Raspberry Pi and pfsense behind vpn, block everthing.

Djinn1 · Oct 2, 2017, 6:32 PM

Hi,

I try to explain my problem as good I can.

I have Pfsense installed in my home and all traffic goes thru the vpn.

I have a raspberry pi installed in my house that connected to same network. I have installed noip and have made a dns for it.

I don´t know how to connect to my raspberry pi from outside the house. The port used for the pi is 80 and I can´t connect to my dns because everything outside the house is blocked.

I want to open my port to the raspberry pi local IP ex 192.168.2.220 so I can motitor the pi outside the house.

I have struggled a lot to make this work and can´t find a solution.

I really appreciate for any help I can get.

johnpoz · Oct 2, 2017, 6:55 PM

This is a simple port forward.

https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

Djinn1 · Oct 2, 2017, 7:19 PM

Hi,

I m not getting it to work.

My setup is like this.

I have WAN, LAN1, LAN2,LAN3, VPN

My raspberry is connected to LAN2.

Everything is traffic through VPN.

How would a setup look like in port forward?

johnpoz · Oct 2, 2017, 7:33 PM

you want to port forward through your vpn public IP? If so then you need your vpn to support port forwarding.

Doesn't matter if you have just lan or a 100 networks behind pfsense - port forwarding is the same. And literally takes all of 30 seconds to do.. If its not working then your doing something wrong. Or the traffic is not even getting to pfsense. I would suggest you show what you have done and walk through the troubleshooting doc to find your mistake.

https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

If you post up what you did, I would can take a look to see if I spot your mistake. Common mistakes are pfsense is behind a NAT and or traffic is blocked even to pfsense. Ie port 80 for example many an ISP block that inbound. There is firewall running on host your trying to forward too, or not even listening on the port your sending to, etc.

All of which is gone over in the doc.

Djinn1 · Oct 2, 2017, 7:55 PM

Hi,

Yes iam trying to port forward through vpn public ip because thats only IP that's public. Everything goes through that.

I have checked my vpn provider does not block any port.

I have added a pictures how the setup is in port forward.

The unifi net is where my raspberry is connected to

johnpoz · Oct 2, 2017, 8:40 PM

"because thats only IP that's public. Everything goes through that."

No not really.. Not unsolicited inbound traffic unless you have setup port forwarding at your vpn, and then most likely 80 not going to be allowed.

What vpn service are you using, and you setup port forwarding in your account with them?

Djinn1 · Oct 3, 2017, 3:09 AM

I mean its setup like that got some help before. My Vpn provider does not block port 80? I have Azirevpn

johnpoz · Oct 3, 2017, 10:16 AM

Where do they say this? Where is your setup that port 80 that is being hit at whatever public IP is your vpn exit point is being sent down the vpn tunnel to you?

https://www.azirevpn.com/support

I find it HIGHLY unlikely that any VPN would support inbound 80.. Just from the fact that they have multiple clients all using the same public IP.. So who would get 80? You do understand these such services the public IP is shared with other users of the vpn.. That really is the whole point of these things - to HIDE your ip, etc.

If you want to forward 80 inbound to your pi, I would suggest you just forward that on your normal wan ISP connected.. This is how it is normally done.. And takes all of 30 seconds to do..

Djinn1 · Oct 5, 2017, 6:37 PM

Hi,

Thx for all your help you where right. Its working know. My ISP had 2 different hostname one does block 80. Does that mean I have security risk if I do so?

Is this how it should look like for best option

johnpoz · Oct 5, 2017, 6:57 PM

Yes that would be how you would forward port 80 to something behind.

But to being best option, are you always going to access it from known locations? Or is this something for public consumption? If possible lock it down to source IP so only you can access it from where you need/want to access it from.

Better yet would be to vpn into your network to access it. Unless of course its going to be open for public - if open to the public, I would suggest you isolate the box from the rest of your network. So if it does get compromised it can not access anything else on your network.

Djinn1 · Oct 7, 2017, 1:17 AM

I want to access the raspberry from my phone and work computer from different locations but mostly office.

"I would suggest you isolate the box from the rest of your network. So if it does get compromised it can not access anything else on your network"

How?

johnpoz · Oct 7, 2017, 8:28 AM

Put it on its own vlan.. So if your wanting to access your network from your phone and work - why would you not just use a vpn? Why open up the pi to the public internet at all.

Djinn1 · Oct 9, 2017, 12:25 PM

Hi again,

Never done that. Should I use the vpn that I am paying for azirevpn or a personal vpn?

johnpoz · Oct 9, 2017, 12:28 PM

what? Just run vpn server on pfsense.. Takes all of 30 seconds to setup.

Djinn1 · Oct 13, 2017, 2:50 AM

ok, thx i will try that