A bug or a newb? NAT Port forwarding issue



  • Just kidding!

    I have a problem and I have no idea what rule I am missing to get it to work. I am using the latest version of pfSense nano.

    My setup is simple. I have a WAN, I have a VPN and I have a static DHCP for my host. I punched a hole on the VPN so that I could forward a port to my host on my LAN. I then went ahead and made a port forwarding NAT/RULE.

    The problem I am having is this:

    When my default gateway is the WAN interface, any traffic that comes in from the VPN to my host is then sent back through the WAN.

    Now, if I change the default gateway to be the VPN, all is peachy.

    Is this normal behaviour and if so, what am I missing to keep the WAN as the DG but still be able to port forward from the VPN?

    Many thanks!

    This is a followup of this post: https://forum.pfsense.org/index.php?topic=120661.0


  • Netgate

    Assign an interface to your OpenVPN instance so connections coming in from the VPN get set with reply-to.

    Then make sure the incoming connections are not being passed by rules on the OpenVPN tab but by rules on the OpenVPN assigned interface tab.

    Traffic is matched first for interface groups (like the OpenVPN tab) and then for specific interfaces (Assigned interface).

    Traffic passed by group tabs do not get reply-to so reply traffic will go out the default gateway instead.



  • Hi,

    Thank you for your advice. I'm adding a few screen shots because I believe the setup you describe is what I already have setup. Feel free to let me know if I got it all wrong. ;)

    Let me know what you think.







  • Netgate

    What rules are on the OpenVPN Tab?



  • That's just me attempting to setup a VPN Server through the WAN rather than the "VPN Client" we are talking about.

    Do you think it is at fault? I've attached a screen shot of the rule. That is the only rule I have for it as of now.





  • Netgate

    Like I said in my first response, the rules on the OpenVPN tab cannot match the traffic you want to pass. That rule matches everything. Disable or delete it.



  • You well your crown well!

    Thank you for your time. It's a great forum and you guys show a lot of patience with us newbs… who knew, it wasn't a bug after all! ;)


  • Netgate

    You do not need a gateway on this rule either:

    Kind of surprised it's working that way.



  • Now I have a couple more questions but they stay related to the topic so I hope you won't mind.

    1. If I should not hardcode the GW (which I did during a test and clearly forgot to remove), should I set it back to '*' which points to default which is the WAN interface?

    2. If traffic comes in on Interface AVPN_NL, am I wrong in thinking the outgoing rule should be in Firewall > Rules > AVLN_NL? What is "Open_VPN" if not an interface? I am confused.


  • Netgate

    @eco:

    Now I have a couple more questions but they stay related to the topic so I hope you won't mind.

    1. If I should not hardcode the GW (which I did during a test and clearly forgot to remove), should I set it back to '*' which points to default which is the WAN interface?

    Actually setting the gateway to "default" means use the routing table. There is a route for your destination on LAN so that is where the traffic will go. If there is no route in the firewall for the destination, the default gateway is used.

    1. If traffic comes in on Interface AVPN_NL, am I wrong in thinking the outgoing rule should be in Firewall > Rules > AVLN_NL? What is "Open_VPN" if not an interface? I am confused.

    The OpenVPN tab is an interface group. It sees traffic coming in from all openvpn instances. All clients and all servers. Rules there govern what connections FROM those other sites are allowed into the firewall.

    Rules on assigned interfaces govern what connections are allowed IN from the other side of that specific OpenVPN instance.

    When traffic comes in it first goes through Floating Rules, then interface group rules, then interface rules.

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order



  • Cristal clear!

    Thank you very much for the time you took to resolve my problem and point me to the proper documentation.