NAT Port forward routed out through the wrong interface
-
Hi guys,
I have re-written my rules a couple of times and keep hitting the same wall (no pun intended). I set up a port forward from my VPN connection(s) and it returns the traffic through my WAN interface.
So what is happening in short is this:
internet -> VPN -> firewall -> host -> firewall -> WAN
rather than:
internet -> VPN -> firewall -> host -> firewall -> VPN
I have attached a copy of my rules to spare you the agony of my setup described in English.
That said, I did read a few posts and I think I got the basics by creating a NAT forwarding rule and have pfSense create the VPN rule.
I have a bit of experience with Linux iptables but am completely confused about the flow of pfSense. tcpdump could only confirm that the traffic was routed back out to my WAN, but I cannot figure out what I am doing wrong.
Any pointers are welcome.
Thank you all.
ps: I'm seeing a lot of screenshots… if they are preferred, let me know and I'll adapt...
Attachment: rules.txt
-
What is at the remote end of the VPN tunnel, a single computer or a LAN of multiple machines? If it's multiple machines on a LAN that need access to the local end of the tunnel, you have to tell pfSense the route back to the LAN on the remote end with the iroute directive in the client-specific configuration in the OpenVPN server config. By default pfSense only knows how to reach the single connected OpenVPN client system; it won't know how to reach the remote LAN unless told explicitly how.
-
Hi kpa, thanks for taking the time.
The VPN is managed by AirVPN. I believe it's a single box. The port is open from the AirVPN web interface on their side. On my side, I did the port forwarding to a single box.
Let me know if you need more info.
-
Sorry, disregard my first reply. You seem to be using the VPN as a second WAN connection, is that right? Is the VPN set up as the default gateway when it's up?
-
What I am trying to do (keeping in mind I am no network guru), is have some kind of privacy at home.
So, I got AirVPN, set up all three VPN connections for redundancy and set them up as separate WAN connections to route my traffic away from my provider and encrypt it on the way. Setting the VPN as the default gateway was an attempt to see if that would force the traffic out through a VPN connection and solve my problem. It was also to make sure all traffic, by default, went through the VPN.
It's close to 2 AM so I'm signing out, but thanks for your help. I'd love to know what I'm doing wrong. The firewall is still extremely basic and already I'm asking for help… :\
Thanks again.
-
You do need the default gateway set to the VPN connection; otherwise you would have to handpick traffic for the VPN by what is known as "policy routing", and that's an advanced concept and probably not what you want to do. I'd guess what you're also missing is outbound NAT for the VPN connection. This tutorial should be suitable for your case, although it was written for a different VPN provider:
-
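Added illustration, not from the original thread and not copied from pfSense's generated ruleset: the three pf rules that the advice above amounts to (outbound NAT on the VPN interface, the port forward, and its pass rule), written in the pf syntax pfSense compiles its GUI rules into. It also shows the reply-to keyword, which is the mechanism that keeps the return half of a forwarded connection on the interface it arrived on instead of following the routing table out WAN. Interface names, addresses and the port are assumptions chosen for the example.

```pf
# Added example in pf syntax; hypothetical names and addresses:
#   ovpnc1       = the assigned AirVPN OpenVPN client interface
#   10.4.0.1     = the tunnel gateway pushed to the client
#   em0          = WAN; 192.168.1.0/24 = LAN; 192.168.1.50 = forwarded-to host
#   tcp/12345    = the port opened on the AirVPN side

# 1. Outbound NAT on the VPN interface. LAN hosts leave the tunnel with the
#    tunnel address, so the far end has a route back. Without this, packets
#    leaving ovpnc1 still carry a 192.168.1.x source.
nat on ovpnc1 from 192.168.1.0/24 to any -> (ovpnc1)

# 2. The port forward itself (pfSense: Firewall > NAT > Port Forward, with the
#    interface set to the assigned VPN interface, not WAN).
rdr on ovpnc1 proto tcp from any to (ovpnc1) port 12345 -> 192.168.1.50 port 12345

# 3. The associated pass rule. reply-to pins the reply direction of every state
#    this rule creates to ovpnc1 via 10.4.0.1, whatever the default route is.
#    pfSense adds reply-to on its own to rules on an interface that has a
#    gateway; an OpenVPN client assigned as an interface gets one. Without it
#    the reply is routed normally, i.e. out em0, which is the symptom above.
pass in quick on ovpnc1 reply-to (ovpnc1 10.4.0.1) proto tcp from any to 192.168.1.50 port 12345 keep state
```

One pfSense-specific check that follows from rule 3: the firewall rule associated with the port forward has to sit on the assigned VPN interface's own tab (the OPTx interface created when the OpenVPN client was assigned), not on the generic OpenVPN tab. Rules on the OpenVPN tab are not given reply-to, so a connection matched there has its replies sent along the default route. With the rule on the assigned interface, tcpdump on ovpnc1 should show both directions of the forwarded connection.
-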
I'll read the tutorial and if all fails, start from scratch and make sure each rule works before moving to the next…
Thanks a lot for your help.
-