Route only certain port traffic via Site-Site OpenVPN



  • I have a scenario that needs some help.

    A Site-to-Site VPN has been established in the lab.

    Site A -> 10.10.0.1/24
    Site B -> 172.16.0.1/24

    Site B has a public IP of, let's say, 99.99.99.99.

    We want only port 25 (mail) traffic from Site A (10.10.0.15) to be passed through to Site B using 99.99.99.99.

    Incoming port 25 traffic on Site B public shall redirect to Site A 10.10.0.15.

    What is the best way for this implementation?


  • Rebel Alliance Global Moderator

    Huh??

    So you have some email server in site A.. 10.10.0.15.. And you want to send over the internet to the site B public IP just to get sent back to itself?

    At a complete loss as to what you're wanting to accomplish here..


  • Rebel Alliance Developer Netgate

    So you have an Internet connection at site B and you want to port forward 99.99.99.99:25 to 10.10.0.15 (and vice versa).

    There are a few things you need to do in order to make something like that work.

    1. Assign the OpenVPN interface on both sides (assign it, enable w/IP types = none, give it a name, save/apply, edit/save VPN)
    2. Move the OpenVPN firewall rules from the OpenVPN tab to the tab for the assigned interface(s) for the VPN(s). If you have multiple/other VPNs, change the OpenVPN tab rules so they cannot match this traffic. If there were no OpenVPN rules, add rules to the assigned interface tab(s).
    3. Set up the port forward on Site B as usual, with the 10.10.0.15 target
    4. On Site A, add a rule to match a source of 10.10.0.15 to a destination of any w/dst port 25, set gateway to be the OpenVPN gateway for the assigned interface



  • I feel more info is needed here such as what do you want to happen to the email once it hits the remote subnet?  What is the LAN subnet of Site B?  If you are trying to route smtp traffic from Site A over the vpn tunnel to Site B and out Site B's WAN for reverse dns purposes or something then you will need routes in the firewall at Site B as well as some static return routes in Site A's firewall.  That will get complicated.  BUT.. If you are just trying to route mail to a relay that sits in Site B then see below.  Let's say Site B's subnet is 192.168.1.0/24

    You need a Policy Rule (aka policy route)

    All you need to do is assign an interface to your openvpn server in Site A.  In my example it is OPT2.  Then go to System/Routing/Gateways and create a new gateway and select the interface you assigned to OpenVPN. Leave it as dynamic. Name it OpenVPN (or whatever you want). IMPORTANT: expand advanced options and tick the box for the use non-local gateway option.  Then go to Firewall/Rules/LAN. Create a TOP level rule above your default LAN-to-any rule or any other rules you have.  Set it to TCP protocol, LAN net port 25 as the source, destination to the LAN SUBNET or the IP of the relay you are routing to, and select the gateway you created as the gateway.  This of course hinges on the fact that you should already have a route from 10.10.0.0/24 to 192.168.1.0/24 using the OpenVPN gateway address of 172.16.0.1. See the attached screenshot for what the rule would look like after you create it.

    As long as your site to site tunnel is proper you should see a route in your Site A firewall under Diagnostics/Routes that looks like this:

    Destination       Gateway       Flags   Use       Mtu    Netif    Expire
    192.168.1.0/24    172.16.0.1    UGS     9182747   1500   ovpns1




  • Thank you guys.

    So here is the issue.

    Just to recap:
    Site A -> 10.10.0.1/24    /    OPTVPN 172.16.0.1
    Site B -> 172.16.0.1/24 / OPTVPN (Client) 172.16.0.2 / External IP 99.99.99.99
    (NO LAN ON SITE B. STRICT FIREWALL/GW)

    I need Site A SMTP (port 25) traffic to be routed through the external IP of 99.99.99.99
    10.10.0.15 -> VPN -> 99.99.99.99 -> Internet

    I have Site-to-Site with site A being the server and site B client as listed above.

    I have no problem routing inbound internet traffic -> 99.99.99.99:SMTP to 10.10.0.15

    But I am having an issue going from 10.10.0.15:SMTP -> Internet via 99.99.99.99

    Under LAN of Site A. I tried setting rule: SRC * DST * DSTPort 25 GW OPTVPN
    and also SRC Port 25 DST * DSTPort * GW OPTVPN

    Doesn't seem to be routing out properly.

    Please help me out here.


  • Netgate

    Under LAN of Site A. I tried setting rule: SRC * DST * DSTPort 25 GW OPTVPN

    That looks reasonable.

    and also SRC Port 25 DST * DSTPort * GW OPTVPN

    Setting a source port is almost never right, and is certainly not right in this case.

    I have no problem routing inbound internet traffic -> 99.99.99.99:SMTP to 10.10.0.15

    So if that is the case, you want to check:
    1. The rules on the OpenVPN tab/interface at Site B, to be sure the traffic is allowed from Site A (10.10.0.15) to any.
    2. That you have outbound NAT in place on WAN at Site B for the 10.10.0.15 source address. That is also where you would specify 99.99.99.99 as the source address if there is more than one choice.
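    As an added illustration (not from the thread, and not rules Netgate or pfSense ship), here is what the policy route from the developer's steps and the NAT checks above come out to in pf.conf terms for both sites. The NIC names em0/em1 are assumptions; the tunnel endpoints 172.16.0.1 (Site A) / 172.16.0.2 (Site B) are taken from the recap. pfSense generates its own rules from the GUI, so this is for comparison, not for pasting into a live box.

```pf
# Two separate pf.conf fragments shown together (one per firewall).
# Translation (nat/rdr) lines must precede filter (pass) lines within each file.
mail_host = "10.10.0.15"

# ---------- Site A: OpenVPN server, tunnel 172.16.0.1 local / 172.16.0.2 remote ----------
lan_if = "em1"         # assumption: LAN NIC
vpn_if = "ovpns1"      # server instance, assigned in the GUI as OPTVPN
vpn_gw = "172.16.0.2"  # far end of the tunnel = the OPTVPN gateway address

# Policy route: only SMTP *from* the mail host is sent into the tunnel.
# The match is on the destination port, exactly like the "SRC * DST * DSTPort 25" rule.
pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet proto tcp \
    from $mail_host to any port 25 flags S/SA keep state

# Not this (the thread's second attempt): an outbound SMTP client uses an ephemeral
# source port, so a rule keyed on source port 25 never matches and nothing is routed.
# pass in quick on $lan_if route-to ($vpn_if $vpn_gw) inet proto tcp \
#     from $mail_host port 25 to any flags S/SA keep state

# Everything else from LAN follows the normal routing table (the default LAN-to-any rule).
pass in quick on $lan_if inet from $lan_if:network to any keep state

# ---------- Site B: OpenVPN client, no LAN, WAN address 99.99.99.99 ----------
wan_if  = "em0"        # assumption: WAN NIC
vpn_cli = "ovpnc1"     # client instance, assigned in the GUI as OPTVPN
wan_ip  = "99.99.99.99"

# Outbound NAT (check 2): SMTP arriving from the mail host over the tunnel leaves WAN as 99.99.99.99.
nat on $wan_if inet from $mail_host to any -> $wan_ip

# Port forward (step 3): inbound SMTP on the public address goes back over the tunnel to the mail host.
rdr on $wan_if inet proto tcp from any to $wan_ip port 25 -> $mail_host port 25

# Filter side: allow the mail host in from the tunnel (check 1) and allow the forwarded SMTP in on WAN.
pass in quick on $vpn_cli inet from $mail_host to any keep state
pass in quick on $wan_if inet proto tcp from any to $mail_host port 25 flags S/SA keep state
```

    On a pfSense box the generated equivalents can be compared with `pfctl -sr` (filter rules) and `pfctl -sn` (nat/rdr rules); if the route-to rule is missing on Site A, the LAN rule was saved without the gateway selected.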