Netgate Discussion Forum

    General questions

      deanfourie

      So first q, where can I find all active NAT translations or Port Translations like a NAT table?

      And lastly, I have pfSense connected as an OVPN client to OVPN, but when binding OVPN to a new interface under interface / assignments, I cannot reach any clients on the VPN anymore.

      I don't think this is firewall related, as without the interface binding, there is a default binding created under the firewall rules section called "OpenVPN" where I can define firewall rules. I've set it to allow all TCP and this works fine, however when creating the interface binding, all VPN connectivity just stops completely.

      Any ideas?

      Thanks

        Gertjan @deanfourie

        @deanfourie said in General questions:

        So first q, where can I find all active NAT translations or Port Translations like a NAT table?

        Here :

        91e3ec3b-ee24-416d-b9ea-c04dacff756f-image.png

        @deanfourie said in General questions:

        And lastly, I have pfSense connected as an OVPN client to OVPN, but when binding OVPN to a new interface under interface / assignments, I cannot reach any clients on the VPN anymore.

        Explain 'reach'.
        Your pfSense is an OpenVPN client, so your pfSense connects to an off site OpenVPN server.
        It could be the admin of that OpenVPN server that admittedly forbids inter client communication.

        new interface under interface / assignments,

        using what rules ?

        @deanfourie said in General questions:

        there is a default binding created under the firewall rules section called "OpenVPN"

        The OpenVPN client doesn't create any rules. What is created under "rules" ? What interface ? What rule ?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          deanfourie @Gertjan

          @gertjan It is a cloud connection, with a cloud "connector" usually I can ping this connector and use it as a DNS server.

          Without the OVPN interface, the client connects to OVPN cloud connector and I am able to use it as a DNS server, reach other clients connected to the same connector and they can reach my pfsense LAN after I created a firewall rule to allow all TCP inbound on the openvpn cloud interface (this is one that is created by default, not created in the assignments).

          But when I try to create an OVPN interface in Interfaces / Assignments, everything stops in terms of VPN traffic. Cannot reach out and nothing can reach in.

          Then after creating this Interface for OVPN, I go to firewall rules and now I see two OpenVPN interfaces, one is the default one that is created when the connection is established and one is the interface I created in assignments.

          You follow my flow haha

            deanfourie

            Here is a shot of my setup without the interface setupovpn1.PNG

              deanfourie @Gertjan

              @gertjan said in General questions:

              @deanfourie said in General questions:

              So first q, where can I find all active NAT translations or Port Translations like a NAT table?
              

              Here :

              91e3ec3b-ee24-416d-b9ea-c04dacff756f-image.png

              @deanfourie said in General questions:

              And lastly, I have pfSense connected as an OVPN client to OVPN, but when binding OVPN to a new interface under interface / assignments, I cannot reach any clients on the VPN anymore.

              Explain 'reach'.
              Your pfSense is an OpenVPN client, so your pfSense connects to an off site OpenVPN server.
              It could be the admin of that OpenVPN server that admittedly forbids inter client communication.

              new interface under interface / assignments,

              using what rules ?

              @deanfourie said in General questions:

              there is a default binding created under the firewall rules section called "OpenVPN"

              The OpenVPN client doesn't create any rules. What is created under "rules" ? What interface ? What rule ?

              I don't see any translation table here. I can only see where to configure NAT here but cannot see any active mappings?

              nat1.PNG

              nat2.PNG

                Gertjan @deanfourie

                @deanfourie said in General questions:

                Here is a shot of my setup without the interface setupovpn1.PNG

                Your image is not what you said :

                @deanfourie said in General questions:

                I created a firewall rule to allow all TCP

                Your firewall rule accepts all protocols. There is more (way more) than just "TCP".
                Just TCP would be very problematic.

                As your rule shows, it is used :
                192ac49c-38ae-45f4-9301-3d8608da29b4-image.png

                so all incoming traffic passes by this rule, and as everything matches, it is not that rule that has an issue.

                Check your DNS server - the one in the cloud.
                Is it aware of your local clients ? How does it know about the local devices and IP addresses ?
                When you connect to this cloud thing, from there, can you ping a device on your LAN ? Resolve a device that is on your LAN(s) ?

                @deanfourie said in General questions:

                I don't see any translation table here

                Means you have no NAT rules.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                  deanfourie @Gertjan

                  @gertjan Yea sorry, my bad not just TCP but all traffic.

                  So, my problem is only when I create an interface binding that everything goes downhill. If I leave it with the default interface binding then everything is fine but I am limited as I can't see the default interface in all functions, that's why I want to create a new binding.

                  So, now I go to interface / assignments and assign ovpnc1 to a new interface, let's say OVPNTEST, save it, and enable the interface. Everything grinds to a halt. I don't really even know where to start problem solving on this one as it's not firewall related I don't think.

                  Also, regarding NAT, I have 20 odd interface LAN clients connecting to the internet, there has to be NAT entries. Maybe I should say something more like PAT entries for the port translations.

                    johnpoz LAYER 8 Global Moderator @deanfourie

                    @deanfourie said in General questions:

                    Maybe I should say something more like PAT entries for the port translations.

                    They are in the state table.

                    states.jpg

                    You can see where my client 192.168.7.99 talking to 54.87.189.215:2350 was natted, or correctly NAPT (Network Address Port Translation). It was changed to my public IP using a different source port, 27449 vs the original 59297.

                    When you created the new interface did you put a rule on it? This OVPNTEST

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11
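
The translation described in the post above, as it can be read from a shell on the firewall; this is an added example, not part of johnpoz's post. It assumes the usual `pfctl -ss` line layout, and the interface names, the 203.0.113.10 WAN address and the second LAN client are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): pull the NAT/NAPT entries out of the
# pf state table. On the firewall itself:  pfctl -ss | nat_states

# Constructed sample in the layout pfctl -ss prints. igb0/igb1 and
# 203.0.113.10 (standing in for the WAN address) are placeholders; the client,
# destination and both source ports in the first two lines are from the post.
sample_states() {
cat <<'EOF'
igb1 tcp 192.168.7.99:59297 -> 54.87.189.215:2350       ESTABLISHED:ESTABLISHED
igb0 tcp 203.0.113.10:27449 (192.168.7.99:59297) -> 54.87.189.215:2350       ESTABLISHED:ESTABLISHED
igb0 udp 203.0.113.10:41812 (192.168.7.20:53011) -> 198.51.100.53:53       MULTIPLE:SINGLE
igb0 tcp 198.51.100.7:40022 -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
EOF
}

# Keep only outbound states whose source was rewritten: pf prints the
# translated address first and the original one in parentheses after it.
# Output: iface proto original => translated -> destination
nat_states() {
    awk '$4 ~ /^\(.*\)$/ && $5 == "->" {
        orig = substr($4, 2, length($4) - 2)
        printf "%s %s %s => %s -> %s\n", $1, $2, orig, $3, $6
    }'
}

# Translated states per internal host (IPv4 only: splits on the first colon).
nat_count_by_host() {
    nat_states | awk '{ split($3, a, ":"); n[a[1]]++ }
        END { for (h in n) print n[h], h }' | sort -rn
}

sample_states | nat_states
sample_states | nat_count_by_host
```

The untranslated LAN-side state and the inbound WAN state are skipped because they carry no parenthesised original address.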

                      stephenw10 Netgate Administrator

                      Yup that. There is no separate table for translation states; they are created by pf as part of the state table.

                      When you assign or unassign an OpenVPN interface you must restart the OpenVPN service. No traffic will flow until you do.

                      Steve

                        deanfourie @johnpoz

                        @johnpoz I can't see this anywhere? Where is this table located in pfSense?

                        I have checked everywhere under NAT and I have no such entries. Why could this be?

                        That's what I'm looking for

                        Cheers

                          stephenw10 Netgate Administrator

                          The state table is in Diag > States.

                            deanfourie @stephenw10

                            @stephenw10 ahhh thank you! I have found it now. That's what I'm looking for.

                            Will try the ovpn interface again and restart the service when I am home.

                            Thanks for the help guys!

                              deanfourie

                              Quick question, is there any way to add that (diag >> states) to the pfSense Dashboard?

                              Thanks

                                stephenw10 Netgate Administrator

                                There is no states widget, no. Many systems have millions of states at any one time which would be difficult to accommodate.

                                  deanfourie @stephenw10

                                  @stephenw10 very true. Thank you anyway

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.