Port Forwarding from VPN Provider…



  • Hi guys, I have searched around for an answer and can't come up with a thing.

    I have a VPN provider (Private Internet Access), they allow you to forward one (and only one) port through the VPN tunnel back to your computer.  This single forwarded port is usually used for the listening port for torrent transfers, it ensures that you're connectable.

    So, with this particular VPN provider you can either download their client program and install it on the machine you wish to send through the VPN or, like in my case, you can set up the VPN connection on your router and route all your LAN traffic through it.

    If you want to forward a port, it's real simple if you're using their client program.  You just check a box saying "Port Forwarding" and when you connect a pop-up tells you which port is being forwarded to you.
    Until recently that was the only way to do it; now they've allowed users connecting by means other than their client to forward a port, but it involves some type of scripting.

    This is the part I don't know how to do, there's a thread on it on their forum site ( https://www.privateinternetaccess.com/forum/index.php?p=/discussion/180/port-forwarding-without-the-application-advanced-users ), but nowhere does it mention pfSense specifically.

    My question is, how can this be done in pfSense?  Is there some kind of scripting interface that can run a certain bunch of code every so often and return a port number somehow?

    I hope there's someone out there who can help.

    Thanks a lot!!


  • Rebel Alliance Developer Netgate

    It won't work unless you're on 2.1, but you can do it like so:

    Interfaces > (assign), assign the OpenVPN interface (ovpncX) as a new OPT
    Interfaces > OPTx (whatever you just made)
    Enable, set IP type to 'none', save.
    VPN > OpenVPN, edit/save the VPN once to make sure it's reinitialized (needed just this one time right after interface assignment)

    Then just add a port forward as you would on any other WAN.



  • I have the VPN connection set up and working already.
    Are you telling me how to set it up?

    My question is about the forwarded port…  my VPN provider will forward a port to me, but I don't know which one... it could be different every time you connect.
    If you don't connect using their client software (which is the easy way to find out what number the forwarded port is), then you have to use the script that's in the thread above to determine which port number you have been forwarded.

    That's what I want to know how to do in pfSense.

    Am I making sense?


  • Rebel Alliance Developer Netgate

    Yes, but forwarding a port in on a VPN interface won't work unless you have it assigned and you're running pfSense 2.1.

    Even if you figure out how to forward the "right" port, on 2.0.x the return traffic won't go back over the VPN for the port forward.

    Just letting you know that so you don't get one half figured out and then wonder why it still doesn't work.

    Shouldn't be terribly difficult to write a script to update a port alias in a cron job with the results of that script.



  • Oh ok, I see…

    But I think I have it set up already.  Here's what I have:

    Two OpenVPN clients connected to two different servers (one in the US, and one in Canada).
    I wanted certain computers to go through specific tunnels.
    For example, AppleTV to go to the US server, desktop computer to go to Canada server... etc...

    That's all set up already and I have traffic leaving my LAN and going through the right tunnels.

    Do I have to do anything further (what you're saying above), in order to make sure the return traffic is going through the tunnel?
    Because ALL the traffic for the computer I want to forward that port to is already going through the right tunnel.

    Also, what's a cron job?



  • @jimp:

    Even if you figure out how to forward the "right" port, on 2.0.x the return traffic won't go back over the VPN for the port forward.

    I have pfsense configured with a DHCP assigned address on the WAN interface, VPN interface is set as default gateway, LAN interface assigns IP, DNS, and Gateway addresses to a single "protected" host via DHCP. Does this make return path more likely to work?

    Requirements are as simple as I can make them for now. I'll add complexity later. Just having this work has a lot of value.



  • I think there is some confusion.

    PFSense 2.0 with PIA VPN
    Works

    PFSense 2.0 with PIA VPN and portforwarding
    Doesn't work

    PFSense 2.1 with PIA VPN and portforwarding
    Works but a script is needed to get a port from PIA and update NAT rule.

    I don't have the knowledge or skill to make a script, but we might be able to post a bounty. I don't think it will require too much time for someone who knows what he is doing.

    EDIT:

    PIA= privateinternetaccess.com

    I just realized that there is no reason to run the script on PFSense, so you could use one of the scripts that is already on the site. This makes the task a lot easier, but running it on PFSense would still be a far nicer approach, as you can update your NAT rules.



  • @eddie4:

    I just realized that there is no reason to run the script on PFSense, so you could use one of the scripts that is already on the site. This makes the task a lot easier, but running it on PFSense would still be a far nicer approach, as you can update your NAT rules.

    Yes. As I understand it, the reply-to functionality for releases prior to 2.1 does not work for OpenVPN tunnels. Not certain if pf is the issue or pfSense. I got port forwarding to work with a static rule by following suggestions from jimp as posted above.

    I already have a script partially working as described in this thread:
    http://forum.pfsense.org/index.php/topic,60341.0.html

    Having previously used iptables on Tomato isn't helping because the model and the tools for pf are very, very different and cause me to make incorrect assumptions. Hopefully I can have something usable soon.



  • naughtycamel, I was just wondering if you got this working?

    I am new to pfsense so I am struggling with the basics but I'd like to get this working as I too have PIA and would like to dynamically update the firewall rules to enable port forwarding (port given to me from PIA) and update my torrent client on another VM.

    Is this possible?

    EDIT: so I created a script (on the pfsense VM) which is able to get the forwarded port (which PIA assigns) and I am able to update that port on my torrent client which resides on another VM. The OpenVPN connection is established on the pfsense.

    I'm just not sure just what needs to be done on the pfsense VM to forward that port to the internal torrent client.

    Please, thoughts?
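    The cron-driven script jimp suggested earlier (fetch the assigned port, then update an alias or NAT rule) and the one described in this post both feed a value received from outside into firewall configuration, so the part worth getting right is validating that value before anything consumes it. Added example, not code from this thread, from PIA or from pfSense: POSIX sh as pfSense's cron would run it; the fetch URL, the {"port": N} reply shape and the state-file path are assumptions to be replaced with the details from PIA's own instructions.

```shell
#!/bin/sh
# Added example, not from this thread. Assumptions: the provider answers a
# fetch with JSON like {"port": 44310}; PIA_FETCH_URL and STATE_FILE are
# placeholders to fill in from PIA's own instructions.
PIA_FETCH_URL="${PIA_FETCH_URL:-https://example.invalid/port_forward_assignment}"
STATE_FILE="${STATE_FILE:-/tmp/pia_forwarded_port}"

# Pull the digits after "port" out of the reply; prints nothing on no match.
# Range checking is left to valid_port so the regex can stay simple.
parse_port() {
    printf '%s\n' "$1" |
        sed -n 's/.*"port"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Accept only an unprivileged port in range; anything else is rejected so a
# malformed or surprising reply can never be written into a firewall rule.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# True (0) when the port differs from the one recorded in the state file,
# so the NAT rule and the torrent client are only touched on a real change.
port_changed() {
    [ -r "$2" ] || return 0
    [ "$(cat "$2")" != "$1" ]
}

# Cron entry point: fetch, validate, record. The downstream steps (updating
# the pfSense alias/NAT rule and the torrent client) consume the printed port.
main() {
    reply=$(curl -sS --max-time 20 "$PIA_FETCH_URL") || { echo "fetch failed" >&2; exit 1; }
    port=$(parse_port "$reply")
    valid_port "$port" || { echo "rejected reply: $reply" >&2; exit 1; }
    if port_changed "$port" "$STATE_FILE"; then
        printf '%s\n' "$port" > "$STATE_FILE"
        echo "$port"    # new port: the caller applies it
    fi
}

# Only fetch when invoked as "script.sh run", so the functions can be sourced.
case "${1:-}" in run) main ;; esac
```

    Running it as `sh pia_port.sh run` from cron prints the port only when it has changed, which keeps the reload step from firing every minute.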



  • jimp, you think I can get your help with my similar issue?

    http://forum.pfsense.org/index.php/topic,65230.0.html

    much appreciated



  • What do you mean by "internal torrent client"?
    I'd be interested in having a look at your scripting.

    Any chance you could post it?

