Netgate Discussion Forum

[SOLVED]pfsense as openvpn client - issue with port forwarding

Category: OpenVPN
10 Posts, 2 Posters, 20.1k Views
    makbet, Jan 22, 2013, 9:18 AM (last edited Jan 23, 2013, 9:13 AM)

    Hi guys,
    My pfsense acts as an OpenVPN client. I have another server elsewhere which is my OpenVPN server.
    My problem is with port forwarding from that server to the internal network behind pfsense.

    My openvpn server details:
    vpn ip: 10.8.0.1
    external: 1.1.1.1

    pfsense details:
    vpn ip: 10.8.0.10
    external ip: 2.2.2.2

    Now my setup and what works when I try to telnet to the server behind pfsense:
    10.8.0.1 > telnet to 10.8.0.10 = works
    telnet to 2.2.2.2 > nat 10.8.0.10 = works
    telnet to 1.1.1.1 > nat 10.8.0.10 is not working

    I have all the correct rules (I believe) in iptables on my VPN server, so I have a feeling that I am missing some rule on my pfsense so it can accept connections from my OpenVPN server when it's accessed via its external IP.

    Hope you can help.

      jimp (Rebel Alliance Developer, Netgate), last edited Jan 22, 2013, 1:20 PM

      That won't work on 2.0.x because OpenVPN rules don't get reply-to.

      If you need that to work you need to:

      1. Upgrade to a 2.1 snapshot
      2. If you haven't already, assign the OpenVPN interface under Interfaces > (assign), enable it, ip type = none.
      3. Add the port forward on the assigned interface
      4. Make sure the firewall rule is on the assigned interface also.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        makbet, last edited Jan 22, 2013, 2:25 PM

        Thanks jimp. Looks like I've got all that set up already, except that my pfsense is 2.0.2. I looked at the download links in the pfsense download section but I couldn't find any later version than the one I already have; even the pfsense dashboard says I'm on the latest.

        Where do I get the 2.1 version from?

          makbet, last edited Jan 22, 2013, 2:29 PM

          I can answer for myself: http://snapshots.pfsense.org

          I will try that today when I get home and will let you know, guys.

            makbet, last edited Jan 22, 2013, 9:25 PM

            It looks like this isn't fixing the problem. I have my pfsense upgraded to the 2.1 version now.
            I have checked the rules and everything looks good.
            I have a rule allowing traffic on port 32005 for the LAN interface, the OPT interface which is TUN0, as well as on the OpenVPN tab, and still nothing.

            Would that be iptables on the other end? Below is the iptables configuration from my OpenVPN server on the other end:

            # Generated by iptables-save v1.4.8 on Mon Dec  3 16:25:31 2012
            *mangle
            :PREROUTING ACCEPT [0:0]
            :INPUT ACCEPT [73567:12322231]
            :FORWARD ACCEPT [145057:14167096]
            :OUTPUT ACCEPT [0:0]
            :POSTROUTING ACCEPT [0:0]
            -A PREROUTING -j ACCEPT
            -A OUTPUT -j ACCEPT
            -A OUTPUT -j ACCEPT
            -A POSTROUTING -j ACCEPT
            COMMIT
            # Completed on Mon Dec  3 16:25:31 2012
            # Generated by iptables-save v1.4.8 on Mon Dec  3 16:25:31 2012
            *filter
            :INPUT DROP [0:0]
            :FORWARD DROP [0:0]
            :OUTPUT DROP [0:0]
            :In_RULE_0 - [0:0]
            :In_RULE_1 - [0:0]
            :In_RULE_2 - [0:0]
            :In_RULE_3 - [0:0]
            :In_RULE_4 - [0:0]
            :In_RULE_5 - [0:0]
            :In_RULE_6 - [0:0]
            :In_RULE_7 - [0:0]
            -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
            -A INPUT -j ACCEPT
            -A INPUT -p udp -m udp --dport 1194 -j ACCEPT
            -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
            -A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
            -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
            -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
            -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
            -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
            -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
            -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
            -A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT
            -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
            -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
            -A FORWARD -d 10.8.0.1/32 -i eth0 -p tcp -m tcp --dport 32005 -m state --state NEW -j In_RULE_0
            -A FORWARD -d 10.8.0.1/32 -i eth0 -p tcp -m tcp --dport 34000 -m state --state NEW -j In_RULE_0
            -A FORWARD -s 10.8.0.0/24 -j ACCEPT
            -A FORWARD -j ACCEPT
            -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
            -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
            -A OUTPUT -j ACCEPT
            -A In_RULE_0 -j LOG --log-prefix "RULE 0 -- ACCEPT " --log-level 6
            -A In_RULE_0 -j ACCEPT
            COMMIT
            # Completed on Mon Dec  3 16:25:31 2012
            # Generated by iptables-save v1.4.8 on Mon Dec  3 16:25:31 2012
            *nat
            :PREROUTING ACCEPT [1746:107636]
            :POSTROUTING ACCEPT [1431:77504]
            :OUTPUT ACCEPT [13:865]
            -A PREROUTING -d vpnip/32 -p tcp -m tcp --dport 32005 -j DNAT --to-destination 10.8.0.10:32005
            -A PREROUTING -d vpnip/32 -p tcp -m tcp --dport 34000 -j DNAT --to-destination 10.8.0.10:34000
            -A POSTROUTING -o eth0 -j SNAT --to-source vpnip
            COMMIT
            # Completed on Mon Dec  3 16:25:31 2012

              jimp (Rebel Alliance Developer, Netgate), last edited Jan 22, 2013, 10:12 PM
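The question in the post above is whether the server-side iptables ruleset is what blocks the forwarded connection. The following Python tracer is an added example, not the poster's tooling or anything from the thread: it parses an iptables-save dump and, for every DNAT rule in nat PREROUTING, runs the post-DNAT packet through the filter table's FORWARD chain the way netfilter does (first terminating match wins, LOG is non-terminating, user chains fall through). It assumes the poster's `vpnip` placeholder stands for the server's public address 1.1.1.1 from the first post, and uses a constructed client source address 203.0.113.5 arriving on eth0.

```python
"""Offline tracer for DNAT'd flows in an iptables-save dump (added example)."""
import ipaddress
import shlex

# Constructed excerpt of the poster's server-side iptables-save output. The
# "vpnip" placeholder is assumed to be the server's public address (1.1.1.1);
# counters and chains not involved in forwarding are trimmed.
IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:In_RULE_0 - [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.8.0.1/32 -i eth0 -p tcp -m tcp --dport 32005 -m state --state NEW -j In_RULE_0
-A FORWARD -d 10.8.0.1/32 -i eth0 -p tcp -m tcp --dport 34000 -m state --state NEW -j In_RULE_0
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j ACCEPT
-A In_RULE_0 -j LOG --log-prefix "RULE 0 -- ACCEPT " --log-level 6
-A In_RULE_0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 1.1.1.1/32 -p tcp -m tcp --dport 32005 -j DNAT --to-destination 10.8.0.10:32005
-A PREROUTING -d 1.1.1.1/32 -p tcp -m tcp --dport 34000 -j DNAT --to-destination 10.8.0.10:34000
-A POSTROUTING -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT
"""

_ARITY = {"--tcp-flags": 2}          # options that take more than one argument
_TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def _parse_rule(tokens):
    """Reduce one '-A ...' line to the match fields this tracer understands.
    Negation ('!') and most extension options are deliberately not modelled."""
    rule = {"text": " ".join(tokens), "states": None}
    i = 0
    while i < len(tokens):
        opt, n = tokens[i], _ARITY.get(tokens[i], 1)
        args = tokens[i + 1:i + 1 + n]
        i += 1 + n
        if opt == "-A":
            rule["chain"] = args[0]
        elif opt in ("-s", "-d"):
            rule[opt] = ipaddress.ip_network(args[0], strict=False)
        elif opt in ("-i", "-o", "-p", "-j", "--to-destination"):
            rule[opt] = args[0]
        elif opt in ("--dport", "--sport"):
            lo, _, hi = args[0].partition(":")       # single port or lo:hi range
            rule[opt] = (int(lo), int(hi or lo))
        elif opt == "--state":
            rule["states"] = set(args[0].split(","))
        # "-m <module>", --log-prefix, --to-source, ... carry no match semantics here
    return rule


def parse_iptables_save(text):
    """Return {table: {"policy": {chain: policy}, "chains": {chain: [rule, ...]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "chains": {}})
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]      # user-defined chains show "-"
            table["policy"][name] = policy
            table["chains"].setdefault(name, [])
        elif line.startswith("-A "):
            rule = _parse_rule(shlex.split(line))
            table["chains"].setdefault(rule["chain"], []).append(rule)
    return tables


def _matches(rule, pkt):
    if "-s" in rule and pkt["src"] not in rule["-s"]:
        return False
    if "-d" in rule and pkt["dst"] not in rule["-d"]:
        return False
    if "-i" in rule and rule["-i"] != pkt["in_if"]:
        return False
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "--dport" in rule and not rule["--dport"][0] <= pkt["dport"] <= rule["--dport"][1]:
        return False
    return rule["states"] is None or pkt["state"] in rule["states"]


def evaluate(table, chain, pkt):
    """Walk a chain like netfilter: first terminating match decides, LOG does not
    terminate, a user chain that decides nothing falls back to the caller.
    Returns (verdict, text of the deciding rule)."""
    for rule in table["chains"].get(chain, []):
        if not _matches(rule, pkt):
            continue
        target = rule.get("-j")
        if target in _TERMINAL:
            return target, rule["text"]
        if target == "RETURN":
            break
        if table["policy"].get(target) == "-":      # jump into a user chain
            verdict, by = evaluate(table, target, pkt)
            if verdict:
                return verdict, by
    policy = table["policy"].get(chain)
    return (policy, f"policy {chain} {policy}") if policy in _TERMINAL else (None, None)


def trace_dnat_flows(text, src="203.0.113.5", in_if="eth0"):
    """For each nat PREROUTING DNAT rule, run the *post-DNAT* packet (what FORWARD
    actually sees) through the filter FORWARD chain, and list port-specific
    FORWARD rules keyed on a different destination that can never match it."""
    tables = parse_iptables_save(text)
    nat, flt = tables["nat"], tables["filter"]
    results = []
    for rule in nat["chains"]["PREROUTING"]:
        if rule.get("-j") != "DNAT":
            continue
        new_ip, _, new_port = rule["--to-destination"].partition(":")
        dport = int(new_port) if new_port else rule["--dport"][0]
        pkt = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(new_ip),
               "in_if": in_if, "proto": rule.get("-p", "tcp"), "dport": dport, "state": "NEW"}
        verdict, by = evaluate(flt, "FORWARD", pkt)
        never = [r["text"] for r in flt["chains"]["FORWARD"]
                 if "--dport" in r and r["--dport"][0] <= dport <= r["--dport"][1]
                 and "-d" in r and pkt["dst"] not in r["-d"]]
        results.append({"public": f"{rule['-d'].network_address}:{rule['--dport'][0]}",
                        "target": f"{new_ip}:{dport}", "verdict": verdict,
                        "decided_by": by, "never_match": never})
    return results


if __name__ == "__main__":
    for flow in trace_dnat_flows(IPTABLES_SAVE):
        print(flow)
```

On this ruleset both redirected flows come back ACCEPT, so the server side is not what blocks the connection, which is consistent with where the thread ends up. The tracer also shows why the logging rules keyed on `-d 10.8.0.1/32` never fire for this traffic: the filter table's FORWARD chain runs after the nat PREROUTING DNAT has already rewritten the destination to 10.8.0.10, so the flow is passed by the catch-all `-A FORWARD -j ACCEPT` instead.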

              Check /tmp/rules.debug, make sure it shows the rules for your openvpn interface, both the rdr and the pass rule, and post them here (or just post the whole /tmp/rules.debug)


                makbet, last edited Jan 22, 2013, 11:28 PM

                From what I see, all looks OK, but maybe you will be able to catch something. Just so you know, we are talking about interfaces russia and hostkey.

                $ cat /tmp/rules.debug
                set limit tables 3000
                set limit table-entries 200000
                set optimization normal
                set timeout { adaptive.start 0, adaptive.end 0 }
                set limit states 102000
                set limit src-nodes 102000

                #System aliases

                loopback = "{ lo0 }"
                WAN = "{ em0 }"
                LAN = "{ em1 }"
                RUSSIA = "{ em2 }"
                HOSTKEY = "{ ovpnc1 }"
                OpenVPN = "{ openvpn }"

                #SSH Lockout Table
                table <sshlockout> persist
                table <webconfiguratorlockout> persist
                #Snort tables
                table <snort2c>
                table <virusprot>
                # User Aliases

                # Gateways
                GWRussiaGW = " route-to ( em2 10.8.0.10 ) "
                GWGW_OPT2 = " route-to ( ovpnc1 10.8.0.11 ) "
                GWHOSTKEY_VPNV6 = " route-to ( ovpnc1 10.8.0.11 ) "

                set loginterface em1

                set skip on pfsync0

                scrub on $WAN all    fragment reassemble
                scrub on $LAN all    fragment reassemble
                scrub on $RUSSIA all    fragment reassemble
                scrub on $HOSTKEY all    fragment reassemble

                no nat proto carp
                no rdr proto carp
                nat-anchor "natearly/*"
                nat-anchor "natrules/*"

                # Outbound NAT rules
                nat on $WAN  from 192.168.1.0/24 to any -> pfSense-External/32 port 1024:65535
                nat on $WAN  from 192.168.2.0/24 to any -> pfSense-External/32 port 1024:65535
                nat on $HOSTKEY  from 192.168.1.0/24 to 10.8.0.0/24 -> 10.8.0.10/32 port 1024:65535
                nat on $HOSTKEY  from 192.168.2.0/24 to 10.8.0.0/24 -> 10.8.0.10/32 port 1024:65535

                # Load balancing anchor
                rdr-anchor "relayd/*"
                # TFTP proxy
                rdr-anchor "tftp-proxy/*"
                table <vpn_networks> { 10.10.10.0/24 }
                table <negate_networks> { 10.10.10.0/24 }

                # NAT Inbound Redirects
                rdr on em0 proto { tcp udp } from any to any port 22 -> 192.168.2.10
                no nat on em0 proto tcp from (em0) to pfSense-External/32
                nat on em0 proto tcp from pfSense-External/32 to 192.168.2.10 port 22 -> (em0)

                rdr on ovpnc1 proto { tcp udp } from any to any port 32005 -> 192.168.2.12
                rdr on em0 proto { tcp udp } from any to any port 32005 -> 192.168.2.12
                no nat on em0 proto tcp from (em0) to pfSense-External/32
                nat on em0 proto tcp from pfSense-External/32 to 192.168.2.12 port 32005 -> (em0)

                rdr on openvpn proto { tcp udp } from any to any port 32005 -> 192.168.2.12
                rdr on openvpn proto { tcp udp } from any to any port 34000 -> 192.168.2.12

                # UPnPd rdr anchor
                rdr-anchor "miniupnpd"

                anchor "relayd/*"
                anchor "openvpn/*"
                anchor "ipsec/*"
                #---------------------------------------------------------------------------
                # default deny rules
                #---------------------------------------------------------------------------
                block in log inet all label "Default deny rule IPv4"
                block out log inet all label "Default deny rule IPv4"
                block in log inet6 all label "Default deny rule IPv6"
                block out log inet6 all label "Default deny rule IPv6"

                # IPv6 ICMP is not auxilary, it is required for operation
                # See man icmp6(4)
                # 1    unreach        Destination unreachable
                # 2    toobig          Packet too big
                # 128  echoreq        Echo service request
                # 129  echorep        Echo service reply
                # 133  routersol      Router solicitation
                # 134  routeradv      Router advertisement
                # 135  neighbrsol      Neighbor solicitation
                # 136  neighbradv      Neighbor advertisement
                pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state

                # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
                pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
                pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
                pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
                pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
                pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state

                # We use the mighty pf, we cannot be fooled.
                block quick inet proto { tcp, udp } from any port = 0 to any
                block quick inet proto { tcp, udp } from any to any port = 0
                block quick inet6 proto { tcp, udp } from any port = 0 to any
                block quick inet6 proto { tcp, udp } from any to any port = 0

                # Snort package
                block quick from <snort2c> to any label "Block snort2c hosts"
                block quick from any to <snort2c> label "Block snort2c hosts"

                # SSH lockout
                block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"

                # webConfigurator lockout
                block in log quick proto tcp from <webconfiguratorlockout> to any port 80 label "webConfiguratorlockout"
                block in quick from <virusprot> to any label "virusprot overload table"
                table <bogons> persist file "/etc/bogons"
                table <bogonsv6> persist file "/etc/bogonsv6"
                # block bogon networks
                # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
                # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
                block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
                block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
                antispoof for em0
                # block anything from private networks on interfaces with the option set
                antispoof for $WAN
                block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
                block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
                block in log quick on $WAN from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
                block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
                block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
                block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
                antispoof for em1

                # allow access to DHCP server on LAN
                pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
                pass in quick on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
                pass out quick on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"

                # allow access to DHCP server on RUSSIA
                pass in quick on $RUSSIA proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
                pass in quick on $RUSSIA proto udp from any port = 68 to 192.168.2.1 port = 67 label "allow access to DHCP server"
                pass out quick on $RUSSIA proto udp from 192.168.2.1 port = 67 to any port = 68 label "allow access to DHCP server"

                # loopback
                pass in on $loopback inet all label "pass IPv4 loopback"
                pass out on $loopback inet all label "pass IPv4 loopback"
                pass in on $loopback inet6 all label "pass IPv6 loopback"
                pass out on $loopback inet6 all label "pass IPv6 loopback"

                # let out anything from the firewall host itself and decrypted IPsec traffic
                pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
                pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
                pass out route-to ( ovpnc1 10.8.0.11 ) from 10.8.0.10 to !10.8.0.10/32 keep state allow-opts label "let out anything from firewall host itself"

                # make sure the user cannot lock himself out of the webConfigurator or SSH
                pass in quick on em1 proto tcp from any to (em1) port { 80 22 } keep state label "anti-lockout rule"

                # User-defined rules follow
                anchor "userrules/*"
                pass  in  quick  on $WAN  proto tcp  from any to pfSense-External port 80  flags S/SA keep state  label "USER_RULE"
                pass  in  quick  on $WAN  proto tcp  from any to any port 22  flags S/SA keep state  label "USER_RULE"
                pass  in  quick  on $WAN  proto tcp  from any to any port 32005  flags S/SA keep state  label "USER_RULE"
                pass  in  quick  on $WAN  proto udp  from any to pfSense-External port 1194  keep state  label "USER_RULE: OpenVPN WAN OpenVPN wizard"
                pass  in  quick  on $LAN  from 192.168.1.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
                pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: OpenVPN WAN OpenVPN wizard"
                pass  in  quick  on $OpenVPN  proto { tcp udp }  from any to  192.168.2.12 port 32005  keep state  label "USER_RULE: NAT "
                pass  in  quick  on $OpenVPN  proto { tcp udp }  from any to  192.168.2.12 port 34000  keep state  label "USER_RULE: NAT "
                pass  in  quick  on $RUSSIA  proto tcp  from any to any port 32005  flags S/SA keep state  label "USER_RULE"
                pass  in  quick  on $RUSSIA  from 192.168.2.1/24 to any keep state  label "USER_RULE"
                pass  in  quick  on $HOSTKEY reply-to ( ovpnc1 10.8.0.11 )  proto tcp  from any to any port 32005  flags S/SA keep state  label "USER_RULE"
                pass  in  quick  on $HOSTKEY reply-to ( ovpnc1 10.8.0.11 )  from any to any keep state  label "USER_RULE"

                # Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients
                # VPN Rules
                anchor "tftp-proxy/*"

                  jimp (Rebel Alliance Developer, Netgate), last edited Jan 23, 2013, 12:39 AM

                  Remove the rules from the openvpn tab. Only have them on the assigned interface. It's matching that and not the reply-to rule.


                    makbet, last edited Jan 23, 2013, 9:13 AM
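The diagnosis in jimp's reply above (and the four-step procedure in his first reply) can be replayed against the poster's rules.debug. The script below is an added example, not pfSense code and not anything posted in the thread: it pulls the interface aliases, the `rdr` lines and the user `pass in quick` rules out of an excerpt of the ruleset, builds the packet that each port forward on the assigned VPN interface would produce (arriving on ovpnc1, destined for the rdr target and port), and finds the first `quick` rule that matches it, reporting whether that rule carries `reply-to`. It assumes that pfSense places every OpenVPN instance in the pf interface group `openvpn`, which is what `$OpenVPN` expands to, and that the rules are evaluated in file order as they are in the dump.

```python
"""Find the pass rule that wins for a VPN-side port forward (added example)."""
import re

# Constructed excerpt of the poster's /tmp/rules.debug, limited to the aliases,
# rdr lines and user rules that matter for the port forward on ovpnc1.
RULES_DEBUG = """\
WAN = "{ em0 }"
LAN = "{ em1 }"
RUSSIA = "{ em2 }"
HOSTKEY = "{ ovpnc1 }"
OpenVPN = "{ openvpn }"
rdr on ovpnc1 proto { tcp udp } from any to any port 32005 -> 192.168.2.12
rdr on em0 proto { tcp udp } from any to any port 32005 -> 192.168.2.12
rdr on openvpn proto { tcp udp } from any to any port 32005 -> 192.168.2.12
rdr on openvpn proto { tcp udp } from any to any port 34000 -> 192.168.2.12
pass  in  quick  on $WAN  proto tcp  from any to any port 32005  flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $LAN  from 192.168.1.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
pass  in  quick  on $OpenVPN  from any to any keep state  label "USER_RULE: OpenVPN WAN OpenVPN wizard"
pass  in  quick  on $OpenVPN  proto { tcp udp }  from any to  192.168.2.12 port 32005  keep state  label "USER_RULE: NAT "
pass  in  quick  on $RUSSIA  proto tcp  from any to any port 32005  flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $HOSTKEY reply-to ( ovpnc1 10.8.0.11 )  proto tcp  from any to any port 32005  flags S/SA keep state  label "USER_RULE"
pass  in  quick  on $HOSTKEY reply-to ( ovpnc1 10.8.0.11 )  from any to any keep state  label "USER_RULE"
"""

# Assumption: pfSense puts each OpenVPN instance (ovpnc*/ovpns*) into the pf
# interface group "openvpn"; rules on the OpenVPN tab are written against it.
GROUPS = {"openvpn": {"ovpnc1"}}

ALIAS_RE = re.compile(r'^(\w+)\s*=\s*"\{\s*(\S+)\s*\}"')
RDR_RE = re.compile(r'^rdr\s+on\s+(\S+)\s+proto\s+(\{[^}]*\}|\S+)\s+from\s+\S+\s+to\s+\S+'
                    r'\s+port\s+(\d+)\s+->\s+(\S+)')
PASS_RE = re.compile(r'^pass\s+in\s+quick\s+on\s+(\S+)(?:\s+reply-to\s+\(\s*(\S+)\s+\S+\s*\))?'
                     r'(?:\s+proto\s+(\{[^}]*\}|\S+))?\s+from\s+(\S+)\s+to\s+(\S+)'
                     r'(?:\s+port\s+(\d+))?')


def _protos(spec):
    """'tcp' -> {'tcp'}, '{ tcp udp }' -> {'tcp', 'udp'}, None -> any protocol."""
    return None if spec is None else set(spec.strip("{} ").split())


def parse_rules(text):
    aliases, rdrs, passes = {}, [], []
    for line in text.splitlines():
        if m := ALIAS_RE.match(line):
            aliases[m.group(1)] = m.group(2)
        elif m := RDR_RE.match(line):
            rdrs.append({"iface": m.group(1), "protos": _protos(m.group(2)),
                         "port": int(m.group(3)), "target": m.group(4)})
        elif m := PASS_RE.match(line):
            iface = m.group(1)
            if iface.startswith("$"):                 # $HOSTKEY -> ovpnc1, $OpenVPN -> openvpn
                iface = aliases.get(iface[1:], iface)
            passes.append({"iface": iface, "reply_to": m.group(2), "protos": _protos(m.group(3)),
                           "dst": m.group(5), "port": int(m.group(6)) if m.group(6) else None,
                           "text": line.strip()})
    return rdrs, passes


def _matches(rule, pkt):
    on_iface = rule["iface"] == pkt["iface"] or pkt["iface"] in GROUPS.get(rule["iface"], ())
    return (on_iface
            and (rule["protos"] is None or pkt["proto"] in rule["protos"])
            and rule["dst"] in ("any", pkt["dst"])
            and rule["port"] in (None, pkt["port"]))


def first_match(passes, pkt):
    """Every user rule is 'quick', so the first matching pass rule wins."""
    return next((r for r in passes if _matches(r, pkt)), None)


def audit_port_forwards(text, vpn_if="ovpnc1"):
    """For each rdr on the assigned VPN interface, report the pass rule that would
    accept the redirected packet and whether it carries reply-to for that interface."""
    rdrs, passes = parse_rules(text)
    findings = []
    for rdr in rdrs:
        if rdr["iface"] != vpn_if:
            continue
        pkt = {"iface": vpn_if, "proto": "tcp", "dst": rdr["target"], "port": rdr["port"]}
        hit = first_match(passes, pkt)
        findings.append({"port": rdr["port"], "target": rdr["target"],
                         "matched": hit["text"] if hit else None,
                         "reply_to_ok": bool(hit and hit["reply_to"] == vpn_if)})
    return findings


def drop_openvpn_tab_rules(text):
    """Model jimp's fix: take the rules off the OpenVPN tab, i.e. drop every rule
    written against $OpenVPN, leaving only those on the assigned interface."""
    return "\n".join(l for l in text.splitlines() if "on $OpenVPN" not in l) + "\n"


if __name__ == "__main__":
    print("as posted:  ", audit_port_forwards(RULES_DEBUG))
    print("after fix:  ", audit_port_forwards(drop_openvpn_tab_rules(RULES_DEBUG)))
```

Run as posted, the forward on port 32005 is caught by the OpenVPN tab's `pass in quick on $OpenVPN from any to any` rule, which has no `reply-to`, so the state is created without it and the replies follow the default route out of WAN instead of back into the tunnel. With the `$OpenVPN` rules gone, the same packet is matched by the `$HOSTKEY` rule carrying `reply-to ( ovpnc1 10.8.0.11 )`, which is the outcome the thread reaches. Keeping the OpenVPN tab's rules but narrowing their source, as jimp's last reply suggests, works for the same reason: they then simply stop matching this traffic.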

                    jimp, this is working great right now.

                    Thank you very much for your help.
                    One thing that bothers me is: if there should be no rules on the OpenVPN tab, why does creating a VPN server on pfsense automatically create that tcp rule?

                      jimp (Rebel Alliance Developer, Netgate), last edited Jan 23, 2013, 1:26 PM

                      You can have rules on the OpenVPN tab, just make sure they don't match the traffic that would be coming over the assigned interface. Meaning, specify a proper source on the rules for other VPN instances and not just use 'any', or at least make sure that they don't match the same exact traffic as the rules on the assigned interface.

                      The wizard adds the any/any rule because most people don't want nor need to assign the VPN interface and just want to pass in all traffic from the VPN to their LAN or internal networks.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.