[SOLVED] pfSense as OpenVPN client - issue with port forwarding



  • Hi guys,
    My pfSense acts as an OpenVPN client. I have another server elsewhere which is my OpenVPN server.
    My problem is with port forwarding from that server to the internal network behind pfSense.

    My OpenVPN server details:
    vpn ip: 10.8.0.1
    external: 1.1.1.1

    pfSense details:
    vpn ip: 10.8.0.10
    external ip: 2.2.2.2

    Now my setup and what works when I try to telnet to the server behind pfSense:
    10.8.0.1 > telnet to 10.8.0.10 = works
    telnet to 2.2.2.2 > nat 10.8.0.10 = works
    telnet to 1.1.1.1 > nat 10.8.0.10 is not working

    I have all the correct rules (I believe) in iptables on my VPN server, so I have a feeling that I am missing some rule on my pfSense so it can accept connections from my OpenVPN server when it's accessed via its external IP.

    Hope you can help.


  • Rebel Alliance Developer Netgate

    That won't work on 2.0.x because OpenVPN rules don't get reply-to.

    If you need that to work you need to:

    1. Upgrade to a 2.1 snapshot
    2. If you haven't already, assign the OpenVPN interface under Interfaces > (assign), enable it, ip type = none.
    3. Add the port forward on the assigned interface
    4. Make sure the firewall rule is on the assigned interface also.



  • Thanks jimp. Looks like I've got all that set up already, except that my pfSense is 2.0.2. I looked at the download links in the pfSense download section but I couldn't find any later version than the one I already have; even the pfSense dashboard says I'm on the latest.

    Where do I get the 2.1 version from?



  • I can answer for myself: http://snapshots.pfsense.org

    I will try that today when I get home and will let you know, guys.



  • It looks like this isn't fixing the problem. I have my pfSense upgraded to the 2.1 version now.
    I have checked the rules and everything looks good.
    I have a rule allowing traffic on port 32005 for the LAN interface, the OPT interface which is the TUN0, as well as on the OpenVPN tab, and still nothing.

    Would that be iptables on the other end? Below is the iptables configuration from my OpenVPN server on the other end:

    # Generated by iptables-save v1.4.8 on Mon Dec  3 16:25:31 2012
    *mangle
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [73567:12322231]
    :FORWARD ACCEPT [145057:14167096]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A PREROUTING -j ACCEPT
    -A OUTPUT -j ACCEPT
    -A OUTPUT -j ACCEPT
    -A POSTROUTING -j ACCEPT
    COMMIT
    # Completed on Mon Dec  3 16:25:31 2012
    # Generated by iptables-save v1.4.8 on Mon Dec  3 16:25:31 2012
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    :In_RULE_0 - [0:0]
    :In_RULE_1 - [0:0]
    :In_RULE_2 - [0:0]
    :In_RULE_3 - [0:0]
    :In_RULE_4 - [0:0]
    :In_RULE_5 - [0:0]
    :In_RULE_6 - [0:0]
    :In_RULE_7 - [0:0]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -j ACCEPT
    -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
    -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    -A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -d 10.8.0.1/32 -i eth0 -p tcp -m tcp --dport 32005 -m state --state NEW -j In_RULE_0
    -A FORWARD -d 10.8.0.1/32 -i eth0 -p tcp -m tcp --dport 34000 -m state --state NEW -j In_RULE_0
    -A FORWARD -s 10.8.0.0/24 -j ACCEPT
    -A FORWARD -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -j ACCEPT
    -A In_RULE_0 -j LOG --log-prefix "RULE 0 -- ACCEPT " --log-level 6
    -A In_RULE_0 -j ACCEPT
    COMMIT
    # Completed on Mon Dec  3 16:25:31 2012
    # Generated by iptables-save v1.4.8 on Mon Dec  3 16:25:31 2012
    *nat
    :PREROUTING ACCEPT [1746:107636]
    :POSTROUTING ACCEPT [1431:77504]
    :OUTPUT ACCEPT [13:865]
    -A PREROUTING -d vpnip/32 -p tcp -m tcp --dport 32005 -j DNAT --to-destination 10.8.0.10:32005
    -A PREROUTING -d vpnip/32 -p tcp -m tcp --dport 34000 -j DNAT --to-destination 10.8.0.10:34000
    -A POSTROUTING -o eth0 -j SNAT --to-source vpnip
    COMMIT
    # Completed on Mon Dec  3 16:25:31 2012


  • Rebel Alliance Developer Netgate

    Check /tmp/rules.debug, make sure it shows the rules for your OpenVPN interface, both the rdr and the pass rule, and post them here (or just post the whole /tmp/rules.debug).



  • From what I see all looks OK, but maybe you will be able to catch something. Just so you know, we are talking about the interfaces russia and hostkey.

    $ cat /tmp/rules.debug
    set limit tables 3000
    set limit table-entries 200000
    set optimization normal
    set timeout { adaptive.start 0, adaptive.end 0 }
    set limit states 102000
    set limit src-nodes 102000

    #System aliases

    loopback = "{ lo0 }"
    WAN = "{ em0 }"
    LAN = "{ em1 }"
    RUSSIA = "{ em2 }"
    HOSTKEY = "{ ovpnc1 }"
    OpenVPN = "{ openvpn }"

    #SSH Lockout Table
    table <sshlockout> persist
    table <webconfiguratorlockout> persist
    #Snort tables
    table <snort2c>
    table <virusprot>
    # User Aliases

    # Gateways
    GWRussiaGW = " route-to ( em2 10.8.0.10 ) "
    GWGW_OPT2 = " route-to ( ovpnc1 10.8.0.11 ) "
    GWHOSTKEY_VPNV6 = " route-to ( ovpnc1 10.8.0.11 ) "

    set loginterface em1

    set skip on pfsync0

    scrub on $WAN all    fragment reassemble
    scrub on $LAN all    fragment reassemble
    scrub on $RUSSIA all    fragment reassemble
    scrub on $HOSTKEY all    fragment reassemble

    no nat proto carp
    no rdr proto carp
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"

    # Outbound NAT rules
    nat on $WAN  from 192.168.1.0/24 to any -> pfSense-External/32 port 1024:65535
    nat on $WAN  from 192.168.2.0/24 to any -> pfSense-External/32 port 1024:65535
    nat on $HOSTKEY  from 192.168.1.0/24 to 10.8.0.0/24 -> 10.8.0.10/32 port 1024:65535
    nat on $HOSTKEY  from 192.168.2.0/24 to 10.8.0.0/24 -> 10.8.0.10/32 port 1024:65535

    # Load balancing anchor
    rdr-anchor "relayd/*"

    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    table <vpn_networks> { 10.10.10.0/24 }
    table <negate_networks> { 10.10.10.0/24 }

    # NAT Inbound Redirects
    rdr on em0 proto { tcp udp } from any to any port 22 -> 192.168.2.10
    no nat on em0 proto tcp from (em0) to pfSense-External/32
    nat on em0 proto tcp from pfSense-External/32 to 192.168.2.10 port 22 -> (em0)

    rdr on ovpnc1 proto { tcp udp } from any to any port 32005 -> 192.168.2.12
    rdr on em0 proto { tcp udp } from any to any port 32005 -> 192.168.2.12
    no nat on em0 proto tcp from (em0) to pfSense-External/32
    nat on em0 proto tcp from pfSense-External/32 to 192.168.2.12 port 32005 -> (em0)

    rdr on openvpn proto { tcp udp } from any to any port 32005 -> 192.168.2.12
    rdr on openvpn proto { tcp udp } from any to any port 34000 -> 192.168.2.12

    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"

    anchor "relayd/*"
    anchor "openvpn/*"
    anchor "ipsec/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log inet all label "Default deny rule IPv4"
    block out log inet all label "Default deny rule IPv4"
    block in log inet6 all label "Default deny rule IPv6"
    block out log inet6 all label "Default deny rule IPv6"

    # IPv6 ICMP is not auxilary, it is required for operation
    # See man icmp6(4)
    # 1    unreach        Destination unreachable
    # 2    toobig          Packet too big
    # 128  echoreq        Echo service request
    # 129  echorep        Echo service reply
    # 133  routersol      Router solicitation
    # 134  routeradv      Router advertisement
    # 135  neighbrsol      Neighbor solicitation
    # 136  neighbradv      Neighbor advertisement
    pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state

    # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state

    # We use the mighty pf, we cannot be fooled.
    block quick inet proto { tcp, udp } from any port = 0 to any
    block quick inet proto { tcp, udp } from any to any port = 0
    block quick inet6 proto { tcp, udp } from any port = 0 to any
    block quick inet6 proto { tcp, udp } from any to any port = 0

    # Snort package
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"

    # SSH lockout
    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

    # webConfigurator lockout
    block in log quick proto tcp from <webconfiguratorlockout> to any port 80 label "webConfiguratorlockout"
    block in quick from <virusprot> to any label "virusprot overload table"
    table <bogons> persist file "/etc/bogons"
    table <bogonsv6> persist file "/etc/bogonsv6"
    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
    block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
    block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
    antispoof for em0
    # block anything from private networks on interfaces with the option set
    antispoof for $WAN
    block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
    block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
    block in log quick on $WAN from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
    block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
    block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
    block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
    antispoof for em1
    # allow access to DHCP server on LAN
    pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in quick on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
    pass out quick on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"

    # allow access to DHCP server on RUSSIA
    pass in quick on $RUSSIA proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in quick on $RUSSIA proto udp from any port = 68 to 192.168.2.1 port = 67 label "allow access to DHCP server"
    pass out quick on $RUSSIA proto udp from 192.168.2.1 port = 67 to any port = 68 label "allow access to DHCP server"

    # loopback
    pass in on $loopback inet all label "pass IPv4 loopback"
    pass out on $loopback inet all label "pass IPv4 loopback"
    pass in on $loopback inet6 all label "pass IPv6 loopback"
    pass out on $loopback inet6 all label "pass IPv6 loopback"

    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to ( ovpnc1 10.8.0.11 ) from 10.8.0.10 to !10.8.0.10/32 keep state allow-opts label "let out anything from firewall host itself"

    # make sure the user cannot lock himself out of the webConfigurator or SSH
    pass in quick on em1 proto tcp from any to (em1) port { 80 22 } keep state label "anti-lockout rule"

    # User-defined rules follow
    anchor "userrules/*"
    pass  in  quick  on $WAN  proto tcp  from any to pfSense-External port 80  flags S/SA keep state  label "USER_RULE"
    pass  in  quick  on $WAN  proto tcp  from any to any port 22  flags S/SA keep state  label "USER_RULE"
    pass  in  quick  on $WAN  proto tcp  from any to any port 32005  flags S/SA keep state  label "USER_RULE"
    pass  in  quick  on $WAN  proto udp  from any to pfSense-External port 1194  keep state  label "USER_RULE: OpenVPN WAN OpenVPN wizard"
    pass  in  quick  on $LAN  from 192.168.1.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
    pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: OpenVPN WAN OpenVPN wizard"
    pass  in  quick  on $OpenVPN  proto { tcp udp }  from any to  192.168.2.12 port 32005  keep state  label "USER_RULE: NAT "
    pass  in  quick  on $OpenVPN  proto { tcp udp }  from any to  192.168.2.12 port 34000  keep state  label "USER_RULE: NAT "
    pass  in  quick  on $RUSSIA  proto tcp  from any to any port 32005  flags S/SA keep state  label "USER_RULE"
    pass  in  quick  on $RUSSIA  from 192.168.2.1/24 to any keep state  label "USER_RULE"
    pass  in  quick  on $HOSTKEY reply-to ( ovpnc1 10.8.0.11 )  proto tcp  from any to any port 32005  flags S/SA keep state  label "USER_RULE"
    pass  in  quick  on $HOSTKEY reply-to ( ovpnc1 10.8.0.11 )  from any to any keep state  label "USER_RULE"

    # Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients
    # VPN Rules
    anchor "tftp-proxy/*"


  • Rebel Alliance Developer Netgate

    Remove the rules from the openvpn tab. Only have them on the assigned interface. It's matching that and not the reply-to rule.



  • jimp, this is working great right now.

    Thank you very much for your help.
    One thing that bothers me is, if there should be no rules on the OpenVPN tab, why does creating a VPN server on pfSense automatically create that TCP rule?


  • Rebel Alliance Developer Netgate

    You can have rules on the OpenVPN tab; just make sure they don't match the traffic that would be coming over the assigned interface. Meaning, specify a proper source on the rules for other VPN instances and not just use 'any', or at least make sure that they don't match the same exact traffic as the rules on the assigned interface.

    The wizard adds the any/any rule because most people don't want or need to assign the VPN interface and just want to pass in all traffic from the VPN to their LAN or internal networks.
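
The failure mode jimp describes can be checked from the rules.debug text itself: the rules on the OpenVPN tab are emitted on the `openvpn` group interface before the rules on the assigned interface, and because every user rule is `quick`, an earlier `pass in quick on $OpenVPN` that matches the same packets wins, so the state is created without `reply-to` and the reply leaves via the default route instead of back through the tunnel. The script below is an added example for this thread, not pfSense code and not something posted in it; it parses a constructed rules.debug excerpt modelled on the one above (macro lines plus `pass in quick` rules), and reports every group-tab rule that would intercept traffic a later reply-to rule on an `ovpn*` interface was meant to handle. It assumes pf's first-match semantics for `quick` rules and the rule layout pfSense 2.1 generates; the overlap test compares only proto, source, destination and port, so it is deliberately conservative (a narrower source on the group rule is still reported when the reply-to rule says `any`, since the text alone cannot tell which tunnel that source arrives on).

```python
"""Find OpenVPN-tab pass rules that shadow reply-to rules on an assigned
OpenVPN interface in a pfSense rules.debug.

Added example for this thread, not pfSense code. Assumptions: the rule text
has the shape shown in the thread's rules.debug, and pf evaluates 'quick'
rules first-match, so an earlier matching 'pass in quick on $OpenVPN' wins
over a later rule on the assigned interface that carries reply-to.
"""
import re

# Constructed excerpt modelled on the thread's rules.debug (not the actual
# file): two rules on the OpenVPN group tab, followed by the reply-to rules
# on the assigned interface HOSTKEY (ovpnc1).
BROKEN_RULES = """\
OpenVPN = "{ openvpn }"
HOSTKEY = "{ ovpnc1 }"
pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: OpenVPN WAN OpenVPN wizard"
pass  in  quick  on $OpenVPN  proto { tcp udp }  from any to  192.168.2.12 port 32005  keep state  label "USER_RULE: NAT "
pass  in  quick  on $HOSTKEY reply-to ( ovpnc1 10.8.0.11 )  proto tcp  from any to any port 32005  flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $HOSTKEY reply-to ( ovpnc1 10.8.0.11 )  from any to any keep state  label "USER_RULE"
"""

# The same ruleset after following the advice in the thread: the OpenVPN tab
# rules are removed, only the assigned-interface rules remain.
FIXED_RULES = "\n".join(
    line for line in BROKEN_RULES.splitlines() if "$OpenVPN" not in line
) + "\n"

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"\{\s*(\S+)\s*\}"')
RULE_RE = re.compile(
    r"^pass\s+in\s+quick\s+on\s+\$(?P<iface>\w+)"
    r"(?:\s+reply-to\s+\((?P<replyto>[^)]*)\))?"
    r"(?:\s+proto\s+(?P<proto>\{[^}]*\}|\w+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s+(?P<port>\d+))?"
)


def parse_macros(text):
    """Map macro names (OpenVPN, HOSTKEY, ...) to the interface they stand for."""
    macros = {}
    for raw in text.splitlines():
        m = MACRO_RE.match(raw.strip())
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def parse_rules(text):
    """Extract 'pass in quick' rules, in the order pf will evaluate them."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["protos"] = set(re.findall(r"\w+", r["proto"])) if r["proto"] else {"any"}
        r["port"] = r["port"] or "any"
        r["line"] = line
        rules.append(r)
    return rules


def _overlap(a, b):
    return a == "any" or b == "any" or a == b


def overlaps(a, b):
    """True when some packet that rule b would match is also matched by rule a."""
    protos_ok = ("any" in a["protos"] or "any" in b["protos"]
                 or bool(a["protos"] & b["protos"]))
    return (protos_ok and _overlap(a["src"], b["src"])
            and _overlap(a["dst"], b["dst"]) and _overlap(a["port"], b["port"]))


def find_shadowed(text):
    """Return (group_rule, replyto_rule) pairs: an earlier quick rule on the
    'openvpn' group interface, lacking reply-to, intercepts traffic that a
    later reply-to rule on an assigned ovpn* interface was meant to handle."""
    macros = parse_macros(text)
    rules = parse_rules(text)
    findings = []
    for j, b in enumerate(rules):
        if not b["replyto"] or not macros.get(b["iface"], "").startswith("ovpn"):
            continue
        for a in rules[:j]:
            if macros.get(a["iface"]) == "openvpn" and not a["replyto"] and overlaps(a, b):
                findings.append((a["line"], b["line"]))
    return findings


if __name__ == "__main__":
    for shadow, victim in find_shadowed(BROKEN_RULES):
        print("SHADOWED: %s\n      by: %s\n" % (victim, shadow))
    print("after fix: %d findings" % len(find_shadowed(FIXED_RULES)))
```

Run against the broken excerpt it reports both HOSTKEY reply-to rules as shadowed by both OpenVPN-tab rules; against the fixed excerpt it reports nothing. To use it on a real box, replace `BROKEN_RULES` with the contents of /tmp/rules.debug; the macro names and `ovpnc`/`ovpns` interface prefixes are the ones pfSense itself writes.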

