OpenVPN Static Ip, Routing Problem, NAT

Hi, i have the following problem.

I'm running a mail server behind Pfsense as a hobby and to expand my knowledge.
I connected my firewall as a client to an OpenVPN. This gives me a fixed ip address for my mail server.

Unfortunately not only the mail traffic but all outgoing traffic from the firewall is sent via the VPN.
But if I go in the VPN connection settings and check: Don't Pull Routes, all outgoing traffic runs normally again via the WAN interface.

Unfortunately, I then do not get the outbound NAT and the firewall rules to send the outgoing mailserver traffic via the OpenVPN.

If I then uncheck: Dont pull Routes
All outgoing traffic runs again via the VPN.

I think this Problem might be solvable but i need help to create the right outbound and firewall rules.

I hope my Text is understandable.

Thanks in Advance. If you need Screenshots or any further Information i am happily going to supply them as good as i can.

viragomann

Of course you have to tell pfSense which traffic it should route over the VPN. This is done by policy routing rules.

To add such a rule you have to assign an interface to the OpenVPN client first, if you didn't already.
Then add a firewall rule or edit the existing one which is allowing upstream traffic from the mail server, expand the advanced options and select the OpenVPN gateway.
"Don't pull routes" has to be checked in the client VPN settings.
Now only traffic from the mail server is routed out over the VPN.

I already assigned the OpenVPN to an interface and also to a Gateway.
I tried a lot of different Firewall/NAT Settings but i cant get them to work so that my outgoing traffic is routed threw the VPN.

I made some screenshots for you.

Maybe you can find the mistake.
(I will change the floating firewall rule to a normal firewall rule later if i manage to get this working.)

alt text

viragomann

In the firewall rule the source port has to be "any" and the destination port must be "SMTP".

I changed the firewall rule as you said, but it still doesnt work.

Derelict

@schamschi

"Don't pull routes" has to be checked in the client VPN settings.

Hello Derelict, if i check the box my port forwarding to my server isnt working anymore somehow, so i am not able to check if this helps.

My Port Forwards will work if i check the box below: Don't add or remove routes automatically

But also with this checked i got no success in my outbound/firewall problem.

Derelict

If you are port forwarding into a server over OpenVPN you have to:

Assign an interface
Make sure the rules on the OpenVPN tab DO NOT match the incoming traffic. They must match on the assigned interface tab to get the benefit of pf's reply-to.

Since your OpenVPN should probably be treated as a WAN, I would delete all of the rules on the OpenVPN tab and only add rules on the assigned interface tab that pass the proper mail ports to the proper server. Passing any there is bad news.

@Derelict The Interface is assigned and also the Rules are in the Assigned Interface Tab and they work as long as i pull the vpn routes.

It seems to be and problem dedicated to the routes of my firewall.

Sadly i dont know further.

Maybe someone can look directly into it, if this isnt to timetaking.

Derelict

Is it also matching on the OpenVPN tab? If it matches on the OpenVPN tab the assigned interface tab will never be looked at and you will not get reply-to.

On the OpenVPN Tab there are no rules only on the assigned interface tab.

Derelict

Then it should be working. Packet capture and see what's going on. Look at states and see what's going on.

@Derelict
It seems they are talking when i try to send a mail.

Paket Capture:
00:41:11.073926 IP MAIL.localdomain.56830 > mx01.emig.gmx.net.smtp: tcp 0
00:41:11.074317 IP mx01.emig.gmx.net.smtp > MAIL.localdomain.56830: tcp 0
00:41:11.074527 IP MAIL.localdomain.34318 > mx00.emig.gmx.net.smtp: tcp 0
00:41:11.074865 IP mx00.emig.gmx.net.smtp > MAIL.localdomain.34318: tcp 0

States:
LAN tcp 192.168.1.105:56812 -> 212.227.17.5:25 TIME_WAIT:TIME_WAIT 1 / 1 60 B / 40 B
WAN tcp 192.168.188.22:8701 (192.168.1.105:56812) -> 212.227.17.5:25 TIME_WAIT:TIME_WAIT 1 / 1 60 B / 40 B

192.168.1.105 (Mail)
192.168.188.22 (Pfsense)

@Derelict i tried to set my default gateway at the routing tab to my vpn gateway and then the traffic seems to get routed threw the OpenVPN Tunnel.
Dont know if that helps.

Derelict

Are you talking about outbound connections or inbound? What, specifically is not working.

Outbound.

@Derelict I think i got it to work. After i set the default gateway manually to the VPN and not automatic and saw that it worked,
i transfered the Flowing Rule i made for the outbound traffic to the Lan interface.
With the new knowledge of your help and the help of viragomann i changed some tiny things in the firewall rule.
After that i changed the default gateway back to automatic and know the outbound traffic takes the vpn and everything works.
I even rebootet the firewall to get lost of the states but everything still functions as it seems.

Thank you so very much for your dedication and your help.