Netgate Discussion Forum

    A bug or a newb? NAT Port forwarding issue

    11 Posts 2 Posters 1.8k Views
    • eco

      Just kidding!

      I have a problem and I have no idea what rule I am missing to get it to work. I am using the latest version of pfSense nano.

      My setup is simple. I have a WAN, I have a VPN and I have a static DHCP for my host. I punched a hole on the VPN so that I could forward a port to my host on my LAN. I then went ahead and made a port forwarding NAT/RULE.

      The problem I am having is this:

      When my default gateway is the WAN interface, any traffic that comes in from the VPN to my host is then sent back through the WAN.

      Now, if I change the default gateway to be the VPN, all is peachy.

      Is this normal behaviour and if so, what am I missing to keep the WAN as the DG but still be able to port forward from the VPN?

      Many thanks!

      This is a followup of this post: https://forum.pfsense.org/index.php?topic=120661.0

      2.4.3-RELEASE (amd64)
      built on Mon Mar 26 18:02:04 CDT 2018
      FreeBSD 11.1-RELEASE-p7

      • Derelict LAYER 8 Netgate

        Assign an interface to your OpenVPN instance so connections coming in from the VPN get set with reply-to.

        Then make sure the incoming connections are not being passed by rules on the OpenVPN tab but by rules on the OpenVPN assigned interface tab.

        Traffic is matched first for interface groups (like the OpenVPN tab) and then for specific interfaces (Assigned interface).

        Traffic passed by group tabs does not get reply-to, so reply traffic will go out the default gateway instead.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • eco

          Hi,

          Thank you for your advice. I'm adding a few screen shots because I believe the setup you describe is what I already have setup. Feel free to let me know if I got it all wrong. ;)

          Let me know what you think.

          [Attached screenshots: screenshot.png, screenshot-1.png, screenshot-2.png]

          • Derelict LAYER 8 Netgate

            What rules are on the OpenVPN Tab?

            • eco

              That's just me attempting to setup a VPN Server through the WAN rather than the "VPN Client" we are talking about.

              Do you think it is at fault? I've attached a screen shot of the rule. That is the only rule I have for it as of now.

              [Attached screenshots: screenshot-3.png, screenshot-4.png]

              • Derelict LAYER 8 Netgate

                Like I said in my first response, the rules on the OpenVPN tab cannot match the traffic you want to pass. That rule matches everything. Disable or delete it.

                • eco

                  You wear your crown well!

                  Thank you for your time. It's a great forum and you guys show a lot of patience with us newbs… who knew, it wasn't a bug after all! ;)

                  • Derelict LAYER 8 Netgate

                    You do not need a gateway on this rule either:

                    Kind of surprised it's working that way.

                    • eco

                      Now I have a couple more questions but they stay related to the topic so I hope you won't mind.

                      1. If I should not hardcode the GW (which I did during a test and clearly forgot to remove), should I set it back to '*' which points to default which is the WAN interface?

                      2. If traffic comes in on Interface AVPN_NL, am I wrong in thinking the outgoing rule should be in Firewall > Rules > AVLN_NL? What is "Open_VPN" if not an interface? I am confused.

                      • Derelict LAYER 8 Netgate

                        @eco:

                        Now I have a couple more questions but they stay related to the topic so I hope you won't mind.

                        1. If I should not hardcode the GW (which I did during a test and clearly forgot to remove), should I set it back to '*' which points to default which is the WAN interface?

                        Actually setting the gateway to "default" means use the routing table. There is a route for your destination on LAN so that is where the traffic will go. If there is no route in the firewall for the destination, the default gateway is used.

                        2. If traffic comes in on Interface AVPN_NL, am I wrong in thinking the outgoing rule should be in Firewall > Rules > AVLN_NL? What is "Open_VPN" if not an interface? I am confused.

                        The OpenVPN tab is an interface group. It sees traffic coming in from all openvpn instances. All clients and all servers. Rules there govern what connections FROM those other sites are allowed into the firewall.

                        Rules on assigned interfaces govern what connections are allowed IN from the other side of that specific OpenVPN instance.

                        When traffic comes in it first goes through Floating Rules, then interface group rules, then interface rules.

                        https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

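                        As an added illustration (hand-written here, not the thread's screenshots and not pfSense's generated ruleset), a simplified pf ruleset laid out in the order Derelict describes in his first reply and in the reply above: floating, then the OpenVPN interface group, then the assigned interface. The interface name ovpnc1, the VPN peer address 10.8.0.1, the LAN host 192.168.1.10 and port 8080 are assumed values.

```pf
# Constructed example, not pfSense output. Assumed: ovpnc1 is the OpenVPN
# client instance assigned as AVPN_NL, 10.8.0.1 is the VPN peer used as the
# interface gateway, 192.168.1.10:8080 is the LAN host behind the forward.
AVPN_NL = "ovpnc1"

# Interface group membership is set outside pf.conf, e.g.
#   ifconfig ovpnc1 group openvpn
# so "on openvpn" matches every OpenVPN instance (clients and servers),
# which is what the OpenVPN tab in the GUI represents.

# Translation (the port forward). pf requires rdr rules before filter rules.
rdr on $AVPN_NL inet proto tcp from any to (ovpnc1) port 8080 -> 192.168.1.10 port 8080

# 1. Floating rules would be evaluated first (none in this example).

# 2. Interface-group rules (OpenVPN tab). pfSense rules are "quick", so a
#    match-all pass here wins before the assigned-interface rules below are
#    ever reached. It carries no reply-to, so the state it creates sends
#    replies via the routing table, i.e. out the default gateway (WAN).
#    This is the rule the thread disables.
# pass in quick on openvpn inet from any to any keep state

# 3. Assigned-interface rules (AVPN_NL tab). On an assigned interface that
#    has a gateway, pfSense attaches reply-to, so replies for states created
#    by this rule leave through ovpnc1 toward the VPN peer regardless of the
#    default gateway. No explicit gateway is needed on the rule itself:
#    the destination is on LAN and the routing table already covers it.
pass in quick on $AVPN_NL reply-to ( ovpnc1 10.8.0.1 ) inet proto tcp from any to 192.168.1.10 port 8080 keep state

# Check on the firewall (Diagnostics > Command Prompt or a shell):
#   pfctl -sr | grep 8080
# The active rule for the forwarded port should show "reply-to"; if it
# is the group rule without it, the OpenVPN tab is still matching first.
```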
                        • eco

                          Crystal clear!

                          Thank you very much for the time you took to resolve my problem and point me to the proper documentation.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.