Port Forwarding through VPN
-
Hello Everybody,
After multiple hours of trial and error, I am hoping to get some help here.
I am trying to set up a simple Port Forwarding from one pfSense Router to another through their VPN connection. Some more detail on the current network:
pfSense A (192.168.2.0/24)
| 192.168.3.1
|
|
OpenVPN (192.168.3.0/24)
|
|
| 192.168.3.2
pfSense B (192.168.4.0/24)
The VPN connection is working correctly and the traffic seems to be routed correctly as far as I can tell.
I have added a Port Forwarding rule on pfSense A to forward port 80 to an IP address on the LAN network of pfSense B (e.g. 192.168.4.3) but that is not working. Port Forwarding to the LAN network of pfSense A (e.g. 192.168.2.3) is working normally.
Is there any rule I need to configure on the firewall of pfSense B?
Should I port forward to the OpenVPN interface of pfSense B and then forward again to the LAN address?
Thank you all in advance for any help on this topic!
BR Chris
-
Hi,
What you want is accessing a web server on the LAN of pfSense B?
That means that you have to port forward port 80 on pfSense A and pfSense B.
When accessing - connected to - the VPN server on pfSense, the NAT rule (port forward rule) on pfSense isn't used any more. The same NAT rule on pfSense is still needed.
-
Thanks for the reply @Gertjan. Yes, I want to access the web server on the LAN network of pfSense B.
I created the port forwarding rule on pfSense A (forwarding port 80 to 192.168.4.3 from WAN interface). After your post I created the forwarding rule on pfSense B as well (forwarding port 80 to 192.168.4.3 from WAN interface). This does not resolve the issue yet. Do I have to forward the port from pfSense B from the WAN interface as well or from the OpenVPN interface?
Thanks for your suggestion!
-
@cneu88 said in Port Forwarding through VPN:
pfSense B from the WAN interface as well or from the OpenVPN interface?
The 'from' part should be 'any' (which includes the upstream WAN interface, and the OpenVPN interface etc).
Show your NAT rule.
-
The source definition on both rules is any. I attached the pictures of the rules below.
NAT rule on pfSense A
NAT rule on pfSense B
-
Both rules have "192.168.4.3" as destination ???
That's a no go.
The NAT rule on pfSense A should use a Destination IP that is the WAN IP used by pfSense B.
Not related, but the NAT rule on pfSense A should or could be TCP only.
-
@Gertjan said in Port Forwarding through VPN:
The NAT rule on pfSense A should use a Destination IP that is the WAN IP used by pfSense B.
Yes, I have already tried that as well. I used the OpenVPN tunnel Address of pfSense B which is 192.168.3.2. That did not work as well.
-
To test NAT rules, you could use the check list present in the pfSense manual.
Use Diagnostics > Packet Capture to check if:
Traffic arrives at the WAN interface, port 80, TCP, of pfSense A.
This validates the NAT rule on pfSense A.
Traffic arrives at the WAN interface, port 80, TCP, of pfSense B.
This validates the NAT rule on pfSense B.
Dunno what VPN has to do with all this.
When I VPN into my pfSense, I can access all LAN devices. If one of them is a router, with a downstream LAN network, then I have to place a NAT rule on this second pfSense, to access this device on his LAN.
-
I validated both rules on both pfSense boxes.
Both rules work and I can see the traffic via the packet capture. I am pretty sure something is wrong with the firewall rules I have set up on the pfSense boxes. I attached some pictures of their config below, maybe there is something wrong.
The interface 'ZONE0' is the assigned interface from the OpenVPN tunnel between both routers.
pfSense A NAT rules:
pfSense A Firewall Rules for ZONE0:
pfSense A firewall Rules for OpenVPN: (those rules were created by the OpenVPN creation wizard)
pfSense B NAT rules:
pfSense B Firewall Rules for ZONE0:
pfSense B firewall Rules for OpenVPN:
-
@cneu88 said in Port Forwarding through VPN:
pfSense B firewall Rules for OpenVPN: (those rules were created by the OpenVPN creation wizard)
and pfSense A should have the same Wizard created rules on its interface.
You have none. Then no VPN server is possible.
@cneu88 said in Port Forwarding through VPN:
Both rules work and I can see the traffic via the packet capture
You want to reach this "LAN B" based server from the Internet.
If packets reach the "LAN B" then there is only one possible barrier left: a firewall rule on the web server running on LAN B? Does the server on LAN B accept connections from outside of LAN B?
Still don't know what VPN has to do with this.
Make your NAT rules work, it's just a classic router after router setup. So you need a NAT rule on every router.