Pfsense Firewall Rules and VPN connection
-
Hello everyone,
If anyone can help me out with setting this up, that would be great.
I have two VPN servers running on my network; one is a stand-alone VPN service running on a VM. With this stand-alone server, I have no problems connecting from the outside. I mention this to convey to you guys that I can get NAT port forwarding to work.
My problem is my VPN cluster connection: I can't get it to connect through the firewall. It gives me no problems when connecting to it from different subnets in the local network; the issue only happens when trying to connect from outside, over the internet.
Here are the details:
The cluster has 4 member nodes and a master node.
vpnmasternode: 192.168.1.10:1234
vpnnode1: 192.168.1.11:1234
vpnnode2: 192.168.1.12:1234
vpnnode3: 192.168.1.13:1234
vpnnode4: 192.168.1.14:1234
So at the firewall, the cluster NAT forwarding points to 192.168.1.10 port 1234.
Using this configuration, I can get an initial connection to the master node, but when the master assigns the workload to one of the nodes, the firewall does not allow the connection to that node to be established. My guess is that the firewall is waiting for a reply from 192.168.1.10 (the master node) and not the worker node, and sees the reply from the worker node as an attack and blocks it. How can I fix these issues?
-
@jjosuemp07
Yes. pfSense is a stateful firewall.
When a SYN packet to 192.168.1.10:1234 comes in, a state is added to its state table. This allows 192.168.1.10:1234 to respond, but no others. If this is the case, you should see blocks from the other nodes from port 1234 on the internal interface with the SYN ACK flag.
You can allow this then with a sloppy state rule.
-
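As an added illustration (not from either poster): a script that checks for the symptom viragomann describes by scanning pfSense filter log lines for blocked inbound SYN-ACKs arriving on the LAN interface from a worker node's port 1234. The log lines are constructed, the CSV field order is assumed from the pfSense filterlog layout, and the interface name `igb1` and the client address 203.0.113.5 are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the pfSense filterlog CSV layout
# (field order assumed from memory, not taken from the forum post).
SAMPLE_LOG = """\
Mar 1 10:00:01 fw filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.11,203.0.113.5,1234,51234,0,SA,,,65535,,mss
Mar 1 10:00:01 fw filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.13,203.0.113.5,1234,51235,0,SA,,,65535,,mss
Mar 1 10:00:02 fw filterlog: 7,,,1000000201,igb1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.10,203.0.113.5,1234,51236,0,SA,,,65535,,mss
Mar 1 10:00:03 fw filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,203.0.113.9,443,40000,0,S,,,65535,,mss
"""

CLUSTER_NODES = {"192.168.1.11", "192.168.1.12", "192.168.1.13", "192.168.1.14"}
CLUSTER_PORT = 1234
LAN_IF = "igb1"  # assumed name of the internal (LAN) interface


@dataclass
class BlockedReply:
    node: str    # worker node whose reply was dropped
    client: str  # external client the reply was addressed to
    flags: str   # TCP flags as logged by pf


def parse_filterlog(line):
    """Return the relevant fields of an IPv4 TCP filterlog line, or None if not one."""
    m = re.search(r"filterlog: (.*)$", line)
    if not m:
        return None
    f = m.group(1).split(",")
    # Assumed layout: 4=interface, 6=action, 7=direction, 8=ipversion, 16=protocol,
    # 18=srcip, 19=dstip, 20=srcport, 21=dstport, 23=tcpflags
    if len(f) < 24 or f[8] != "4" or f[16] != "tcp":
        return None
    return {"iface": f[4], "action": f[6], "dir": f[7], "src": f[18], "dst": f[19],
            "sport": int(f[20]), "dport": int(f[21]), "flags": f[23]}


def find_blocked_node_replies(log_text):
    """Blocked inbound SYN-ACKs on LAN from a worker node's cluster port: the state-table symptom."""
    hits = []
    for line in log_text.splitlines():
        p = parse_filterlog(line)
        if p is None:
            continue
        if (p["iface"] == LAN_IF and p["action"] == "block" and p["dir"] == "in"
                and p["src"] in CLUSTER_NODES and p["sport"] == CLUSTER_PORT
                and "S" in p["flags"] and "A" in p["flags"]):
            hits.append(BlockedReply(p["src"], p["dst"], p["flags"]))
    return hits


if __name__ == "__main__":
    for h in find_blocked_node_replies(SAMPLE_LOG):
        print(f"dropped SYN-ACK from {h.node}:{CLUSTER_PORT} to {h.client} (flags {h.flags})")
```

If the script reports nothing on your real log, the state table is not what is dropping the worker replies and the sloppy-state change will not help; look at the block entries for a different cause.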
@viragomann
That did work; anything else I can try?