Netgate Discussion Forum

    can a firewall connection route packets ?

    OpenVPN
      coreybrett

      I noticed that I am able to establish an RDP connection that I wouldn't have expected to work.

      I have a router (Site A) with an OpenVPN server for mobile clients. The same router has a server for site to site with (Site B).

      The Site B router does not have routes configured for the mobile client network on Site A (it does have a route for Site A's LAN net).

      From a mobile client connected to Site A, I am able to establish an RDP connection to a box on the LAN of Site B.

      Does the established firewall connection on Site B's router allow packets from Site B's LAN to be routed back to Site A over the VPN link even though there is no route in the router's table for the destination network?

      Gertjan @coreybrett

        @coreybrett said in can a firewall connection route packets ?:

        Does the established firewall connection on Site B's router allow packets from Site B's LAN to be routed back

        If incoming traffic was allowed to reach 'a place', the firewall (router) states will handle the traffic going back.

        Your example:
        With your phone as a VPN client, you can connect to the VPN server, site A. The firewall rules of the VPN server on site A will decide 'where' you can go.
        Let's presume a "pass all" so you can go to every known address on site A.
        So you can access site A, pfSense itself, all its LAN-type interfaces, and why not, all its available WAN interfaces, and one of the WAN interfaces is probably the VPN "site to site" link that connects Site A to Site B.
        So, if your phone, using the VPN to site A, wants to access an IP address that exists on site B, and pfSense Site A knows that that IP (network) is reachable somewhere on Site B, it will transfer your phone traffic to Site B over the existing route, your site to site (VPN) connection.
        Traffic coming in Site B will, if local firewall rules allow it, reach the final IP.

        The traffic going back, as traffic is a dual direction stream, will be handled by all the routers involved. That's the beauty of using stateful router/firewalls.

        After all, when you set up a connection to www.facebook.com through I don't know how many routers, the traffic reaches Facebook.
        And - now you are not surprised ( ? ! ) - that you get an answer back.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs ??
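The two mechanisms this thread touches on are separate: the state table decides whether the RDP reply may pass the filter, and the routing table decides which interface it leaves by. Below is an added toy model (written for this page, not code from the thread, pfSense or OpenVPN) that runs the phone-to-LAN RDP flow through Site B's router with and without a route back to the mobile-client network; all addresses and interface names are constructed.

```python
import ipaddress

# Constructed topology for Site B's router (made-up addresses, not the poster's):
#   LAN         192.168.2.0/24  -> "lan"    (192.168.2.10 is the RDP host)
#   Site A LAN  192.168.1.0/24  -> "ovpnc1" (the site-to-site tunnel)
#   10.8.0.0/24 is Site A's mobile-client pool; the phone is 10.8.0.6.
ROUTES = {"192.168.2.0/24": "lan", "192.168.1.0/24": "ovpnc1"}


class StatefulRouter:
    """Toy model of a stateful firewall/router: a state table that decides
    whether a packet may pass, and a longest-prefix-match routing table that
    decides which interface it leaves by. The two are independent."""

    def __init__(self, routes, default=None):
        self.routes = {ipaddress.ip_network(n): i for n, i in routes.items()}
        self.default = default          # e.g. "wan" when a default route exists
        self.states = set()             # (src, sport, dst, dport) of the initiator

    def lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if ip in n]
        if matches:
            return self.routes[max(matches, key=lambda n: n.prefixlen)]
        return self.default

    def forward(self, src, sport, dst, dport, pass_rule):
        """Return the egress interface, or a string saying why the packet died."""
        key, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if key in self.states or reverse in self.states:
            pass                        # existing state: the filter passes the reply
        elif pass_rule:
            self.states.add(key)        # new flow matched a pass rule: keep state
        else:
            return "dropped: no rule"
        out = self.lookup(dst)          # the state entry does not supply a route
        return out if out else "dropped: no route"


def rdp_round_trip(default=None, extra_routes=None):
    """Phone 10.8.0.6 opens RDP to 192.168.2.10; the host replies."""
    router = StatefulRouter(dict(ROUTES, **(extra_routes or {})), default)
    request = router.forward("10.8.0.6", 50000, "192.168.2.10", 3389, pass_rule=True)
    reply = router.forward("192.168.2.10", 3389, "10.8.0.6", 50000, pass_rule=False)
    return request, reply

if __name__ == "__main__":
    print(rdp_round_trip())                                        # ('lan', 'dropped: no route')
    print(rdp_round_trip(default="wan"))                           # ('lan', 'wan')
    print(rdp_round_trip(extra_routes={"10.8.0.0/24": "ovpnc1"}))  # ('lan', 'ovpnc1')
```

The middle case is the one worth checking on a real box: with only a default route, the reply passes the filter but leaves via WAN instead of the tunnel, so a working session means some route back to the mobile-client network exists somewhere on the path.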

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.