Routing traffic through OpenVPN tunnel



  • DISCLAIMER: I'm a n00b to pfSense

    I have an NVR at a remote site on 192.168.3.0/24. My pfSense is on the 192.168.11.0/24 network. I was able to configure a static-key site-to-site VPN and am able to see devices on both sides within the network.

    I have an NVR on the remote side listening on 8000, 8088 etc.

    I tried to set up a port forward in Firewall Rules to route all traffic on WAN (192.168.11.0 side) with port 8000 to the remote side 192.1658.3.100. Not sure if this is the right way to do it, but obviously it doesn't work.

    Any ideas as to how this can be made to work?

    I did a dirty Paint Shop pic of what I want to do.

    I had this setup on my router using tinc and iptables (here's a sample):

    # accept inbound traffic destined for the NVR port
    iptables -A wanin -d 192.168.3.100/32 -p tcp -m tcp --dport 8000 -j ACCEPT
    # DNAT: rewrite WAN port 8000 to the NVR on the far side of the tunnel
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.3.100:8000
    # SNAT: rewrite the source on the tinc interface so the NVR replies back through the tunnel
    iptables -t nat -A POSTROUTING -d 192.168.3.100/32 -p tcp -m tcp --dport 8000 -o tinc -j SNAT --to 192.168.11.1

    How do I configure this in pfSense?




  • What you're missing here is an outbound NAT rule (SNAT, the last one of the iptables rules).

    You have to set this in Firewall > NAT > Outbound.
    The rule generation mode has to be set to automatic or hybrid and saved. Then add a new rule with interface=OpenVPN, destination=192.168.3.0/24, translation=interface address.



  • Thanks.

    Do I still have to specify any port forward rules?

    I want to forward www.foo.com:8088 to 192.168.3.100:8088



  • Yes, the port forwarding is DNAT.
    You need a rule for any port or any port range you want to forward to the other site.

    However, you don't need additional outbound NAT rules for other port forwardings.
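    Pulling the two answers above together, the following is an added example (not from this thread or the pfSense project) of the pf ruleset that the port forward (DNAT) plus the outbound NAT rule (SNAT) roughly correspond to on the 192.168.11 pfSense box; the interface names em0 (WAN) and ovpns1 (OpenVPN server) are assumptions.

```pf
# Added example: pf rules approximating what the pfSense GUI generates for
# the port forward + outbound NAT combination. Interface names are assumed.
wan_if  = "em0"               # assumed WAN interface
ovpn_if = "ovpns1"            # assumed OpenVPN server interface
nvr     = "192.168.3.50"      # NVR at the remote site, as given in the thread
remote  = "192.168.3.0/24"    # remote LAN reached through the tunnel

# 1. Port forward (Firewall > NAT > Port Forward): DNAT of TCP 8088 arriving
#    on the WAN address to the NVR across the tunnel. The destination is the
#    WAN address, not "any".
rdr on $wan_if proto tcp from any to ($wan_if) port 8088 -> $nvr port 8088

# 2. Outbound NAT (Firewall > NAT > Outbound, hybrid mode): SNAT everything
#    leaving through the OpenVPN interface towards the remote LAN to the
#    tunnel interface address. The NVR then sees a source inside the tunnel
#    and sends its replies back through the tunnel rather than out its own
#    default gateway. One such rule covers every port forward to $remote.
nat on $ovpn_if from any to $remote -> ($ovpn_if)

# 3. Firewall rule on the WAN tab: pf filters after rdr has rewritten the
#    destination, so the pass rule matches the NVR address, not the WAN one.
pass in quick on $wan_if proto tcp from any to $nvr port 8088 keep state
```

    A second forwarded port only needs another rdr line and matching pass rule; the single nat line stays as it is.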



  • Sorry, I'm really new to this, so please let me know if this is OK.

    I've attached screenshots. With this, accessing www.foo.com:8088 doesn't work.

    1. Set up outbound NAT on OpenVPN
    2. Set up a port forward for 8088 to go to the 192.168.3.50 IP
    3. Set up a firewall rule

  • In the port forwarding rule the destination is any. I've never set up a rule with this. Try WAN address instead.



  • Tried, but no luck. Thanks anyway.


  • LAYER 8 Netgate

    You need an OpenVPN assigned interface at the 192.168.3 side.

    Then you need to make sure the rules passing traffic into that firewall do not match on the OpenVPN tab but instead match on the assigned interface tab.

    That will give you the reply-to functionality that will prevent reply traffic from being sent out the default gateway at that end, instead routing it back through the OpenVPN tunnel.

    https://forum.pfsense.org/index.php?topic=82732.msg453269#msg453269



  • For a n00b like me, this is a bit complicated. Sorry about that.

    I have a Tomato Shibby running on the 192.168.3.0 side.

    Can you please help me and explain what you mean by "You need an OpenVPN assigned interface at the 192.168.3 side"?

    I will however go through your link. I guess you are assuming that I have another pfSense on the other end too?

    PS: I earlier had this entire setup working with two Tomato Shibbys on either end, connected over tinc. All I had to do was add some iptables rules into tinc and it worked great. These are the iptables rules I had:

    # accept inbound traffic destined for the NVR port
    iptables -A wanin -d 192.168.3.50/32 -p tcp -m tcp --dport 8088 -j ACCEPT
    # DNAT: rewrite WAN port 8088 to the NVR on the far side of the tunnel
    iptables -t nat -A WANPREROUTING -p tcp -m tcp --dport 8088 -j DNAT --to-destination 192.168.3.50:8088
    # SNAT: rewrite the source on the tinc interface so the NVR replies back through the tunnel
    iptables -t nat -A POSTROUTING -d 192.168.3.50/32 -p tcp -m tcp --dport 8088 -o tinc -j SNAT --to 192.168.11.1

    PS2: The 192.168.3.0 network is behind a double NAT. The ISP provides only a NATted IP, not a public one. So I set up an OpenVPN site-to-site tunnel with the server running on the pfSense with the public IP at home and the OpenVPN client connecting to it.


  • LAYER 8 Netgate

    Pointed you to a recipe in that other post for exactly what you want to do. Not really interested in what worked in iptables since that is pretty much irrelevant in pfSense.

    If tomato worked for you why not just run that?



  • I could go back to Tomato but wanted to have a more secure setup on one end.

    Thank you for your help anyway. I was looking for a more step-by-step idea.

    I mentioned iptables just as a reference.

