problem routing with AWS marketplace version

  • I am trying to use pfSense as an OpenVPN server inside an AWS VPC to give users remote access. I have the OpenVPN part working and can SSH into the server's WAN and LAN addresses, but cannot hit any other instances. My problem seems to be that I cannot get traffic on the AWS side to route to the pfSense interface. Looking at firewall logs and packet tracing, I see packets go out from the server but no packets into the server.
    I have disabled source/dest check on both interfaces.
    I am running without NAT.
    I have edited the subnet route table and added 192.168.167.0/24 -> eni-xxxx, trying both the WAN and LAN interface.
    From another instance I can ping the WAN interface, but cannot ping the LAN interface (I'm not sure if this is normal or not).
    Any help would be appreciated, I'm really stuck here.
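The AWS-side checks the question walks through (source/dest check on the pfSense ENIs and a subnet route for the OpenVPN client network), as an added example that is not part of this thread: a Python audit over constructed sample JSON in the shape of `aws ec2 describe-route-tables` and `aws ec2 describe-network-interfaces` output. All resource IDs are hypothetical; the 192.168.167.0/24 CIDR is the one from the post.

```python
import json

# OpenVPN tunnel network from the post, and hypothetical pfSense ENI ids.
VPN_CLIENT_CIDR = "192.168.167.0/24"
PFSENSE_ENIS = {"eni-0aaa1111": "wan", "eni-0bbb2222": "lan"}

# Constructed sample: trimmed describe-route-tables / describe-network-interfaces output.
ROUTE_TABLES = json.loads("""{"RouteTables": [
 {"RouteTableId": "rtb-0ccc3333",
  "Associations": [{"SubnetId": "subnet-0ddd4444"}],
  "Routes": [
   {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
   {"DestinationCidrBlock": "192.168.167.0/24", "NetworkInterfaceId": "eni-0bbb2222", "State": "active"}
  ]}]}""")
INTERFACES = json.loads("""{"NetworkInterfaces": [
 {"NetworkInterfaceId": "eni-0aaa1111", "SourceDestCheck": false},
 {"NetworkInterfaceId": "eni-0bbb2222", "SourceDestCheck": true}
]}""")


def audit_vpn_return_path(route_tables, interfaces, client_cidr, pfsense_enis):
    """Return findings that explain why return traffic for the VPN client
    subnet would never be delivered to pfSense. Empty list means both
    conditions the post describes are satisfied in the given data."""
    findings = []
    # 1. Any ENI pfSense forwards through must have SourceDestCheck off; with it
    #    on, AWS drops packets whose destination is not that ENI's own address.
    for eni in interfaces["NetworkInterfaces"]:
        eni_id = eni["NetworkInterfaceId"]
        if eni_id in pfsense_enis and eni["SourceDestCheck"]:
            findings.append(f"{eni_id} ({pfsense_enis[eni_id]}): SourceDestCheck still enabled")
    # 2. The route table of the subnet holding the *other* instances needs a route
    #    for the client CIDR that targets one of pfSense's ENIs and is active.
    for rtb in route_tables["RouteTables"]:
        hits = [r for r in rtb["Routes"] if r.get("DestinationCidrBlock") == client_cidr]
        if not hits:
            findings.append(f"{rtb['RouteTableId']}: no route for {client_cidr}")
            continue
        for r in hits:
            target = r.get("NetworkInterfaceId")
            if target not in pfsense_enis:
                findings.append(f"{rtb['RouteTableId']}: {client_cidr} -> {target!r} is not a pfSense ENI")
            elif r.get("State") != "active":
                findings.append(f"{rtb['RouteTableId']}: route to {client_cidr} is {r.get('State')}")
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_return_path(ROUTE_TABLES, INTERFACES, VPN_CLIENT_CIDR, PFSENSE_ENIS):
        print("FINDING:", finding)
```

Feed it the real CLI output for the route table attached to the subnet where the unreachable instances live, not only pfSense's own subnet, since that is the table the return packets consult.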

  • @The-Juggler said in problem routing with AWS marketplace version:

    r inside an aws vpc to give users remote access

    I take it you have set up the cloud/VPS firewall rules in the control console of AWS, and ports? With most instances, unless the port is changed on pfSense for web access, it will transfer the rules across to the WAN firewall ruleset from the AWS cloud firewall rules.

    I have set these up, and you will need NAT rules on the WAN with a single interface or it won't work, and static route rules for AWS instance to AWS instance with AWS firewall rules to allow.

    Option 2:

    Be careful in doing this, as rules for forwarding have to be set up and be specific in more than one area.
    Enable SSH forwarding on the server (be explicit) and on the client; set up your rules, i.e. in PuTTY, for which local port (127.0.0.1 port x). Then you can point your browser or application to a port on the local client (127.0.0.1 port x) and it will be forwarded, within the SSH tunnel you have set in PuTTY, to the internal server port you have set in the SSH forwarding rule. These rules are not NAT rules but SSH forwarding rules. NOTE - SSH forwarding is not set up as a default on any SSH installation, including clients.

    HTH
