Cisco AnyConnect blocks port forwarding from tunnel to LAN over pfsense
-
Hello,
I have a pfsense as home router.
I work on the first PC, PC #1, which is connected to some VPN with Cisco AnyConnect, and I have enabled the "Allow LAN access" option. The LAN is 192.168.1.0/24.
The second, remote PC #2 is connected via OpenVPN to my pfsense router and is assigned a tunnel IP on 10.0.8.0/24
I have successfully forwarded some TCP and UDP ports from PC #1 over pfsense to PC #2. (Could not do otherwise, as AnyConnect on PC #1 blocks access to the tunnel network where PC #2 is.)
However, I have trouble routing a UDP port in the other direction, from PC #2 over pfsense to PC #1. I did everything according to the manual, enabled NAT reflection (https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html), etc.
The states debugging shows everything correctly, the forwarding works and I can receive data on PC #1 BUT ONLY UNTIL I connect to the Cisco AnyConnect VPN. As soon as I connect Cisco AnyConnect, I am unable to receive anything.
Interestingly, I can circumvent this apparent Cisco AnyConnect blockade if I forward the UDP traffic from pfsense to some third PC on the LAN and forward it from there back again to PC #1.
How does Cisco AnyConnect on PC #1 know that I am routing this traffic and that the original source is not on the LAN? Why does the additional routing over an auxiliary LAN PC work? Will it help if I change the IP of the pfsense router to something other than 192.168.1.1?
This is the States diagnostics screenshot from pfsense. It is the same with or without Cisco VPN connection:
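Added example, not from the poster: a small Python model of the three packet paths described above (direct port forward, forward via a third LAN PC, and forward with source NAT on the LAN interface), classified under an assumed "Allow LAN access" rule that only passes packets whose source and destination both lie in the local subnet. The PC #2 and third-PC addresses are constructed, and the filter rule is an assumption about the client, not Cisco's code.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")       # home LAN from the post
OVPN = ipaddress.ip_network("10.0.8.0/24")         # pfSense OpenVPN tunnel net
PFSENSE_LAN_IP = ipaddress.ip_address("192.168.1.1")
PC1 = ipaddress.ip_address("192.168.1.10")         # AnyConnect client (from the post)
PC2 = ipaddress.ip_address("10.0.8.2")             # constructed OpenVPN client address
PC3 = ipaddress.ip_address("192.168.1.20")         # constructed "third PC" on the LAN


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def local_lan_access_permits(pkt: Packet, lan=LAN) -> bool:
    """Assumed model of the client-side 'Allow LAN access' filter:
    only packets whose source AND destination are in the local subnet
    bypass the tunnel; anything else is treated as non-local."""
    return pkt.src in lan and pkt.dst in lan


def port_forward(pkt: Packet, rdr_to, nat_source=None) -> Packet:
    """pf-style rdr: rewrite the destination; optionally rewrite the
    source too (what an outbound NAT rule on the LAN interface, or a
    NATing third PC, would do)."""
    return Packet(nat_source or pkt.src, rdr_to, pkt.dport)


def scenarios() -> dict:
    """Return permit/deny for each forwarding path, keyed by name."""
    original = Packet(PC2, PFSENSE_LAN_IP, 5000)  # constructed UDP port 5000
    direct = port_forward(original, PC1)
    # assumption: the third PC rewrites the source to its own LAN address
    via_pc3 = port_forward(port_forward(original, PC3), PC1, nat_source=PC3)
    with_snat = port_forward(original, PC1, nat_source=PFSENSE_LAN_IP)
    return {
        "direct rdr": local_lan_access_permits(direct),
        "via third PC": local_lan_access_permits(via_pc3),
        "rdr + outbound NAT on LAN": local_lan_access_permits(with_snat),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28s} -> {'passes' if ok else 'dropped'}")
```

Under this model the direct forward keeps the 10.0.8.x source and is dropped, while both the third-PC hop and an outbound NAT rule on the LAN interface present a 192.168.1.x source and pass.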
-
Still no answers?
Is it possible to set up a Virtual IP on the LAN, which would replace the "third PC" in the OP, and forward ports from pfsense -> Virtual IP -> destination 192.168.1.10?
I tried this with "IP Alias" and "CARP Virtual IP" but port forwarding does not work.