Port forwarding with pfsense as openvpn client



  • Hi,

    I have the following setup: pfsense 2.4.4-RELEASE-p3 as an OpenVPN client (ExpressVPN), all traffic outside OPT1 (the ExpressVPN interface) is blocked, except traffic coming from 127.0.0.1; this setup works great and prevents traffic leaks.

    The problem I'm facing is that I fail to open and forward ports on OPT1. I am forwarding a port on OPT1 to a LAN address, with the corresponding firewall rule automatically created. The LAN machine has no active firewall. Yet, the port forwarding is not working and remote online port scanners report the port as closed.

    Does anybody know the correct way to forward a port in this scenario?

    Thank you,
    Danny



  • Port forward troubleshooting on pfSense (YouTube)

    https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html

    Post a screenshot of your NAT rule so we can see what you've done, and a description of exactly what you're trying to accomplish.



  • The network looks as follows: a pfsense pc connected directly to the ISP on one NIC and to the LAN on the other. In the LAN there is a Windows 10 machine (windows firewall turned off for the tests) running several apps requiring NAT. All outbound traffic from the LAN is routed through a permanent OpenVPN connection established from pfsense.

    What I need is to be able to forward the inbound ports for the local apps on the Windows 10 machine. All of them need to be able to accept connections from the outside over the OpenVPN connection (on the VPN's outbound IP). Prior to setting up the VPN, all but the monerod apps successfully used port forwarding over the WAN interface.

    Danny



  • I'm not sure it's going to work at all. How does your VPN provider know that when some Joe Rando from the Internet hits their endpoint asking for port 18080 that it should forward that traffic to you? A VPN is basically a double-NAT, so your provider would have to have a config in place to redirect that traffic specifically to you and not to any of their other connected clients.
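
    The double-NAT point in the reply above, as an added toy model that is not code from this thread or from pfSense: two NAT hops (the provider's exit, then pfSense's OPT1) each consult their own state table and static forwards, so an unsolicited packet from the Internet is dropped at the exit unless the provider itself has a forward for it, while replies to outbound flows pass because both hops hold state for them. All addresses, ports and the tunnel/exit IPs are constructed placeholders.

```python
# Added example, not code from the forum thread: a toy model of the double NAT
# described above. All addresses, ports and table contents are constructed.
from dataclasses import dataclass, field

@dataclass
class Nat:
    """One NAT hop: public IP, static forwards, and state created by outbound flows."""
    public_ip: str
    forwards: dict = field(default_factory=dict)  # public port -> (inner ip, inner port)
    state: dict = field(default_factory=dict)     # (peer ip, peer port, public port) -> inner
    def outbound(self, inner, peer, public_port):
        """Inner host opens a flow to peer; record the mapping so replies can return."""
        self.state[(peer[0], peer[1], public_port)] = inner
        return (self.public_ip, public_port)
    def inbound(self, peer, dst_port):
        """Deliver a reply to a known flow or a configured forward; otherwise None (drop)."""
        return self.state.get((peer[0], peer[1], dst_port)) or self.forwards.get(dst_port)

def trace_inbound(peer, dst_port, hops):
    """Walk a packet from peer through each NAT hop; final (ip, port) or None if dropped."""
    target = (hops[0].public_ip, dst_port)
    for hop in hops:
        target = hop.inbound(peer, target[1])
        if target is None:
            return None
    return target

LAN_HOST = ("192.168.1.50", 18080)   # constructed: the Windows 10 machine on the LAN
TUNNEL_IP = "10.8.0.2"               # constructed: pfSense's OPT1 tunnel address
EXIT_IP = "203.0.113.10"             # constructed: the VPN provider's exit address
JOE = ("198.51.100.7", 40000)        # constructed: "Joe Rando" somewhere on the Internet

def build_chain(provider_forwards_port):
    provider = Nat(EXIT_IP)
    pfsense = Nat(TUNNEL_IP, forwards={18080: LAN_HOST})   # the OPT1 -> LAN rule from the thread
    if provider_forwards_port:
        provider.forwards[18080] = (TUNNEL_IP, 18080)       # only the provider can add this hop
    return provider, pfsense

def unsolicited(provider_forwards_port):
    """An Internet host hits exit:18080 with no prior flow from the LAN."""
    return trace_inbound(JOE, 18080, list(build_chain(provider_forwards_port)))

def reply_to_outbound_flow():
    """The LAN host talks to JOE first, so both hops hold state and the reply gets back."""
    provider, pfsense = build_chain(False)
    via_tunnel = pfsense.outbound(("192.168.1.50", 51000), JOE, 51000)    # LAN -> tunnel IP
    provider.outbound(via_tunnel, JOE, 51000)                            # tunnel IP -> exit IP
    return trace_inbound(JOE, 51000, [provider, pfsense])
```

`unsolicited(False)` returns None (the pfSense rule alone is never reached), `unsolicited(True)` reaches the LAN host, and the outbound case returns regardless, which is the asymmetry the reply describes.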



  • What you are saying makes perfect sense. I don't know why I didn't figure this out earlier. Thank you very much for your help!

