Port forwarding/NAT from VPN to local server
-
Hey all
Wondered if anyone could shed some light on this please!
I've a PFSense 2.5.2 box configured with an OpenVPN connection to PrivateInternetAccess.
Works fine.
I am trying to configure a NAT/Port forward rule to force incoming traffic (that comes in through the PIA tunnel), that hits a particular port (or port range) to be forwarded to a particular Server on the LAN.
I've tested that the port is open on the server itself (from another server on the LAN). Works fine. Port is open.
Also tested that the port is open from the WAN interface (by adding a temporary NAT/Port Forward rule from the WAN interface to the same host on the LAN). Again. This works fine. Port is open.
Problem is when I try to test the port via the Virtual IP of the PIA interface (tested that it's showing as correct using the what is my IP address on the browser. Also tallies with external vIP shown on the Interface). Port says it's not open.
I use https://www.yougetsignal.com/tools/open-ports to test (as I did for the WAN interface).
I've read that there might have been a bug in 2.5.1 that looks similar-ish. But I can't get this to work. Any thoughts please? Port is reported as closed via the PIA VPN..
Hope that makes sense!
-
@hostilian
So I assume the PIA VPN is not the default route on your pfSense.
Have you already assigned an interface to the PIA VPN instance?
Are you running multiple OpenVPN services?
-
Hi viragomann
WAN is the default gateway for clients - with the exception of the single host (previously mentioned) that is forced out the PIA_VPN gateway.
Or rather it should be. Default gateway IPv4 is set to Automatic.
Interface has already been assigned for PIA_VPN and that's where the firewall rule was auto created (for the corresponding port forwarding NAT rule). As mentioned, PIA_VPN works fine and I've a rule to stop leakage (which also works fine - when I stop the OpenVPN client, the Host can't get onto the internet).
Just the one OpenVPN tunnel and single interface (though there's another - what looks to be a 'dummy' OpenVPN ruleset - that can't be assigned an interface).
-
@hostilian
Remove all pass rules from the OpenVPN tab.
Then it should work.
-
@viragomann
In the Firewall openVPN Tab? There is nothing in there. Haven't touched it as assumed it wasn't used.
The (autocreated) PIA_VPN rule sits in the PIA_VPN firewall tab..
-
@hostilian said in Port forwarding/NAT from VPN to local server:
In the Firewall openVPN Tab?
Yes.
The (autocreated) PIA_VPN rule sits in the PIA_VPN firewall tab..
Can you make sure that this rule is applied to the incoming traffic?
Enable logging in the rule and check the firewall log to verify.
Are you sure there are any packets coming in on the PIA interface?
Check with packet capture.
-
@viragomann
Yeah, that's what I couldn't see. Had enabled logging earlier, but couldn't see anything relevant.
The FW rule..
Interface points to the PIA_VPN interface.
Source = Any
Destination = set to the PIA_VPN interface (with port as per my LAN Host).
Gateway is set to default.
The NAT/Port Forward rule.
Have tried destination as PIA_VPN and WAN address options (interface set to PIA_VPN Interface).
I'll enable it again and have another look - and pick it up tomorrow..
Thanks again
-
I mean, I wouldn't have to look into this if my PIA connection was faster. It's topping out at about 1-3MB/sec down (and is actually reporting faster UP over the VPN).
I might leave the port forwarding 'issue' and try to find out why the VPN is so damn slow. It's much faster if I use the client, installed in Windows, but OpenVPN over PFSense is dead slow.
I have an almost 400Mb/s line.
-
Most VPNs don't allow open ports... So you have configured the open port with them in the first place?
-
@bob-dig said in Port forwarding/NAT from VPN to local server:
with them in the first place?
Ahhh. OK. Thanks.
Yes, some servers allow it. One of them happened to be one I used, but switched from, due to speed issues. These speed issues are everywhere though - so I may switch back to the Windows client and Wireguard. Pretty crap, but it's that slow (to PIA) I have just about written OpenVPN off..
OpenVPN (using PFSense) is about 1.5MB/s. Using PIA Client in Windows - Wireguard - is easily over 10MB/s.
Thanks for your time and information guys. Appreciated!