[SOLVED]pfsense as openvpn client - issue with port forwarding
-
Hi guys
My pfsense act as a openvpn client. I have another server elsewhere which is my openvpn server.
My problem is with port forwarding from that server to internal network behind pfsense.My openvpn server details:
vpn ip: 10.8.0.1
external: 1.1.1.1psfsense details:
vpn ip: 10.8.0.10
external ip: 2.2.2.2Now my setup and what works when I try to telnet to the server behind pfsense
10.8.0.1 > telnet to 10.8.0.10 = works
telnet to 2.2.2.2 > nat 10.8.0.10 = works
telnet to 1.1.1.1 > nat 10.8.0.10 is not workingI have all the correct rules (i believe) in iptables on my vpn server, so I have a feeling that I am missing some rule on my pfsense so it can accept connections from my openvpn server when it's accessed via its external IP.
Hope you can help.
-
That won't work on 2.0.x because OpenVPN rules don't get reply-to.
If you need that to work you need to:
1. Upgrade to a 2.1 snapshot
2. If you haven't already, assign the OpenVPN interface under Interfaces > (assign), enable it, ip type = none.
3. Add the port forward on the assigned interface
4. Make sure the firewall rule is on the assigned interface also. -
thanks jimp. looks like I've got all that setup already, except that my pfsense is 2.0.2. I looked at the download links on the pfsense download section but I couldn't find any later version than the one I have already, even pfsense dashboard says i'm on the latest.
Where do i get the 2.1 version from?
-
can answer for myself http://snapshots.pfsense.org
I will try that today when i get home and will let you know guys.
-
it looks like this isn't fixing the problem. I have my pfsense upgraded to 2.1 version now.
I have checked the rules and everywhere looks good.
I have a rule allowing traffic on port 32005 for LAN interface, OPT intrface which is the TUN0 as well as on OpenVPN tab, and still nothing.Would that be iptables on the other end?? Below iptables from my openvpn server on the other end
Generated by iptables-save v1.4.8 on Mon Dec 3 16:25:31 2012
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [73567:12322231]
:FORWARD ACCEPT [145057:14167096]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -j ACCEPT
-A POSTROUTING -j ACCEPT
COMMITCompleted on Mon Dec 3 16:25:31 2012
Generated by iptables-save v1.4.8 on Mon Dec 3 16:25:31 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:In_RULE_0 - [0:0]
:In_RULE_1 - [0:0]
:In_RULE_2 - [0:0]
:In_RULE_3 - [0:0]
:In_RULE_4 - [0:0]
:In_RULE_5 - [0:0]
:In_RULE_6 - [0:0]
:In_RULE_7 - [0:0]
-A INPUT -m state βstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33523 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.8.0.1/32 -i eth0 -p tcp -m tcp --dport 32005 -m state --state NEW -j In_RULE_0
-A FORWARD -d 10.8.0.1/32 -i eth0 -p tcp -m tcp --dport 34000 -m state --state NEW -j In_RULE_0
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j ACCEPT
-A In_RULE_0 -j LOG --log-prefix "RULE 0 -- ACCEPT " --log-level 6
-A In_RULE_0 -j ACCEPT
COMMITCompleted on Mon Dec 3 16:25:31 2012
Generated by iptables-save v1.4.8 on Mon Dec 3 16:25:31 2012
*nat
:PREROUTING ACCEPT [1746:107636]
:POSTROUTING ACCEPT [1431:77504]
:OUTPUT ACCEPT [13:865]
-A PREROUTING -d vpnip/32 -p tcp -m tcp βdport 32005 -j DNAT --to-destination 10.8.0.10:32005
-A PREROUTING -d vpnip/32 -p tcp -m tcp --dport 34000 -j DNAT --to-destination 10.8.0.10:34000
-A POSTROUTING -o eth0 -j SNAT --to-source vpnip
