Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Can only connect to VPN from internal network not from External

    Scheduled Pinned Locked Moved OpenVPN
    16 Posts 2 Posters 667 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E Offline
      evang @johnpoz
      last edited by

      @johnpoz

      This is what I have for that interface

      Screenshot 2024-10-05 at 11.36.12 AM.png

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ Online
        johnpoz LAYER 8 Global Moderator @evang
        last edited by

        @evang as I thought that is a rfc1918 address 192.168.x.x - so unless you forward port 1194 on that router in front of pfsense that has your public IP on it to this 192.168.x.x of pfsense. Pfsense would never see any traffic to allow for making a openvpn connection on port 1194

        It might be better to remove that router from your network.. If it is providing wifi, move it to be behind pfsense and just use it as an Access Point.

        Users also confuse modem and gateway, if that device you call is actually a gateway and not a true say cable modem only and a gateway that is a modem/router combo then you could be behind 2 nats before pfsense wan IP.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        E 1 Reply Last reply Reply Quote 0
        • E Offline
          evang @johnpoz
          last edited by

          @johnpoz

          I may take your advice on moving the router behind it but I may do that later down the road. I went into my router settings and found the port forwarding settings. Does this look correct?

          Screenshot 2024-10-05 at 12.36.54 PM.png

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ Online
            johnpoz LAYER 8 Global Moderator @evang
            last edited by

            @evang yeah that should work.. As long as this router actually has a public IP on its wan, and not behind another nat device that your calling a modem on your drawing.. and that 192.168.x.x address is pfsense wan IP.

            btw little reason to hide a rfc1918 address.. They do not route on the internet, and everyone uses them as well.

            For example my lan is 192.168.9.0/24 with my pc on 192.168.9.100 and pfsense IP is 192.168.9.253 - is there something you could glean from that info? That would give any clue to where I am at? Might as well tell you I live on the planet earth ;)

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

            E 1 Reply Last reply Reply Quote 0
            • E Offline
              evang @johnpoz
              last edited by

              @johnpoz

              You are 100% correct that would not provide any insight at all lol, Still learning so forgive me.
              How would I verify if my router has a public IP? I have a netgear router

              johnpozJ 1 Reply Last reply Reply Quote 0
              • johnpozJ Online
                johnpoz LAYER 8 Global Moderator @evang
                last edited by johnpoz

                @evang you should be able to look on your netgear router gui for its wan info.. What is the model number of the thing your calling a modem in your drawing.. From the model number can tell you if just a modem, or a gateway (modem/router combo) for example I have a arris S33 it just a cable modem.. not nat.

                Another way to tell if that device is a gateway - does it have more than 1 ethernet ports.. Some new modems have 2, mine has 1 1ge and another 2.5ge interface.. But if it has like 4 or something that yeah its a gateway and just not a modem.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                E 1 Reply Last reply Reply Quote 0
                • E Offline
                  evang @johnpoz
                  last edited by

                  @johnpoz

                  My modem is a Netgear CM700. I think it is just a modem so no NAT. I am not seeing in the settings where the public IP of my Router is

                  johnpozJ 1 Reply Last reply Reply Quote 0
                  • johnpozJ Online
                    johnpoz LAYER 8 Global Moderator @evang
                    last edited by

                    @evang what netgear is it? yeah a cm700 is just a modem.. So the netgear should have public on it.. If you go to like whats my IP that should be what your public is so yeah setting the port forward on there should work - if your ddns is pointing to the correct IP.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                    E 1 Reply Last reply Reply Quote 0
                    • E Offline
                      evang @johnpoz
                      last edited by

                      @johnpoz

                      I got it working now! Thank you so much! So, lessons learned here. If I want to access resources behind a router, I will need to use port forwarding in order to properly route the traffic to that machine. Correct?

                      johnpozJ 1 Reply Last reply Reply Quote 0
                      • johnpozJ Online
                        johnpoz LAYER 8 Global Moderator @evang
                        last edited by

                        @evang yeah and you have 2 nat routers so you would have to port forward twice if you have something behind pfsense

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.