OpenVPN: Log and port forward question



  • Hi,

    I'm fairly new to pfSense and have already asked parts of this question in the Firewalling Forum, but they were not able to help me with this.
    I got (nearly) everything running as needed. I'm currently running through the firewall logs and trying to identify issues with my setup.

    I'm running pfSense behind a FritzBox which does the dial in. The pfSense box only got one WAN and one LAN adapter. I got the OpenVPN Client tunneling all the LAN traffic to an external VPN Provider. I'm actually using the Multi GW solution posted here (pretty cool stuff). So, I'm having 2 connections to my VPN provider.
    I also made sure that no LAN clients can access any WAN destinations. I did this because I always want to tunnel all external traffic through the VPN, no matter what happens.

    As said, this is working fine and I'm happy with it, but by running through my firewall logs I found the following.
    It seems that my Android phone tries to contact Google (various different IPs) and other IPs every few minutes, and this seems to be blocked by pfSense. My phone is functioning normally so I'm not seeing any issues on this end, but I want to make sure that these requests are also pushed through the VPN.

    My LAN rules look like this. The 4th rule should make sure it's pushing all traffic from the LAN net through the VPN. The 3rd rule should make sure LAN clients can communicate with each other. So, why are these logs from my phone happening at all?

    Another question I'm having relates to port forwarding. I want to make sure that my MediaServer is reachable through the VPN via a port I have configured. I'm completely clueless on what I need to do for this. I know that this is possible, because my VOIP phone here is fully functional and I have not done any configuration on my end. I had to do a port forwarding rule on my router before the pfSense box, but now it's working like a charm without any rules done by me. So, if you could help me configure this for my MediaServer too, that would be much appreciated.

    Thanks for taking the time to help me! Please let me know if I need to supply more info on this issue.



  • Nobody has any idea?
    I thought that these were easy questions? :-\



  • Hi Satras,

    Your second rule does not really do what you want, I suppose, but it depends on your configuration.
    This rule blocks traffic from your LAN subnet to the subnet which is connected on your pfSense WAN interface. This means the subnet between your FritzBox (LAN) and your pfSense (WAN). So it does not block the "internet" access. This doesn't matter because no other rule allows traffic to the internet, only your VPN gateway rule (rule 4).

    The third rule is completely useless because it allows traffic from the same subnet to the same subnet. Traffic which happens in your subnet and between clients will never reach pfSense because this is done on layer 2 and on your switch.

    I am not sure if your VPNGW rule really works. Can you try to check your IP on www.pfsense.org/ip.php when going through the VPN tunnel and compare it with the IP you get when going through your internet? Just to really make sure you are using the tunnel.

    Port forwarding:
    I suppose you are using your FritzBox as a NAT router and pfSense is doing NAT again.
    I am using this, too, but I set a "DMZ host" on my FritzBox for the pfSense WAN interface. This means all traffic comes unfiltered from the internet to my pfSense. The advantage is that I only need to do port forwarding rules on my pfSense. Another advantage is that when creating a pfSense port forward it creates the correct firewall rule, too.

    Hopefully someone else can help you more with your mediaserver / VPN situation.



  • Hi Nachtfalke,

    I will do some more tests tomorrow evening with the 2nd rule, but I've tested this and I'm sure that if the VPN went down, my clients connected to the Internet using the WAN port.
    Thanks for the "hint" on rule 3... ;)
    I've tested the 4th rule, and can confirm that it works as expected and I'm browsing with the VPN IP rather than my "local" one.
    Thanks also for the DMZ idea, I might use this too.

    I hope someone else is able to guide me on the port forwarding using VPN too.
    Also, I would be keen to understand why the entries in the logs are appearing.

    Thanks



  • When I took another look at the firewall logs, this came to mind:
    http://doc.pfsense.org/index.php/What_are_TCP_Flags%3F

    The blocked entries only show "FIN" packets. In general these are packets which are sent to tell the other side that the connection can be closed. Depending on how long the firewall keeps a state alive, it can happen that an application sends a "FIN" packet to the other side but the firewall has already closed this connection because of a timeout and no traffic for this connection.

    When you search the forum you will probably find some other threads where people are talking about such behaviour, and it seems to be absolutely normal behaviour of a so-called "stateful firewall", which pfSense is.

    Found something:
    http://forum.pfsense.org/index.php?topic=39960.0

    So nothing to worry about, and the explanation above seems to be the reason why you did not notice any problems on your Android phone.

    PS:
    Are you using PPPoE on pfSense or do you do PPPoE on your FritzBox?
    The suggestion with DMZ and so on depends on the fact that PPPoE is done on your FritzBox and the pfSense WAN interface gets its IP by DHCP or statically from your FritzBox.
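    To check the explanation above against your own logs, the following script (added here as an example, not code from the thread or from pfSense) parses IPv4/TCP entries from pfSense's filterlog output and separates blocked FIN/RST packets, which are the harmless tail end of a connection whose state already timed out, from blocked SYNs, which are real connection attempts worth a closer look. The sample lines are constructed, and the CSV field positions are assumed to follow the pfSense filterlog layout for IPv4 TCP entries; check them against the documentation for your version.

```python
"""Classify blocked TCP entries in pfSense filterlog output (example code)."""
import re

# Constructed sample lines, not real traffic. Layout assumed to be the pfSense
# filterlog CSV format: 9 common fields, 11 IPv4 fields, then the TCP fields.
SAMPLE_LOG = """\
Jan 10 20:01:02 pfSense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,63,4711,0,DF,6,tcp,52,192.168.1.50,172.217.16.14,45210,443,0,FA,1,2,229,,
Jan 10 20:01:07 pfSense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,63,4712,0,DF,6,tcp,52,192.168.1.50,172.217.16.14,45210,443,0,FA,1,2,229,,
Jan 10 20:02:15 pfSense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,64,9001,0,DF,6,tcp,60,192.168.1.77,203.0.113.9,51000,25,0,S,1,,65535,,mss
Jan 10 20:03:00 pfSense filterlog: 5,,,1000000103,em1,match,block,in,4,0x0,,63,4713,0,DF,6,tcp,40,192.168.1.50,172.217.16.14,45210,443,0,R,3,,0,,
"""

LINE_RE = re.compile(r"filterlog: (?P<csv>.*)$")


def parse_entry(line):
    """Return a dict for an IPv4 TCP filterlog line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    # f[8] is the IP version, f[16] the protocol text, f[23] the TCP flags
    if len(f) < 24 or f[8] != "4" or f[16] != "tcp":
        return None
    return {"iface": f[4], "action": f[6], "dir": f[7], "src": f[18],
            "dst": f[19], "sport": int(f[20]), "dport": int(f[21]),
            "flags": f[23]}


def classify(entry):
    """Separate expected state-timeout noise from genuinely new blocked connections."""
    flags = set(entry["flags"])
    if "S" in flags and "A" not in flags:
        return "new-connection-blocked"  # a bare SYN: something really tried to connect
    if "F" in flags or "R" in flags:
        return "stale-state-teardown"    # FIN/RST after pf dropped the state: benign
    return "other"


def summarize(log_text):
    """Count blocked IPv4/TCP entries per category."""
    counts = {}
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e and e["action"] == "block":
            kind = classify(e)
            counts[kind] = counts.get(kind, 0) + 1
    return counts
```

Run it over a copy of /var/log/filter.log (after decoding with clog on older versions) instead of SAMPLE_LOG; a log that consists almost entirely of "stale-state-teardown" entries is the situation described in this thread.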



  • Brilliant. I wasn't too sure what to search for, but this explains it exactly. I've also understood that there is not much I can do about it. I just wanted to make sure that my system is running smoothly. Thank you very much for your support!

    Yes, the FritzBox is doing PPPoE (VDSL) currently, as I'm sharing my Internet connection with someone. And he needs the VOIP bit on the box, so I can't easily replace it. Also, I would need to buy a new modem, so I'll leave it as it is for now.
    I'm in "testing mode" with this server anyway; I wanted to do some testing with a fully encrypted Internet connection. So far it's running pretty well.

    I just need someone to help me with / explain that port forwarding bit.
    As said, I'm running a (2nd) SIP box in my network (the 1st one is on the FritzBox), and when I had this connected to the FritzBox I needed to do port forwarding. Now with pfSense and the VPN this wasn't required. So I want to know what I need to do to reach my media server as well.



  • http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F

    I suppose you set up your FritzBox to allow all ports to pfSense ("DMZ Host" or "Unrestricted host"):

    pfSense:
    Firewall --> NAT --> Port Forward
    Protocol: UDP (or whatever)
    Interface: WAN
    Source IP: any (this is the IP of any computer on the internet - almost always any)
    Source Port: any (this is the port of a computer on the internet - almost always any)
    Destination IP: WAN address (this is your pfSense WAN address because the FritzBox forwarded this traffic already)
    Destination Port: 12345 (the port your media server listens on)
    Redirect IP: 192.168.100.20 (the LAN IP address of your media server on your LAN)
    Redirect Port: 12345 (the port your media server listens on)

    This NAT rule can automatically create a firewall rule for this port forward, which I would suggest.
    Then check that this firewall rule is placed on top of all other rules on your pfSense WAN interface.

    Remember:
    Outgoing traffic - from your LAN to www - will be done by your LAN firewall rules. You pointed it to your VPNGW. That is ok.
    Incoming traffic will probably come from somewhere on the www and connects to your WAN interface - your original IP. So you must set Firewall rules on the WAN interface.

    So even if you blocked outgoing traffic from using your original WAN connection, it is possible to get incoming connections through this IP.
    But make sure that the connection to your media server from the web is encrypted and password protected. In such cases I would suggest installing an OpenVPN server on pfSense and then connecting from the www to your LAN/media server through this VPN tunnel. OpenVPN clients are available for Windows, Linux, Unix, Android, iOS and Mac OS X.



  • Hi,

    This is my current workaround, and it seems to work fine, but I want to route all traffic through the tunnel. In and out.

    Sadly, with this setup, the traffic is not routed through the VPN.



  • Then you probably have to do port forwarding on the OpenVPN interface.
    And of course the client on the internet which should connect to the media server needs to connect to the VPN's IP address.

    So it is the same as on WAN, but you need to use the VPN's interface and IP address and so on.



  • Like this?

    Does not seem to work. Need to check it a bit later from home to see if the IP has changed, but I can't access the server through the tunnel.



  • I never configured such a scenario, but in general it looks ok.

    When connecting to the media server, did you use the VPN's public IP?
    And perhaps it is configured on the "wrong" VPN interface. Not sure which tab is the correct one.



  • This did not do it, and yes I'm using the VPN's public IP.
    I did one port forward for every Interface, so this should work now.



  • I think I got it together. Will need to check tomorrow.

    Issue was that the VPN server I was connected to did not have port forwarding enabled. Seems I had the wrong IP :(



  • @Satras:

    I think I got it together. Will need to check tomorrow.

    Issue was that the VPN server I was connected to did not have port forwarding enabled. Seems I had the wrong IP :(

    So did you need to enable port forwarding on the OpenVPN interface on pfSense or just on the foreign VPN?



  • This is how I did it now.

    I might be able to remove the forward on the OpenVPN adapter, I guess; I just need to do some more tests with this.

    Thank you very much for helping me with this.

    Edit:
    I did some cleanup. Only the 3rd rule was needed.



  • Thank you for your feedback :)