COMMITCompleted on Mon Dec 3 16:25:31 2012
-
Check /tmp/rules.debug, make sure it shows the rules for your openvpn interface, both the rdr and the pass rule, and post them here (or just post the whole /tmp/rules.debug)
-
From what i see all looks ok, but maybe you will be able to catch something. Just so you know, we are talking about interfaces russia and hostkey
$ cat /tmp/rules.debug
set limit tables 3000
set limit table-entries 200000
set optimization normal
set timeout { adaptive.start 0, adaptive.end 0 }
set limit states 102000
set limit src-nodes 102000#System aliases
loopback = "{ lo0 }"
WAN = "{ em0 }"
LAN = "{ em1 }"
RUSSIA = "{ em2 }"
HOSTKEY = "{ ovpnc1 }"
OpenVPN = "{ openvpn }"#SSH Lockout Table
table <sshlockout>persist
table <webconfiguratorlockout>persist
#Snort tables
table <snort2c>table <virusprot># User AliasesGateways
GWRussiaGW = " route-to ( em2 10.8.0.10 ) "
GWGW_OPT2 = " route-to ( ovpnc1 10.8.0.11 ) "
GWHOSTKEY_VPNV6 = " route-to ( ovpnc1 10.8.0.11 ) "set loginterface em1
set skip on pfsync0
scrub on $WAN all fragment reassemble
scrub on $LAN all fragment reassemble
scrub on $RUSSIA all fragment reassemble
scrub on $HOSTKEY all fragment reassembleno nat proto carp
no rdr proto carp
nat-anchor "natearly/"
nat-anchor "natrules/"Outbound NAT rules
nat on $WAN from 192.168.1.0/24 to any -> pfSense-External/32 port 1024:65535
nat on $WAN from 192.168.2.0/24 to any -> pfSense-External/32 port 1024:65535
nat on $HOSTKEY from 192.168.1.0/24 to 10.8.0.0/24 -> 10.8.0.10/32 port 1024:65535
nat on $HOSTKEY from 192.168.2.0/24 to 10.8.0.0/24 -> 10.8.0.10/32 port 1024:65535Load balancing anchor
rdr-anchor "relayd/*"
TFTP proxy
rdr-anchor "tftp-proxy/*"
table <vpn_networks>{ 10.10.10.0/24 }
table <negate_networks>{ 10.10.10.0/24 }NAT Inbound Redirects
rdr on em0 proto { tcp udp } from any to any port 22 -> 192.168.2.10
no nat on em0 proto tcp from (em0) to pfSense-External/32
nat on em0 proto tcp from pfSense-External/32 to 192.168.2.10 port 22 -> (em0)rdr on ovpnc1 proto { tcp udp } from any to any port 32005 -> 192.168.2.12
rdr on em0 proto { tcp udp } from any to any port 32005 -> 192.168.2.12
no nat on em0 proto tcp from (em0) to pfSense-External/32
nat on em0 proto tcp from pfSense-External/32 to 192.168.2.12 port 32005 -> (em0)rdr on openvpn proto { tcp udp } from any to any port 32005 -> 192.168.2.12
rdr on openvpn proto { tcp udp } from any to any port 34000 -> 192.168.2.12UPnPd rdr anchor
rdr-anchor "miniupnpd"
anchor "relayd/"
anchor "openvpn/"
anchor "ipsec/*"
#β-------------------------------------------------------------------------default deny rules
#---------------------------------------------------------------------------
block in log inet all label "Default deny rule IPv4"
block out log inet all label "Default deny rule IPv4"
block in log inet6 all label "Default deny rule IPv6"
block out log inet6 all label "Default deny rule IPv6"IPv6 ICMP is not auxilary, it is required for operation
See man icmp6(4)
1 unreach Destination unreachable
2 toobig Packet too big
128 echoreq Echo service request
129 echorep Echo service reply
133 routersol Router solicitation
134 routeradv Router advertisement
135 neighbrsol Neighbor solicitation
136 neighbradv Neighbor advertisement
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state
Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep stateWe use the mighty pf, we cannot be fooled.
