Port forwarding problem (at my wits end)
-
Really don't know what to try next to open a (please read any) port while I am within VPN. I have OpenVPN client installed and connected to a VPN provider which is capable of port forward.
- VPN Provider: Forward port 9999 of VPN provider to 9999 to my pfSense VPN_WAN address. This is done and working. My VPN_WAN address is 10.26.2.17 (local to VPN provider)
- Then from 9999 of my VPN_WAN address (10.26.2.17) to 9999 of 192.168.2.10 on LAN.
Just for troubleshooting:
- VPN installed on PC --> WAN of pfSense: Port is open (with VPN provider port forward + pfSense port forward)
- PC (without any local VPN) --> WAN of pfSense: Port is open (with pfSense port forward)
- PC (without any local VPN) --> VPN_WAN of pfSense: Port is NOT open
This implies that I have a problem with my pfSense config, but I don't know what.
Please find below screenshots:
Port forward table: https://i.imgur.com/mzFYLPI.png
Outbound NAT: https://i.imgur.com/9FkxrV8.png
LAN rules: https://i.imgur.com/HQRB9MX.png
VPN_WAN rules: https://i.imgur.com/xNNpxHX.png
I would be grateful for any hint.
Thank you.
-
@sse450
Is there any rule on the OpenVPN tab?
If yes and you have no other OpenVPN instance running, remove it.
-
@viragomann Bingo!
Dear friend, I cannot say how grateful I am after weeks of messing with the pfSense config. I have an OpenVPN server running to connect to my home network from outside. As soon as I disabled it, the port forward worked. Big relief for me. I really don't know why it happens.
My next question if you don't mind. How can I get OpenVPN server to work while VPN client on pfSense is connected to VPN provider?
Here is the screenshot of my OpenVPN tab:
https://i.imgur.com/CW92VUI.png
Thank you a lot.
-
@sse450
The OpenVPN tab is in fact an interface group including any OpenVPN instance running on pfSense, clients and servers. Rules on interface groups have priority over rules on interface tabs.
But the incoming traffic must not be matched by an interface group rule. Two ways to set a rule for the OpenVPN server:
- Simply enter the OpenVPN server tunnel network as source. So the rule is applied only to the VPN client subnet.
"Any" as source is a no-go anyway when you have an active client. This rule would allow any traffic coming in from your OpenVPN provider.
- The other way, and quite a bit safer, is to assign an interface to the OpenVPN server as well and move the rule to that interface.
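An added illustration of the precedence described above (this is constructed example code, not from the thread or from pfSense itself): a small Python model of first-match rule evaluation in which interface-group rules are checked before per-interface rules. It shows why a wizard-generated "any" rule on the OpenVPN tab catches the provider's forwarded traffic before the VPN_WAN port-forward rule is ever consulted, and that both remedies (scoping the source to the server tunnel network, or moving the rule to an interface assigned to the server) let the port forward match again. The LAN host 192.168.2.10, port 9999 and the interface name VPN_WAN come from the thread; the server tunnel network 10.8.0.0/24, the external source 203.0.113.5, the server interface name VPN_SERVER and the group membership are assumptions.

```python
"""Toy model of pfSense rule precedence: interface-group tabs (such as the
OpenVPN tab) are evaluated before per-interface tabs; first match wins.
Constructed illustration, not pfSense code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on (after any port-forward rdr)
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    scope: str           # "group:<name>" or "iface:<name>"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    dport: Optional[int]  # None means any port
    label: str


# Assumed membership: the OpenVPN group holds every OpenVPN instance's
# interface, the provider client (VPN_WAN) and the home server (VPN_SERVER) alike.
GROUPS = {"OpenVPN": {"VPN_WAN", "VPN_SERVER"}}

# The rule pfSense associates with the port forward lives on the VPN_WAN tab.
# A port forward rewrites the destination before filtering, so the packet
# the filter sees is already addressed to the LAN host.
PORT_FORWARD_RULE = Rule("iface:VPN_WAN", "any", "192.168.2.10/32", 9999,
                         "VPN_WAN port forward 9999")

# Wizard default on the OpenVPN group tab: pass from any source.
WIZARD_RULESET: List[Rule] = [
    PORT_FORWARD_RULE,
    Rule("group:OpenVPN", "any", "any", None, "OpenVPN tab: pass any (wizard)"),
]
# Remedy 1: keep the rule on the group tab but limit the source to the
# server's tunnel network (assumed 10.8.0.0/24).
SCOPED_RULESET: List[Rule] = [
    PORT_FORWARD_RULE,
    Rule("group:OpenVPN", "10.8.0.0/24", "any", None, "OpenVPN tab: pass from server tunnel"),
]
# Remedy 2: assign an interface (VPN_SERVER) to the server and move the rule there.
ASSIGNED_RULESET: List[Rule] = [
    PORT_FORWARD_RULE,
    Rule("iface:VPN_SERVER", "any", "any", None, "VPN_SERVER tab: pass any"),
]

# Constructed packets: one forwarded by the provider, one from a road-warrior client.
FORWARDED = Packet("VPN_WAN", "203.0.113.5", "192.168.2.10", 9999)
ROAD_WARRIOR = Packet("VPN_SERVER", "10.8.0.6", "192.168.2.10", 22)


def _in(net: str, ip: str) -> bool:
    """True if ip is covered by net, where 'any' covers everything."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def rule_applies(rule: Rule, pkt: Packet) -> bool:
    kind, name = rule.scope.split(":", 1)
    on_iface = pkt.iface in GROUPS.get(name, set()) if kind == "group" else pkt.iface == name
    return (on_iface and _in(rule.src, pkt.src) and _in(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Return the label of the first matching rule, group tabs before interface tabs."""
    ordered = sorted(rules, key=lambda r: 0 if r.scope.startswith("group:") else 1)
    for rule in ordered:
        if rule_applies(rule, pkt):
            return rule.label
    return None


if __name__ == "__main__":
    for name, ruleset in [("wizard", WIZARD_RULESET), ("scoped", SCOPED_RULESET),
                          ("assigned", ASSIGNED_RULESET)]:
        print(f"{name:9s} forwarded    -> {first_match(ruleset, FORWARDED)}")
        print(f"{name:9s} road warrior -> {first_match(ruleset, ROAD_WARRIOR)}")
```

With the wizard ruleset the forwarded packet is claimed by the group rule and the VPN_WAN port-forward rule never gets a look, which is the behaviour the thread describes; with either remedy the forwarded packet falls through to the port-forward rule while road-warrior clients are still passed by the server's own rule.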
-
I followed the second way in your message. It worked.
This showed me that I haven't learned pfSense well enough to find my way around.
You are a godsend.
Best regards
-
Dear @viragomann, I am in need of a bit of help again.
As per your advice, port forward from VPN provider worked after I moved the rule created by OpenVPN server wizard on OpenVPN interface to another interface (VPN_SERVER).
Now, I cannot run OpenVPN server on the new VPN_SERVER interface.
Please find below images from my setup:
WAN: https://i.imgur.com/580V8zS.png
LAN: https://i.imgur.com/MJ8Hbw9.png
AIRVPN_WAN: https://i.imgur.com/MJ8Hbw9.png
VPN_SERVER: https://i.imgur.com/uLAoNvA.png
OpenVPN: https://i.imgur.com/jrJcmjC.png
Outbound NAT: https://i.imgur.com/3BRv8ZJ.png
Interfaces: https://i.imgur.com/Mn0dzjw.png
And here is the OpenVPN client log: https://pastebin.com/ykdR5Vm6
It seems the client cannot connect to start communication with the server.
What is wrong with my setup? I would appreciate any help.
Thank you.
-
@sse450
So the client cannot connect to the server from what I can see here. However, the provided screenshots are not very helpful to investigate this issue. Your client log is puzzling me. It seems you have multiple remote lines for different servers / IPs, but since you've replaced all remote IPs with the same string, I have to assume it is connecting to the same IP on each attempt.
Is the server running? What does Status > OpenVPN show?
Is the server listening on WAN address?
Can you see something in the server log mentioning the connection attempts?