Replies blocked for port forward outside default route
Hi,
I have set up my pfSense to connect to an OpenVPN server which pushes default v4 and v6 routes, so all of my LAN's outbound traffic goes through the VPN. Traffic originating from pfSense itself also goes through the VPN.
I have assigned the VPN an interface, and set up Outbound NAT on it in hybrid mode. Everything works well there. I have also created a few port forwards from the VPN interface into my LAN, and am able to connect to these forwarded ports via the VPN server's public IP.
I am now trying to expose some services that should be accessible directly on the firewall's WAN address, instead of through the VPN. I have thus created port forwards from the WAN to the LAN, but they don't work.
When I look at packet captures, I see that the inbound packets are received, passed to the correct address and port on the LAN, the LAN machine replies, but the reply doesn't make it back through the firewall to the WAN.
When I look at firewall logs, I see that the replies have been blocked (the port forwarded in this case is 2053; the hidden IP on the left is my WAN IP, and the one on the right is the client IP).
I have also tried disabling "reply-to"; in that case the replies are not blocked, but they are sent via the VPN interface. I assume they then get lost before reaching the client, or the client rejects them because they come from the wrong endpoint. In any case, this doesn't work (and even if it did, it wouldn't be ideal for privacy).
Is the scenario I'm trying to implement supported, and if so how should I make it work?
Thanks