block quick inet proto { tcp, udp } from any port = 0 to any
block quick inet proto { tcp, udp } from any to any port = 0
block quick inet6 proto { tcp, udp } from any port = 0 to any
block quick inet6 proto { tcp, udp } from any to any port = 0Snort package
block quick from <snort2c>to any label "Block snort2c hosts"
block quick from any to <snort2c>label "Block snort2c hosts"SSH lockout
block in log quick proto tcp from <sshlockout>to any port 22 label "sshlockout"
webConfigurator lockout
block in log quick proto tcp from <webconfiguratorlockout>to any port 80 label "webConfiguratorlockout"
block in quick from <virusprot>to any label "virusprot overload table"
table <bogons>persist file "/etc/bogons"
table <bogonsv6>persist file "/etc/bogonsv6"block bogon networks
http://www.cymru.com/Documents/bogon-bn-nonagg.txt
http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
block in log quick on $WAN from <bogons>to any label "block bogon IPv4 networks from WAN"
block in log quick on $WAN from <bogonsv6>to any label "block bogon IPv6 networks from WAN"
antispoof for em0block anything from private networks on interfaces with the option set
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block in log quick on $WAN from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
antispoof for em1allow access to DHCP server on LAN
pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
pass out quick on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"allow access to DHCP server on RUSSIA
pass in quick on $RUSSIA proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $RUSSIA proto udp from any port = 68 to 192.168.2.1 port = 67 label "allow access to DHCP server"
pass out quick on $RUSSIA proto udp from 192.168.2.1 port = 67 to any port = 68 label "allow access to DHCP server"loopback
pass in on $loopback inet all label "pass IPv4 loopback"
pass out on $loopback inet all label "pass IPv4 loopback"
pass in on $loopback inet6 all label "pass IPv6 loopback"
pass out on $loopback inet6 all label "pass IPv6 loopback"let out anything from the firewall host itself and decrypted IPsec traffic
pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to ( ovpnc1 10.8.0.11 ) from 10.8.0.10 to !10.8.0.10/32 keep state allow-opts label "let out anything from firewall host itself"make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on em1 proto tcp from any to (em1) port { 80 22 } keep state label "anti-lockout rule"
User-defined rules follow
anchor "userrules/*"
pass in quick on $WAN proto tcp from any to pfSense-External port 80 flags S/SA keep state label "USER_RULE"
pass in quick on $WAN proto tcp from any to any port 22 flags S/SA keep state label "USER_RULE"
pass in quick on $WAN proto tcp from any to any port 32005 flags S/SA keep state label "USER_RULE"
pass in quick on $WAN proto udp from any to pfSense-External port 1194 keep state label "USER_RULE: OpenVPN WAN OpenVPN wizard"
pass in quick on $LAN from 192.168.1.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on $OpenVPN from any to any keep state label "USER_RULE: OpenVPN WAN OpenVPN wizard"
pass in quick on $OpenVPN proto { tcp udp } from any to 192.168.2.12 port 32005 keep state label "USER_RULE: NAT "
pass in quick on $OpenVPN proto { tcp udp } from any to 192.168.2.12 port 34000 keep state label "USER_RULE: NAT "
pass in quick on $RUSSIA proto tcp from any to any port 32005 flags S/SA keep state label "USER_RULE"
pass in quick on $RUSSIA from 192.168.2.1/24 to any keep state label "USER_RULE"
pass in quick on $HOSTKEY reply-to ( ovpnc1 10.8.0.11 ) proto tcp from any to any port 32005 flags S/SA keep state label "USER_RULE"
pass in quick on $HOSTKEY reply-to ( ovpnc1 10.8.0.11 ) from any to any keep state label "USER_RULE"Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients
VPN Rules
anchor "tftp-proxy/*"</bogonsv6></bogons></bogonsv6></bogons></virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c></negate_networks></vpn_networks></virusprot></snort2c></webconfiguratorlockout></sshlockout>
-
Remove the rules from the openvpn tab. Only have them on the assigned interface. It's matching that and not the reply-to rule.
-
jimp this is working great right now.
Thank you very much for your help.
One thing that botheres me is, if there should be no rules on OpenVPN tab, why when creating a vpnserver on pfsense automaticaly creates that tcp rule?? -
You can have rules on the OpenVPN tab just make sure they don't match the traffic that would be coming over the assigned interface. Meaning, specify a proper source on the rules for other VPN instances and not just use 'any' or at least make sure that they don't match the same exact traffic as the rules on the assigned interface.
The wizard adds the any/any rule because most people don't want nor need to assign the VPN interface and just want to pass in all traffic from the VPN to their LAN or internal networks.