port forwarding fails when OpenVPN enabled on destination PC

  • Hello.

    I've configured my home cable modem in bridged mode.
    using pfsense as my firewall/router/NAT...etc.
    I added a NAT rule using the instructions in the pfsense guides to route zoneminder traffic via port 9091 on my WAN side to a 192.168.x.y PC on the LAN side...basically, so I could view remote camera feeds.
    All works very well until I start the OpenVPN client on the Ubuntu 18.04 PC that is also running the zoneminder server.
    I see the traffic coming into the box via pfSense NAT'd traffic, but I don't see it being sent back out. Nor do I see it being sent out the tun0 device that is configured by OpenVPN.
    I think the issue is a local routing issue on the Ubuntu PC, which now has a default route out the OpenVPN tun0 interface which has no knowledge of the previously NAT'd ingress connection.

    I can move the vpn connection to pfsense but I'd rather not due to latency/throughput issue(s).
    I can move the zoneminder app, and any other NAT'd connections, to another PC I guess but that's less elegant.

    Any other suggestions or thoughts?

  • LAYER 8 Netgate

    The OpenVPN server your ubuntu is connecting to is probably sending a default route def1 to the client so reply traffic to the connection attempts is going out the client's VPN connection.

    If so it's not a pfSense problem that can be fixed there, it's an OpenVPN client connection and routing table problem on the ubuntu machine. You could probably use outbound NAT on the inside interface to make connections to the zoneminder server appear to that machine to be coming from the pfSense interface address. Replies would then be same-subnet so the route back would work.

    Look at the routing table on the ubuntu machine when the VPN is connected and when it isn't. I believe netstat -rn should work there.
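
    As an added illustration of the routing-table check described in the reply (example code written here, not posted by either participant), the POSIX shell script below recognises the OpenVPN `redirect-gateway def1` pattern (a `0.0.0.0/1` plus `128.0.0.0/1` pair via a tun interface that outranks the LAN `default` route on prefix length) and prints the iproute2 policy-routing commands that would pin replies sourced from the LAN address back to the LAN gateway. The two routing tables, the `192.168.1.x` addresses, the interface names and table number 100 are constructed placeholders and not values from this thread; the script only prints the commands and applies nothing.

```shell
#!/bin/sh
# Added example: detect the OpenVPN "def1" default-route override in a Linux
# routing table and print (not apply) policy-routing commands that send replies
# from the DNAT'd LAN address back out the LAN gateway instead of tun0.
# All addresses, interface names and sample tables are constructed placeholders.

# Constructed `ip route show` output with the VPN client connected.
ROUTES_VPN_UP='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto static metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# Constructed output of the same host with the VPN client stopped.
ROUTES_VPN_DOWN='default via 192.168.1.1 dev eth0 proto static metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'

# Returns 0 when a def1 pair (0.0.0.0/1 and 128.0.0.0/1 via a tun device) is
# present: each /1 is more specific than "default", so every non-local reply
# leaves through the VPN even though the LAN default route is still listed.
vpn_overrides_default() {
    printf '%s\n' "$1" | grep -qE '^0\.0\.0\.0/1 .* dev tun[0-9]+' &&
    printf '%s\n' "$1" | grep -qE '^128\.0\.0\.0/1 .* dev tun[0-9]+'
}

# Gateway and interface of the original LAN default route, which OpenVPN
# leaves in place underneath the two /1 routes.
lan_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

lan_interface() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Print iproute2 commands for a secondary table that routes traffic sourced from
# the LAN address (replies to the DNAT'd ZoneMinder connections) via the LAN
# gateway. The connected-subnet route keeps same-LAN traffic off the gateway.
# Only prints; applying the commands needs root on the host.
policy_route_commands() {
    routes=$1
    lan_ip=$2
    lan_net=$3
    table=100
    gw=$(lan_gateway "$routes")
    dev=$(lan_interface "$routes")
    [ -n "$gw" ] && [ -n "$dev" ] || return 1
    printf 'ip route add %s dev %s src %s table %s\n' "$lan_net" "$dev" "$lan_ip" "$table"
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$dev" "$table"
    printf 'ip rule add from %s/32 table %s priority %s\n' "$lan_ip" "$table" "$table"
}

# Diagnosis over the constructed samples; on a real host pass "$(ip route show)".
for routes in "$ROUTES_VPN_DOWN" "$ROUTES_VPN_UP"; do
    if vpn_overrides_default "$routes"; then
        echo "def1 override present: replies would leave via tun0; suggested fix:"
        policy_route_commands "$routes" 192.168.1.50 192.168.1.0/24
    else
        echo "no VPN default override: replies follow the LAN default route"
    fi
done
```

The source-based rule only catches packets that are already bound to the LAN address, which is exactly the reply traffic of the forwarded connections; the host's own VPN-bound traffic is sourced from the tun0 address and keeps using the /1 routes. The outbound-NAT approach mentioned in the reply avoids touching the Ubuntu host at all, at the cost of ZoneMinder logs showing the pfSense LAN address instead of the real remote client.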
