Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Route OpenVPN Traffic to specific port

    Scheduled Pinned Locked Moved OpenVPN
    6 Posts 2 Posters 1.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      spm002
      last edited by

      Good evening, I have a little issue that I was wondering if anyone knew how to do.
      currently have a OpenVPN setup and everything routes through the IP 10.0.0.0/24
      I currently would like to know if its possible to forward port ranges and how would I go about doing that?
      For example id like to forward all source  Traffic on ports 4000-500  on the OpenVPN tunnel of 10.0.0.0/24 to get sent to lets say port 50 for example. Is there any way to do this?
      As i know with traditional port forwarding you can only port forward individual ports at a time, and it would not be logical to forward 1000 individual ports.

      Is there any way I could simply have a rule to catch all source traffic on the OpenVPN tunnel from ports 500-600 and forward them so it comes out at source port 50 instead. As I currently have a service that randomizes ports on connection and ranges from 500-600, so id like those ports to forward to port 50 for simplicity.
      I know its possible, Im just not too sure how to do it

      Any help is greatly appreciated, Thank You!

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        "so it comes out at source port 50 instead"

        What??  You do understand that source port is almost always "random" well not so much random but an ephemeral port above 1024..  If you change all the connections source port to 50, how exactly would anything talk back to it?

        With NAPT this source port is almost always changed even from what the application used..

        So for example talking to a website on port 80, you would see computerIP:5002 –-> siteIP:80

        When this goes through a nat that 5002 would be something different... See attached state table example from pfsense.
        So this device at 192.168.2.232:61080 is talking to outside public IP on 443 (https) its source port is the 61080, when pfsense natted that to the public IP the source port of pfsense connection from the public IP 24.13.x.x got changed to 36413..

        Your going to have to give some more details of what your issue is.. Because how stated makes zero sense sorry.

        connectionthrunapt.png
        connectionthrunapt.png_thumb

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        1 Reply Last reply Reply Quote 0
        • S
          spm002
          last edited by

          Hi there, hopefully I could clear this up a little bit.
          The way my service is set up is I have pfsense behind a network firewall from my hosting Provider, which only allows 10 custom firewall rules once the network firewall is activated.

          The service I am currently running through Pfsense uses random ports, lets say port 1000-2000 so when it goes through the WAN of lets say 92.60.118.xxx it would come out of the Random ports of that WAN. Which is blocked, (as only 10 custom rules can be passed)
          which is why I wanted to have a specific port that all of the internal traffic on port ranges 1000-2000 per say would all go through the WAN on one specific port - As my hosting provider do not allow port ranges on the network firewall, so it all gets blocked on exit anyways. Which is why I have to forward all traffic on those port ranges from pfsense traffic so it can come out of 1 port on the WAN side. That way all my traffic from those ports can come out of a specific port, and I can allow that one port on my network firewall side, since all the outgoing traffic will be forwarded to it.

          Hopefully this clears things up a bit.
          Apologies about the confusion.

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            So your saying your hosting provider only allows 10 sessions?  What kind of crappy provider would that be???  That would be utterly moronic - nobody in their right mind would agree to such a thing..  Or be willing topay for such a system.

            I think you are confusing what they allow INBOUND…  To you..  And what you create outbound to the internet.

            internet -- provider firewall ---- pfsense --- behind pfsense

            So while they might limit to to 10 inbound ports to be forwarded to pfsense.  That they would limit the number of sessions (ie ports) that pfsense could create outbound to the internet would be asinine!!

            So when inbound traffic from the internet hits their firewall to say port 443.. You have no idea what the source port could be.. That they would restrict what those could be would make inbound traffic to you almost impossible.  Since you have no idea what the source port would be inbound to you from internet other than something 1024 or higher to the 65535 limit..

            So when something behind pfsense wants to go to say www.pfsense.org on 80.. it would be from a source port behindPFsIP:Port ----> www.pfsense.org:80, pfsense natting (napt - network address port translation) would change the source port to something else as in my example.  Now its quite possible they could change that again as the traffic leaves their firewall to the internet (if they are natting)..  But that they would limit your outbound from pfsense to the internet to 10 ports that you have to specify would just be an utterly useless system.  Since you would never be able to have more than sessions.  And you can not really control what port say a browser would use to make the connection..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            1 Reply Last reply Reply Quote 0
            • S
              spm002
              last edited by

              Hi there. So you say the best thing In order to complete this task would be for setting up the NAT in order to forward the Ports. So Im guessing it would not be a pfsense firewall rule, But a NAT rule in the Outbound  tab to route the traffic towards the specific port using NAT? Ill try that now and see if any luck.
              Thanks.

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                Dude your NOT going to change the SOURCE ports of traffic to the same thing.. It DOESN"T WORK THAT WAY!!!

                You are completely misunderstanding what they are doing with their 10 port, or your explaining it WRONG!!

                If you have some application that randomly listens on some port between 1000 and 2000?  And the firewall in front of you will only forward 10 ports then your screwed.. Never going to work..

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.