2 pfSense + Site to Site VPN + NAT
-
Help! I'm completely stuck on this.
I have a two pfSense firewall setup. One firewall is at a datacenter, the other at home. I'm running a site-to-site VPN using OpenVPN. I'm trying to port-forward a port from the WAN ip at the datacenter to an ip at home via the VPN link. No matter what I do, the connection doesn't work.
The configuration is as follows
Datacenter WAN -> OpenVPN Server (DC) -> OpenVPN Client (Home) -> Home LAN
66.240.XX.XX -> 172.16.2.1 -> 172.16.2.2 -> 192.168.77.0/24
The VPN connection works fine. I can ping any IP from home at the DC and vice versa. The VPN connections have an interface assigned, and the firewalls are currently configured to allow all traffic on them.
Ideally I'd like to be able to arbitrarily port forward from the data center to a home server, but right now I'm trying to set up port 25 forwarding to a server at home.
My NAT configuration is:
DC
NAT 66.240.XX.XX:25 -> 172.16.2.2:25
Home:
NAT 172.16.2.2:25 -> 192.168.77.13:25
This doesn't seem to work and I can't figure out why. I'm pretty sure this has something to do with outbound NAT, but that's a total mystery to me.
Can anyone help, please?
-
You can't port forward across an OpenVPN tunnel on pfSense 2.0.x.
It can be done on pfSense 2.1. On the target side, you need to have the OpenVPN interface assigned and enabled (IP type of 'none') and have the firewall rules to pass in the traffic on the interface tab for the VPN and not the 'openvpn' tab; that tab should not have any rules to match the traffic.
The reason that works is, when assigned, the VPN gets an automatic gateway. And on 2.1, rules on the assigned VPN interface will have reply-to added to send the traffic back out the VPN when it comes in that way.
Without reply-to, the packets go from the source side to the target side across the VPN, but the replies go back out the WAN rather than flowing back through the VPN.
-
OK, thanks. I guess for now I can just create some sort of workaround until 2.1 becomes more stable.
-
Hi, I have a similar configuration but another problem.
I run pfSense 2.1 in a datacenter and one pfSense 2.0.3 in my home office.
I have the same config but with OpenVPN interfaces:
66.240.XX.XX:80 Datacenter <> ( OpenVPN Tunnel 10.0.4.0/30 ) <> 192.168.0.0/24
My problem is the source IP address of each client that connects to the datacenter.
E.g. a client connects on port 80 to the datacenter alias IP 66.240.XX.XX:80, and a NAT rule forwards this request over the OpenVPN tunnel to my home office webserver 192.168.0.10.
Now when I check the incoming traffic on the webserver with tcpdump, I see the public IP address of the client (109.193.193.64).
The problem is that the pfSense in my home office routes this IP over the default gateway and not back over the tunnel network to the datacenter. I have tried some NAT rules and outbound rules but without any positive results.
Have you an idea?
Regards & thanks
Andreas
-
> You can't port forward across an OpenVPN tunnel on pfSense 2.0.x.
> It can be done on pfSense 2.1. On the target side, you need to have the OpenVPN interface assigned and enabled (IP type of 'none') and have the firewall rules to pass in the traffic on the interface tab for the VPN and not the 'openvpn' tab; that tab should not have any rules to match the traffic.
> The reason that works is, when assigned, the VPN gets an automatic gateway. And on 2.1, rules on the assigned VPN interface will have reply-to added to send the traffic back out the VPN when it comes in that way.
> Without reply-to, the packets go from the source side to the target side across the VPN, but the replies go back out the WAN rather than flowing back through the VPN.
@ahuser - you will need 2.1 at the home end (the "target side" in Jim's comments above). It needs the reply-to at your home end to send the packets back across the OpenVPN. 2.1 works great for me with OpenVPN links, so IMHO a home office upgrade to 2.1-RC0 is low-risk.
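To make the reply-to point from Jim's answer and the outbound-NAT workaround that the first two posters were circling around concrete, here is an added, hand-written pf rule set in classic FreeBSD pf syntax (the pf generation pfSense 2.0/2.1 is built on). It is not pfSense's generated ruleset and not anything the posters shared; the interface names ovpns1/ovpnc1/em0, the public address 203.0.113.10 and the OpenVPN client name are constructed placeholders standing in for the thread's 66.240.XX.XX setup. The tunnel addresses 172.16.2.1/172.16.2.2 and the home server 192.168.77.13 are taken from the first post.

```pf
# ---------------------------------------------------------------
# Datacenter side (OpenVPN server, tunnel address 172.16.2.1)
# ---------------------------------------------------------------
ext_if  = "em0"          # WAN, holds 203.0.113.10 (placeholder for 66.240.XX.XX)
vpn_if  = "ovpns1"       # assigned OpenVPN server interface
home_smtp = "192.168.77.13"

# Port forward straight to the home server, as in the last post:
# the "Redirect target IP" is the LAN address at home, not the far
# tunnel endpoint, so there is no second NAT hop at home.
rdr pass on $ext_if inet proto tcp from any to 203.0.113.10 port 25 -> $home_smtp port 25

# ---------------------------------------------------------------
# Home side (OpenVPN client, tunnel address 172.16.2.2)
# ---------------------------------------------------------------
# vpn_if  = "ovpnc1"     # assigned OpenVPN client interface (IP type 'none')
# vpn_gw  = "172.16.2.1" # far end of the tunnel = the automatic gateway
#
# BROKEN (what a rule on the 'openvpn' group tab amounts to): the packet is
# accepted, but the reply to the public client follows the default route
# and leaves via WAN, so the TCP handshake never completes.
#   pass in quick on openvpn inet proto tcp from any to $home_smtp port 25 keep state
#
# WORKING (rule on the assigned interface tab in 2.1): reply-to pins the
# return traffic for this state to the tunnel it arrived on.
#   pass in quick on $vpn_if reply-to ( $vpn_if $vpn_gw ) \
#       inet proto tcp from any to $home_smtp port 25 keep state

# ---------------------------------------------------------------
# Workaround when the home side cannot add reply-to (2.0.x):
# outbound NAT on the datacenter's tunnel interface rewrites the
# source to the tunnel address, so the home box routes replies back
# to 172.16.2.1 over the tunnel network by ordinary routing.
# Cost: the home server logs 172.16.2.1 for every client instead
# of the real public source address, the exact thing Andreas wanted
# to preserve.
# ---------------------------------------------------------------
# nat on $vpn_if inet from any to $home_smtp port 25 -> ($vpn_if)
```

In pf, translation happens before filtering, so on the datacenter box the WAN rdr rewrites the destination first, the routing table then selects the tunnel interface, and the nat rule (if enabled) rewrites the source on the way out. A quick check on the home server is a tcpdump on port 25: with reply-to you see the client's real address and a completed handshake; with the outbound-NAT workaround you see only 172.16.2.1.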
-
It works! The bolded part is the key!
I can confirm that this in fact works fine in 2.0.1 and 2.0.3. I didn't have to configure outbound NAT on the home side either.
So basically I have a NAT rule at the DC on WAN interface where the "Redirect target IP" is an IP of the server at home.
> You can't port forward across an OpenVPN tunnel on pfSense 2.0.x.
> It can be done on pfSense 2.1. On the target side, you need to have the OpenVPN interface assigned and enabled (IP type of 'none') and have the firewall rules to pass in the traffic on the interface tab for the VPN and not the 'openvpn' tab; that tab should not have any rules to match the traffic.
> The reason that works is, when assigned, the VPN gets an automatic gateway. And on 2.1, rules on the assigned VPN interface will have reply-to added to send the traffic back out the VPN when it comes in that way.
> Without reply-to, the packets go from the source side to the target side across the VPN, but the replies go back out the WAN rather than flowing back through the VPN.