Netgate Discussion Forum
    [SOLVED]pfsense as openvpn client - issue with port forwarding

    10 Posts 2 Posters 20.1k Views
makbet

Hi guys
My pfSense acts as an OpenVPN client. I have another server elsewhere which is my OpenVPN server.
My problem is with port forwarding from that server to the internal network behind pfSense.

My OpenVPN server details:
vpn ip: 10.8.0.1
external: 1.1.1.1

pfSense details:
vpn ip: 10.8.0.10
external ip: 2.2.2.2

Now my setup and what works when I try to telnet to the server behind pfSense:
10.8.0.1 > telnet to 10.8.0.10 = works
telnet to 2.2.2.2 > nat 10.8.0.10 = works
telnet to 1.1.1.1 > nat 10.8.0.10 is not working

I have all the correct rules (I believe) in iptables on my VPN server, so I have a feeling that I am missing some rule on my pfSense so it can accept connections from my OpenVPN server when it's accessed via its external IP.

      Hope you can help.

jimp (Rebel Alliance Developer, Netgate)

        That won't work on 2.0.x because OpenVPN rules don't get reply-to.

        If you need that to work you need to:

        1. Upgrade to a 2.1 snapshot
        2. If you haven't already, assign the OpenVPN interface under Interfaces > (assign), enable it, ip type = none.
        3. Add the port forward on the assigned interface
        4. Make sure the firewall rule is on the assigned interface also.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

makbet

Thanks jimp. Looks like I've got all that set up already, except that my pfSense is 2.0.2. I looked at the download links in the pfSense download section but I couldn't find any later version than the one I have already; even the pfSense dashboard says I'm on the latest.

Where do I get the 2.1 version from?

makbet

I can answer for myself: http://snapshots.pfsense.org

I will try that today when I get home and will let you know, guys.

makbet

It looks like this isn't fixing the problem. I have my pfSense upgraded to the 2.1 version now.
I have checked the rules and everything looks good.
I have a rule allowing traffic on port 32005 for the LAN interface, the OPT interface which is tun0, as well as on the OpenVPN tab, and still nothing.

Would that be iptables on the other end? Below is the iptables dump from my OpenVPN server on the other end:

# Generated by iptables-save v1.4.8 on Mon Dec  3 16:25:31 2012
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [73567:12322231]
:FORWARD ACCEPT [145057:14167096]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j ACCEPT
-A POSTROUTING -j ACCEPT
COMMIT
# Completed on Mon Dec  3 16:25:31 2012
# Generated by iptables-save v1.4.8 on Mon Dec  3 16:25:31 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:In_RULE_0 - [0:0]
:In_RULE_1 - [0:0]
:In_RULE_2 - [0:0]
:In_RULE_3 - [0:0]
:In_RULE_4 - [0:0]
:In_RULE_5 - [0:0]
:In_RULE_6 - [0:0]
:In_RULE_7 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.8.0.1/32 -i eth0 -p tcp -m tcp --dport 32005 -m state --state NEW -j In_RULE_0
-A FORWARD -d 10.8.0.1/32 -i eth0 -p tcp -m tcp --dport 34000 -m state --state NEW -j In_RULE_0
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
-A In_RULE_0 -j LOG --log-prefix "RULE 0 -- ACCEPT " --log-level 6
-A In_RULE_0 -j ACCEPT
COMMIT
# Completed on Mon Dec  3 16:25:31 2012
# Generated by iptables-save v1.4.8 on Mon Dec  3 16:25:31 2012
*nat
:PREROUTING ACCEPT [1746:107636]
:POSTROUTING ACCEPT [1431:77504]
:OUTPUT ACCEPT [13:865]
-A PREROUTING -d vpnip/32 -p tcp -m tcp --dport 32005 -j DNAT --to-destination 10.8.0.10:32005
-A PREROUTING -d vpnip/32 -p tcp -m tcp --dport 34000 -j DNAT --to-destination 10.8.0.10:34000
-A POSTROUTING -o eth0 -j SNAT --to-source vpnip
COMMIT
# Completed on Mon Dec  3 16:25:31 2012

jimp

                Check /tmp/rules.debug, make sure it shows the rules for your openvpn interface, both the rdr and the pass rule, and post them here (or just post the whole /tmp/rules.debug)


makbet

From what I see, all looks OK, but maybe you will be able to catch something. Just so you know, we are talking about the interfaces russia and hostkey.

$ cat /tmp/rules.debug
set limit tables 3000
set limit table-entries 200000
set optimization normal
set timeout { adaptive.start 0, adaptive.end 0 }
set limit states 102000
set limit src-nodes 102000

#System aliases

loopback = "{ lo0 }"
WAN = "{ em0 }"
LAN = "{ em1 }"
RUSSIA = "{ em2 }"
HOSTKEY = "{ ovpnc1 }"
OpenVPN = "{ openvpn }"

#SSH Lockout Table
table <sshlockout> persist
table <webconfiguratorlockout> persist
#Snort tables
table <snort2c>
table <virusprot>
# User Aliases

# Gateways
GWRussiaGW = " route-to ( em2 10.8.0.10 ) "
GWGW_OPT2 = " route-to ( ovpnc1 10.8.0.11 ) "
GWHOSTKEY_VPNV6 = " route-to ( ovpnc1 10.8.0.11 ) "

set loginterface em1

set skip on pfsync0

scrub on $WAN all    fragment reassemble
scrub on $LAN all    fragment reassemble
scrub on $RUSSIA all    fragment reassemble
scrub on $HOSTKEY all    fragment reassemble

no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules
nat on $WAN  from 192.168.1.0/24 to any -> pfSense-External/32 port 1024:65535
nat on $WAN  from 192.168.2.0/24 to any -> pfSense-External/32 port 1024:65535
nat on $HOSTKEY  from 192.168.1.0/24 to 10.8.0.0/24 -> 10.8.0.10/32 port 1024:65535
nat on $HOSTKEY  from 192.168.2.0/24 to 10.8.0.0/24 -> 10.8.0.10/32 port 1024:65535

# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
table <vpn_networks> { 10.10.10.0/24 }
table <negate_networks> { 10.10.10.0/24 }

# NAT Inbound Redirects
rdr on em0 proto { tcp udp } from any to any port 22 -> 192.168.2.10
no nat on em0 proto tcp from (em0) to pfSense-External/32
nat on em0 proto tcp from pfSense-External/32 to 192.168.2.10 port 22 -> (em0)

rdr on ovpnc1 proto { tcp udp } from any to any port 32005 -> 192.168.2.12
rdr on em0 proto { tcp udp } from any to any port 32005 -> 192.168.2.12
no nat on em0 proto tcp from (em0) to pfSense-External/32
nat on em0 proto tcp from pfSense-External/32 to 192.168.2.12 port 32005 -> (em0)

rdr on openvpn proto { tcp udp } from any to any port 32005 -> 192.168.2.12
rdr on openvpn proto { tcp udp } from any to any port 34000 -> 192.168.2.12

# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
anchor "openvpn/*"
anchor "ipsec/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log inet all label "Default deny rule IPv4"
block out log inet all label "Default deny rule IPv4"
block in log inet6 all label "Default deny rule IPv6"
block out log inet6 all label "Default deny rule IPv6"

# IPv6 ICMP is not auxilary, it is required for operation
# See man icmp6(4)
# 1    unreach         Destination unreachable
# 2    toobig          Packet too big
# 128  echoreq         Echo service request
# 129  echorep         Echo service reply
# 133  routersol       Router solicitation
# 134  routeradv       Router advertisement
# 135  neighbrsol      Neighbor solicitation
# 136  neighbradv      Neighbor advertisement
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state

# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state

# We use the mighty pf, we cannot be fooled.
block quick inet proto { tcp, udp } from any port = 0 to any
block quick inet proto { tcp, udp } from any to any port = 0
block quick inet6 proto { tcp, udp } from any port = 0 to any
block quick inet6 proto { tcp, udp } from any to any port = 0

# Snort package
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"

# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

# webConfigurator lockout
block in log quick proto tcp from <webconfiguratorlockout> to any port 80 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"
table <bogons> persist file "/etc/bogons"
table <bogonsv6> persist file "/etc/bogonsv6"

# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
antispoof for em0

# block anything from private networks on interfaces with the option set
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block in log quick on $WAN from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
antispoof for em1

# allow access to DHCP server on LAN
pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
pass out quick on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"

# allow access to DHCP server on RUSSIA
pass in quick on $RUSSIA proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $RUSSIA proto udp from any port = 68 to 192.168.2.1 port = 67 label "allow access to DHCP server"
pass out quick on $RUSSIA proto udp from 192.168.2.1 port = 67 to any port = 68 label "allow access to DHCP server"

# loopback
pass in on $loopback inet all label "pass IPv4 loopback"
pass out on $loopback inet all label "pass IPv4 loopback"
pass in on $loopback inet6 all label "pass IPv6 loopback"
pass out on $loopback inet6 all label "pass IPv6 loopback"

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to ( ovpnc1 10.8.0.11 ) from 10.8.0.10 to !10.8.0.10/32 keep state allow-opts label "let out anything from firewall host itself"

# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on em1 proto tcp from any to (em1) port { 80 22 } keep state label "anti-lockout rule"

# User-defined rules follow
anchor "userrules/*"
pass  in  quick  on $WAN  proto tcp  from any to pfSense-External port 80  flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $WAN  proto tcp  from any to any port 22  flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $WAN  proto tcp  from any to any port 32005  flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $WAN  proto udp  from any to pfSense-External port 1194  keep state  label "USER_RULE: OpenVPN WAN OpenVPN wizard"
pass  in  quick  on $LAN  from 192.168.1.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: OpenVPN WAN OpenVPN wizard"
pass  in  quick  on $OpenVPN  proto { tcp udp }  from any to  192.168.2.12 port 32005  keep state  label "USER_RULE: NAT "
pass  in  quick  on $OpenVPN  proto { tcp udp }  from any to  192.168.2.12 port 34000  keep state  label "USER_RULE: NAT "
pass  in  quick  on $RUSSIA  proto tcp  from any to any port 32005  flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $RUSSIA  from 192.168.2.1/24 to any keep state  label "USER_RULE"
pass  in  quick  on $HOSTKEY reply-to ( ovpnc1 10.8.0.11 )  proto tcp  from any to any port 32005  flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $HOSTKEY reply-to ( ovpnc1 10.8.0.11 )  from any to any keep state  label "USER_RULE"

# Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients

# VPN Rules

anchor "tftp-proxy/*"

jimp

                    Remove the rules from the openvpn tab. Only have them on the assigned interface. It's matching that and not the reply-to rule.


makbet
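Added example, not from this thread and not pfSense's own code: a small Python check that reads a /tmp/rules.debug and reports rules on the `openvpn` group interface that would match the same traffic as a reply-to rule on an assigned ovpnc/ovpns interface, which is the shadowing jimp describes. pf evaluates rules top down and `quick` stops at the first match, so an OpenVPN-tab `pass` without reply-to that sits above the assigned-interface rule wins, and the reply leaves via the default gateway instead of going back into the tunnel. The ruleset embedded in the script is constructed, modelled on the dump posted above; the matching is a coarse overlap check (a field matches when either side is `any` or both are equal) and does not reproduce pf's full semantics.

```python
"""Find pfSense OpenVPN-tab rules that shadow reply-to rules on an assigned
OpenVPN interface (ovpncN / ovpnsN) by reading /tmp/rules.debug.

pf evaluates rules in order and 'quick' stops at the first match, so a pass
rule on the 'openvpn' group without reply-to that precedes the assigned
interface's rule wins and replies leave via the default gateway."""
import re
import sys

GROUP_IFACE = "openvpn"                      # pf group containing every OpenVPN instance
ASSIGNED_RE = re.compile(r"^ovpn[cs]\d+$")   # assigned OpenVPN client/server interfaces
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"\{\s*(\S+)\s*\}"\s*$')
RULE_RE = re.compile(r"^(?P<action>pass|rdr)\s+(?:in\s+)?(?:quick\s+)?on\s+\$?(?P<iface>\S+)(?P<rest>.*)$")
PROTO_RE = re.compile(r"proto\s+(\{[^}]*\}|\S+)")
SRC_RE = re.compile(r"\bfrom\s+(\S+)")
DST_RE = re.compile(r"(?<![\w-])to\s+(\S+)(.*)$")   # skips 'reply-to' / 'route-to'
PORT_RE = re.compile(r"port\s+(?:=\s*)?(\S+)")

# Constructed sample, modelled on the rules.debug posted in this thread.
SAMPLE_RULES = """\
HOSTKEY = "{ ovpnc1 }"
OpenVPN = "{ openvpn }"
rdr on ovpnc1 proto { tcp udp } from any to any port 32005 -> 192.168.2.12
rdr on openvpn proto { tcp udp } from any to any port 32005 -> 192.168.2.12
rdr on openvpn proto { tcp udp } from any to any port 34000 -> 192.168.2.12
pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: OpenVPN WAN OpenVPN wizard"
pass  in  quick  on $OpenVPN  proto { tcp udp }  from any to  192.168.2.12 port 32005  keep state  label "USER_RULE: NAT "
pass  in  quick  on $HOSTKEY reply-to ( ovpnc1 10.8.0.11 )  proto tcp  from any to any port 32005  flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $HOSTKEY reply-to ( ovpnc1 10.8.0.11 )  from any to any keep state  label "USER_RULE"
"""


def parse_rules(text):
    """Return the pass/rdr rules of a rules.debug as dicts of comparable fields."""
    macros, rules = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        m = MACRO_RE.match(line)
        if m:                                  # e.g. HOSTKEY = "{ ovpnc1 }"
            macros[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        proto = PROTO_RE.search(rest)
        protos = set(proto.group(1).strip("{} ").replace(",", " ").split()) if proto else {"any"}
        src = SRC_RE.search(rest)
        dst = DST_RE.search(rest)
        port = PORT_RE.search(dst.group(2)) if dst else None   # only the destination port
        rules.append({
            "line": lineno,
            "action": m.group("action"),
            "iface": macros.get(m.group("iface"), m.group("iface")),  # resolve $MACRO
            "reply_to": "reply-to" in rest,
            "protos": protos,
            "src": src.group(1) if src else "any",
            "dst": dst.group(1) if dst else "any",
            "port": port.group(1) if port else "any",
        })
    return rules


def overlaps(a, b):
    """Coarse check: can both rules match the same packet?"""
    if "any" not in (a["protos"] | b["protos"]) and not (a["protos"] & b["protos"]):
        return False
    return all(a[k] == "any" or b[k] == "any" or a[k] == b[k]
               for k in ("src", "dst", "port"))


def find_shadowing(text):
    """Return (group_rule_line, assigned_rule_line, message) for every OpenVPN-tab
    rule that duplicates or shadows a rule on an assigned OpenVPN interface."""
    rules = parse_rules(text)
    assigned = [r for r in rules if ASSIGNED_RE.match(r["iface"])]
    findings = []
    for g in (r for r in rules if r["iface"] == GROUP_IFACE):
        for a in assigned:
            if a["action"] != g["action"] or not overlaps(g, a):
                continue
            if g["action"] == "rdr":
                findings.append((g["line"], a["line"],
                                 "port forward on the OpenVPN tab duplicates the one on " + a["iface"]))
            elif a["reply_to"] and not g["reply_to"] and g["line"] < a["line"]:
                findings.append((g["line"], a["line"],
                                 "pass rule without reply-to is evaluated before the reply-to rule on " + a["iface"]))
    return findings


if __name__ == "__main__":
    # usage: python check_ovpn_shadow.py /tmp/rules.debug   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for g_line, a_line, msg in find_shadowing(text):
        print("line %d vs line %d: %s" % (g_line, a_line, msg))
```

Run against the sample, it reports the wizard's any/any rule and the port 32005 rule on the OpenVPN tab as shadowing both HOSTKEY reply-to rules, plus the duplicate port-32005 rdr; remove those OpenVPN-tab rules (or give them a source that cannot match the assigned interface's traffic, as jimp suggests below) and it reports nothing.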

jimp, this is working great right now.

Thank you very much for your help.
One thing that bothers me is, if there should be no rules on the OpenVPN tab, why does creating a VPN server on pfSense automatically create that TCP rule?

jimp

You can have rules on the OpenVPN tab, just make sure they don't match the traffic that would be coming over the assigned interface. Meaning, specify a proper source on the rules for other VPN instances and not just use 'any', or at least make sure that they don't match the same exact traffic as the rules on the assigned interface.

                        The wizard adds the any/any rule because most people don't want nor need to assign the VPN interface and just want to pass in all traffic from the VPN to their LAN or internal networks.


                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.