering a single port.

              https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

              https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                bimmerdriver

                @Derelict:

                That's why the source port on your port forward needs to be any.

                Specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any'). The 'to' field may be left empty if only filtering a single port.

                https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

                https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                Okay, I have not set the source port. The rule is configured similarly to other port forwarding rules which are working. The destination is WAN with the destination port range being "openvpn". The redirect target IP and port are the IP address of the particular host and "openvpn". As I said, I have other port forwarding rules configured and they are working. In the case of this rule, it's being blocked by the firewall.

                  bimmerdriver

                  I noticed another thread called Source port rewriting, https://forum.pfsense.org/index.php?topic=118458.0. This sounds like the cause of the problem.

                    Derelict LAYER 8 Netgate

                    The source port of an OpenVPN client connection does not matter! (Unless the rule on the server says it matters, which is not the default and not the way it should be configured.)

                    Post the firewall rule, the port forward, and the logs showing it being blocked.

                      bimmerdriver

                      Here are some screen captures.

                      The incoming port number changes every time the client restarts after failing to connect.

                      ![firewall log.PNG](/public/imported_attachments/1/firewall log.PNG)
                      ![firewall rule.PNG](/public/imported_attachments/1/firewall rule.PNG)
                      ![firewall rule 2.PNG](/public/imported_attachments/1/firewall rule 2.PNG)
                      ![NAT rule.PNG](/public/imported_attachments/1/NAT rule.PNG)
                      ![redirect rule.PNG](/public/imported_attachments/1/redirect rule.PNG)

                        Derelict LAYER 8 Netgate

                        Dude, your firewall rule is disabled. That's why it's grayed out / translucent. Uncheck the Disable this rule checkbox.

                          bimmerdriver

                          @Derelict:

                          Dude, your firewall rule is disabled. That's why it's grayed out / translucent. Uncheck the Disable this rule checkbox.

                          ARRRGGGGHHH! That was the problem. I thought it was grayed out because it was automatically created.

                          Thanks!

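As an added illustration (not code from this thread, from pfSense or from Netgate), the following Python model of first-match firewall evaluation shows the two failure modes the thread turns on: Derelict's point that pinning the source port to 1194 blocks every attempt once the client's source port has been rewritten to an ephemeral one, and the final finding that a disabled rule matches nothing at all, so the result is the same default deny. The Rule and Packet fields are a simplified model of a pfSense WAN rule, not its real ruleset format, and all addresses, ports and log lines are constructed assumptions.

```python
# Added illustration (not pfSense code): a minimal model of first-match
# firewall evaluation for the two failure modes discussed in the thread.
# Rule/Packet fields are a simplified model of a pfSense WAN rule, not
# the real ruleset format; all addresses and ports are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional
import random

OPENVPN_PORT = 1194  # pfSense's "openvpn" port alias: UDP 1194


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    dst_port: int
    src_port: Optional[int] = None  # None means "any", the recommended setting
    enabled: bool = True
    action: str = "pass"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """A disabled rule matches nothing; otherwise protocol, destination
    port and (only if pinned) source port must all agree."""
    if not rule.enabled:
        return False
    if rule.proto != pkt.proto or rule.dst_port != pkt.dst_port:
        return False
    return rule.src_port is None or rule.src_port == pkt.src_port


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; with no match the packet is blocked,
    mirroring the implicit default deny on a pfSense WAN interface."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "block"


def client_attempts(count: int, seed: int = 0) -> List[Packet]:
    """Constructed inbound OpenVPN attempts. Even with 'lport 1194' on the
    client, an upstream NAT may rewrite the source port, so each retry
    arrives from a different ephemeral port (49152-65535 here)."""
    rng = random.Random(seed)
    return [
        Packet("udp", "203.0.113.10", rng.randint(49152, 65535),
               "198.51.100.1", OPENVPN_PORT)
        for _ in range(count)
    ]


def tally(rules: List[Rule], pkts: List[Packet]) -> Dict[str, int]:
    """Count pass/block verdicts for one ruleset over a packet list."""
    counts = {"pass": 0, "block": 0}
    for pkt in pkts:
        counts[evaluate(rules, pkt)] += 1
    return counts


def log_line(pkt: Packet, verdict: str) -> str:
    """Constructed firewall-log shape: the fields worth reading when a port
    forward 'isn't working' (verdict, interface, proto, src:port -> dst:port)."""
    return (f"{verdict.upper():5} WAN {pkt.proto} "
            f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")


# Three WAN rulesets for the same destination, UDP/1194.
PINNED_SOURCE = [Rule("ovpn-pinned", "udp", OPENVPN_PORT, src_port=1194)]
SOURCE_ANY = [Rule("ovpn-any", "udp", OPENVPN_PORT)]
DISABLED = [Rule("ovpn-disabled", "udp", OPENVPN_PORT, enabled=False)]

if __name__ == "__main__":
    attempts = client_attempts(5)
    for label, rules in (("source port pinned", PINNED_SOURCE),
                         ("source port any", SOURCE_ANY),
                         ("rule disabled", DISABLED)):
        print(f"--- {label}: {tally(rules, attempts)}")
        for pkt in attempts:
            print(log_line(pkt, evaluate(rules, pkt)))
```

Running the block prints the verdict per constructed attempt under each ruleset: with the source port pinned every retry is blocked because the rewritten source port never equals 1194, with the source port set to any every retry passes, and with the rule disabled the log looks identical to the pinned case even though the rule text is correct, which is exactly why the greyed-out rule in the screenshots was the real cause.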
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.