Port Forward through OpenVPN



  • Hi guys, I've a problem with port forward on pfSense.
    See my network in the attached scheme.

    I have 2 LAN, Home (192.168.10.x) and Museum (192.168.11.x);

    In Home LAN I have pfsense box configured as OpenVPN Server (works perfectly);

    In Museum LAN there is a server that connects via OpenVPN (client) to Home LAN through net 10.10.0.x/24 (works perfectly). I can connect via SSH and all services from Home LAN to the Museum LAN server (static OpenVPN IP 10.10.0.204), and the reverse situation works great.

    Now I need to forward 1 service from the Museum LAN server to the Internet on port 24356 TCP, so I've set up a port forward and the related firewall rule in my Home LAN pfSense to forward all inbound traffic from port 24356 to the same port at IP 10.10.0.204 (Museum LAN server OpenVPN IP).

    But it doesn't work.

    I've flagged the option "Force all client generated traffic through the tunnel" in client specific overrides, and checked with traceroute: fully working, packets originated from the Museum LAN server go through the VPN tunnel, to the Home LAN gateway and on to the Internet without problems.

    I can't understand why the port forward rule doesn't work like the other rules for Home LAN services.

    Suggestions?

    Thanks

    ![MCS - Page 1.png](/public/imported_attachments/1/MCS - Page 1.png)



  • Have you already set an outbound NAT rule on the home firewall for packets coming from the server?



  • No, because the Museum server reaches the Internet through the VPN without problems.

    Now I tried with an outbound NAT rule:

    interface: oVPN
    protocol: TCP
    source: 10.10.0.0/24 24356 (oVPN Net)
    destination: Any 24356

    Translation
    Address: interface address
    port range: static port flagged

    But it doesn't work


  • LAYER 8 Netgate

    You shouldn't need a port forward since there is no NAT.

    Just tell the Museum host to connect to 10.10.0.204:24356



  • OK Solved!

    I've flagged the option "Force all client generated traffic through the tunnel" in client specific overrides, this time it worked perfectly!

    Thanks to all!!
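The thread settles on pushing the Museum server's default route through the tunnel, which fixes the return path: without it, the server answers Internet clients out of its own local gateway instead of back through the VPN, so the Home pfSense never sees the replies and the forwarded connection hangs. The fragment below is an added illustration of the two pieces involved, written in pf(4) syntax; it is not the ruleset pfSense generates from the GUI. The interface names (em0 for the Home WAN, ovpns1 for the OpenVPN server interface) and the server-side tunnel address 10.10.0.1 are assumptions, since the thread only gives the 10.10.0.x/24 range.

```pf
# Added example, not pfSense-generated rules. Assumed names: em0 = Home WAN,
# ovpns1 = OpenVPN server interface, 10.10.0.1 = server end of the tunnel.
ext_if = "em0"
vpn_if = "ovpns1"
vpn_gw = "10.10.0.1"
museum = "10.10.0.204"
svc    = "24356"

# 1. Port forward (the "NAT port forward" from the first post):
#    inbound TCP/24356 on WAN is redirected to the Museum server's tunnel address.
rdr on $ext_if inet proto tcp from any to ($ext_if) port $svc -> $museum port $svc

# Firewall rule letting the redirected traffic reach the server.
pass in quick on $ext_if inet proto tcp from any to $museum port $svc flags S/SA keep state

# 2a. Return path, as solved in the thread: no extra NAT. The client-specific
#     override pushes "redirect-gateway def1" to the Museum server, so its replies
#     to Internet addresses come back through ovpns1, match the state created
#     above, and are un-translated by the rdr rule on the way out.

# 2b. Alternative return path when the client keeps its own default route:
#     outbound NAT on the VPN interface rewrites the client's source to the
#     tunnel gateway, so the server always replies into the tunnel. Note the
#     direction: it must match traffic headed TO the server on port 24356, not
#     traffic leaving the OpenVPN subnet.
nat on $vpn_if inet proto tcp from any to $museum port $svc -> $vpn_gw
```

Only one of 2a and 2b is needed. The trade-off between them matters for monitoring: with 2b every forwarded connection reaches the Museum server with source 10.10.0.1, so its own logs no longer record the real client address and any per-source rate limiting or fail2ban-style blocking on that host stops working; 2a preserves the original source address at the cost of routing all of the server's outbound traffic via the Home site.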

