pfSense NAT rule to another pfSense
-
Setup:
Two boxes with VPN tunnel between them. All resources accessible.
VPS - 94.xx.xx.xx
Local - 46.xx.xx.xx
I have a mail server, currently accessible via open internet on port 25 on the pfsense.local (94.xx.xx.xx) and my idea is to close that tcp/25 and access the mail server via the VPS one (46.xx.xx.xx) via the VPN.
Basically to use the VPS as an entry point.
What I want to do:
Traffic flow in : Internet -> VPS/TCP25 -> pfSense.local/TCP25 -> MailServer(10.16.22.15)/TCP25
Traffic flow out : MailServer(10.16.22.15)/TCP25 -> pfSense.local/TCP25 -> VPS -> Internet
I have the second part working. On the rule for the mail server I've defined a gateway and when testing with
curl ifconfig.me I can see the traffic is going out from the VPS and I'm getting the corresponding address (46.xx.xx)
For some reason, I cannot work out the first part.
I tried with the following Port Forward NAT rule: check the attached file
Using that rule, when testing the port from public internet, I can see the traffic going to the VPS pfSense, then reaching the mail server via the pfSense local, but the result of the port test fails.
On the packet capture I can see only tcp 0 reaching the mail server.
I also tried using Outbound NAT on the pfSense.local with the idea of forwarding all traffic to the VPS pfSense, again no luck, the result of the port test again failed.
Not sure what's going on and why. I have some concerns regarding asymmetric traffic, because from the traffic logs I see the mail server is trying to talk back to the port test website directly, and not via the VPS for some reason.
Any help would be appreciated
-
@lcs What VPN? From where is that screenshot? Why is that disabled?
-
@Bob-Dig OpenVPN.
It is disabled, because it's not working and there's no point to be active as of now.
This NAT rule is on the VPS firewall
-
@lcs said in pfSense NAT rule to another pfSense:
Not sure what's going on and why. I have some concerns regarding asymmetric traffic, because from the traffic logs I see the mail server is trying to talk back to the port test website directly, and not via the VPS for some reason.
I would create a local rule which forces traffic towards port 25 out the VPN-Gateway.
-
@lcs
On your home pfSense you have to assign an interface to the OpenVPN instance.
Then go to Firewall > Rules > OpenVPN, edit the pass rule and change the interface to the new instance interface.
No pass rule on the OpenVPN tab must match the incoming traffic from the VPS!
If you're running further OpenVPN instances, either limit the pass rules to the respective source IP ranges (e.g. tunnel network if applicable) or as well assign interfaces to the other instances and define your rules on the respective interface tab.
-
@viragomann I have an interface for the OpenVPN and I have a pass rule.
I've mentioned in the first post, all resources accessible.
When I do Diagnostics -> Test Port from the VPS to the local pfSense I can see the port open and accessible.
But I cannot access the port from outside.
-
@lcs said in pfSense NAT rule to another pfSense:
I have an interface for the OpenVPN and I have a pass rule.
Can you show it, please?
Remove or disable the SMTP port forwarding on WAN if you didn't this already.
Edit the pass rule and enable logging. Try to access your SMTP then and post the firewall log.
I've mentioned in the first post, all resources accessible.
Did not doubt on this.
-
@viragomann From the VPS via the VPN Tunnel to the mail server
NAT Rule on the VPS
OpenVPN Allow rule on the pfSense.local
Local rule forwarding the outbound traffic to the VPS
When doing an external port test:
on the VPS I see hits
On the packet CAP
On the local pfSense I also see hits, but from the IP of the port test website, not the VPS firewall
And the packet cap from the local firewall
-
@lcs
I instructed you to remove all matching rules from the OpenVPN tab on the home pfSense. The communication would not work if any pass rule there is matching the forwarded traffic!
-
@viragomann You are correct. If there's a matching rule it's not working.
Why is that ?
When I disabled the matching rules it started working as expected.
-
@lcs
With the forwarding from the VPS you have incoming traffic from public sources on a non-default gateway. So responses from your SMTP server have to be directed back to the VPS.
To achieve this, pfSense can tag incoming traffic with the "reply-to" (gateway). This is done by the filter rule which allows the traffic in. Without this, the traffic would be sent out to the default gateway.
However, to apply the reply-to tag, pfSense has to know which gateway to reply to, for plausible reasons. pfSense uses the gateway which is assigned to the interface the rule is defined on.
But OpenVPN is not a certain interface; it is an interface group indeed, including all OpenVPN instances. And firewall rules on interface groups have priority over rules on member interfaces. Therefore such rules are probed first.
-
@viragomann Thanks for the clarification.
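To make the explanation in the last answers concrete, here is an added illustration in plain pf syntax (not rules from the thread or pfSense's own generated output): the group rule on the OpenVPN tab that breaks the return path, the assigned-interface rule that carries reply-to, and the policy-route rule suggested earlier for outbound SMTP. The interface names ovpns1 (assigned as VPS_VPN), em1 (LAN) and the tunnel gateway 10.8.0.1 are assumptions; 10.16.22.15 and tcp/25 come from the post.

```pf
# Added illustration, not pfSense's generated ruleset. Assumed names:
#   ovpns1   = OpenVPN instance to the VPS, assigned as interface VPS_VPN
#   10.8.0.1 = VPS end of the tunnel (gateway of the VPS_VPN interface)
#   em1      = LAN where the mail server 10.16.22.15 lives

# 1) Rule as created on the "OpenVPN" tab. "openvpn" is the interface
#    GROUP of all instances. Group rules are matched before rules on the
#    member interface and get no reply-to, so the SMTP reply leaves via the
#    default WAN gateway while the client expects it from the VPS. The
#    session never completes (only SYNs are seen on the mail server).
#    This rule has to be removed, or narrowed so it no longer matches
#    traffic forwarded from the VPS.
pass in quick on openvpn inet proto tcp from any to 10.16.22.15 port 25 \
    flags S/SA keep state

# 2) Same pass rule on the assigned interface tab (VPS_VPN). pfSense adds
#    reply-to with that interface's gateway, so states created here send
#    the mail server's answers back through the tunnel to the VPS.
pass in quick on ovpns1 reply-to (ovpns1 10.8.0.1) inet proto tcp \
    from any to 10.16.22.15 port 25 flags S/SA keep state

# 3) LAN rule with the VPN gateway selected, i.e. the "local rule which
#    forces traffic towards port 25 out the VPN gateway": outbound SMTP
#    from the mail server is policy-routed to the VPS instead of the
#    default gateway.
pass in quick on em1 route-to (ovpns1 10.8.0.1) inet proto tcp \
    from 10.16.22.15 to any port 25 flags S/SA keep state
```

To check what is actually loaded, run `pfctl -vvsr | grep -A2 10.16.22.15` on the home pfSense: the rule that should match inbound SMTP must be the one on ovpns1 showing reply-to, and no earlier rule on openvpn should match the same traffic.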