NAT Port forward routed out through the wrong interface



  • Hi guys,

    I have re-written my rules a couple of times and keep hitting the same wall (no pun intended). I set up a port forward from my VPN connection(s) and it returns the traffic through my WAN interface.

    So what is happening in short is this:

    internet -> VPN -> firewall -> host -> firewall -> WAN
    

    rather than:

    internet -> VPN -> firewall -> host -> firewall -> VPN
    

    I have attached a copy of my rules to spare you the agony of my setup described in English.

    That said, I did read a few posts and I think I got the basics by creating a NAT forwarding rule and have pfSense create the VPN rule.

    I have a bit of experience with Linux iptables but am completely confused about the flow of pfSense. tcpdump could only confirm that the traffic was routed back out to my WAN but I cannot figure out what I am doing wrong.

    Any pointers are welcome.

    Thank you all.

    ps: I'm seeing a lot of screenshots… if they are preferred, let me know and I'll adapt...
    rules.txt



  • What is at the remote end of the VPN tunnel, a single computer or a LAN of multiple machines? If it's multiple machines on a LAN that need access to the local end of the tunnel, you have to tell pfSense the route back to the LAN on the remote end with the iroute directive in the client-specific configuration in the OpenVPN server config. By default pfSense knows how to reach only the single connected OpenVPN client system; it won't know how to reach the remote LAN unless told explicitly how.



  • Hi kpa, thanks for taking the time.

    The VPN is managed by AirVPN. I believe it's a single box. The port is open from the AirVPN web interface on their side. On my side, I did the port forwarding to a single box.

    Let me know if you need more info.



  • Sorry, disregard my first reply. You seem to be using the VPN as a second WAN connection, is that right? Is the VPN set up as the default gateway when it's up?



  • What I am trying to do (keeping in mind I am no network guru), is have some kind of privacy at home.

    So, I got AirVPN, set up all three VPN connections for redundancy and made them separate WAN connections to route my traffic away from my provider and encrypt it on the way. Setting the VPN as a default gateway was an attempt to see if that would force the traffic out through a VPN connection and solve my problem. It was also to make sure all traffic, by default, went through the VPN.

    It's close to 2AM so I'm signing out but thanks for your help. I'd love to know what I'm doing wrong. The firewall is still extremely basic and already I'm asking for help… :\

    Thanks again.



  • You do need the default gateway set to the VPN connection, otherwise you would have to handpick traffic for the VPN by what is known as "policy routing" and that's an advanced concept and probably not what you want to do. I'd guess what you're also missing is outbound NAT for the VPN connection. This tutorial should be suitable for your case although it was written for a different VPN provider:

    https://forum.pfsense.org/index.php?topic=76015.0



  • I'll read the tutorial and if all fails, start from scratch and make sure each rule works before moving to the next…

    Thanks a lot for your help.



  • Hi all, long time pfSense user here but first time poster.

    Was wondering if OP ever found out the issue? I have spent over a day trying to figure this out and no luck.
    Web browsing and HTTP traffic, say if I visit a website, is routed to and from correctly. So I guess regular NAT seems to be working just fine. I can verify this with packet capture. Also, sites such as wtfismyip say the IP is correct (the VPN WAN IP address).
    As an example, visiting a webpage. Capture of the VPN WAN adapter:

    19:57:19.770803 IP 64.74.232.52.80 > 10.7.xx.x.35405: tcp 262
    19:57:19.771131 IP 10.7.xx.x.35405 > 64.74.232.52.80: tcp 0
    

    The issue comes when I have forwarded one port. I can see traffic come into the VPN interface at that port, forwarded to the correct IP address. I can view the packets incoming and replied to via tcpdump in Linux. The software listening on that port then replies to the source address as expected. I can then follow the traffic out the wrong gateway.

    VPN Adapter

    19:59:46.077592 IP 198.199.98.246.46331 > 10.7.xx.x.58993: tcp 0
    19:59:47.076715 IP 198.199.98.246.46331 > 10.7.xx.x.58993: tcp 0
    19:59:47.080769 IP 198.199.98.246.46334 > 10.7.xx.x.58993: tcp 0
    

    Destination host simultaneously

    20:00:31.559648 IP 198.199.98.246.46466 > 192.168.xx.xxx.58993: tcp 0
    20:00:31.559781 IP 192.168.xx.xxx.58993 > 198.199.98.246.46466: tcp 0
    20:00:32.556562 IP 192.168.xx.xxx.58993 > 198.199.98.246.46466: tcp 0
    20:00:32.556785 IP 198.199.98.246.46466 > 192.168.xx.xxx.58993: tcp 0
    20:00:32.556849 IP 192.168.xx.xxx.58993 > 198.199.98.246.46466: tcp 0
    20:00:32.563025 IP 198.199.98.246.46473 > 192.168.xx.xxx.58993: tcp 0
    20:00:32.563063 IP 192.168.xx.xxx.58993 > 198.199.98.246.46473: tcp 0
    

    And then out the wrong WAN adapter

    I have no idea why this is happening, especially since it just seems to be replies to queries on this port! I have outbound NAT configured correctly, I think.

    Any ideas?
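
The by-eye comparison of per-interface captures described in the post above can be automated. This is an added example, not part of the original thread: it parses tcpdump lines in the format shown and reports every connection to the forwarded port whose replies leave on an uplink other than the one it arrived on. The interface names `vpn` and `wan`, all addresses (RFC 5737 documentation ranges) and the function names are assumptions.

```python
import re
from collections import defaultdict

# Line format as in the thread's captures:
#   19:59:46.077592 IP 198.199.98.246.46331 > 10.7.xx.x.58993: tcp 0
LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): ")

def parse(line):
    """Return ((src_ip, src_port), (dst_ip, dst_port)) or None if unparsable."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return (m[1], int(m[2])), (m[3], int(m[4]))

def find_asymmetric_replies(captures, forwarded_port, uplinks):
    """captures: {interface: [tcpdump lines]}; uplinks: internet-facing interfaces.
    Flows are keyed on the remote endpoint, which address translation on the
    firewall leaves unchanged. Returns {remote: (ingress_ifaces, reply_ifaces)}
    for every flow with a reply on an uplink it did not arrive on."""
    pkts = [(i, parse(l)) for i in uplinks for l in captures.get(i, [])]
    ingress, replies = defaultdict(set), defaultdict(set)
    for iface, pkt in pkts:      # pass 1: connections to the forwarded port
        if pkt and pkt[1][1] == forwarded_port:
            ingress[pkt[0]].add(iface)
    for iface, pkt in pkts:      # pass 2: packets heading back to those remotes
        if pkt and pkt[1] in ingress:
            replies[pkt[1]].add(iface)
    return {r: (sorted(ingress[r]), sorted(replies[r]))
            for r in ingress if replies[r] - ingress[r]}

# Constructed sample captures (not taken from the thread). Only the remote
# endpoint is used for matching, so the local addresses are placeholders.
SAMPLE = {
    "vpn": [
        "19:57:19.770803 IP 198.51.100.80.80 > 10.7.0.5.35405: tcp 262",
        "19:57:19.771131 IP 10.7.0.5.35405 > 198.51.100.80.80: tcp 0",
        "19:59:46.077592 IP 203.0.113.20.46331 > 10.7.0.5.58993: tcp 0",
        "19:59:47.076715 IP 203.0.113.20.46331 > 10.7.0.5.58993: tcp 0",
        "20:01:02.100000 IP 203.0.113.30.50000 > 10.7.0.5.58993: tcp 0",
        "20:01:02.100400 IP 10.7.0.5.58993 > 203.0.113.30.50000: tcp 0",
    ],
    "wan": [
        "19:59:46.078011 IP 10.7.0.5.58993 > 203.0.113.20.46331: tcp 0",
    ],
}

if __name__ == "__main__":
    hits = find_asymmetric_replies(SAMPLE, 58993, ["vpn", "wan"])
    for (ip, port), (came_in, went_out) in hits.items():
        print(f"{ip}:{port} arrived on {came_in}, replies seen on {went_out}")
```

Feed it the output of one capture per uplink interface taken over the same time window; a flow that shows no reply on any uplink is not reported, since that points to a different problem (for example a filter rule dropping the reply).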



  • Attached are snippets of my setup. Outbound auto NAT seems to be working. Just seems to be port forward NAT.

    ![2017-09-20 15_41_47-Helm - Firewall_ NAT_ Port Forward.png](/public/imported_attachments/1/2017-09-20 15_41_47-Helm - Firewall_ NAT_ Port Forward.png)
    ![2017-09-20 15_08_05-Helm - Firewall_ NAT_ Outbound.png](/public/imported_attachments/1/2017-09-20 15_08_05-Helm - Firewall_ NAT_ Outbound.png)
    ![2017-09-20 15_09_44-Helm - System_ Routing_ Gateways.png](/public/imported_attachments/1/2017-09-20 15_09_44-Helm - System_ Routing_ Gateways.png)
    ![2017-09-20 15_10_07-Helm - Firewall_ Rules_ PIADOWNLINKS.png](/public/imported_attachments/1/2017-09-20 15_10_07-Helm - Firewall_ Rules_ PIADOWNLINKS.png)
    ![2017-09-20 15_12_35-Helm - Interfaces_ Interface Assignments.png](/public/imported_attachments/1/2017-09-20 15_12_35-Helm - Interfaces_ Interface Assignments.png)