Forward range of ports to a single port



  • Hi,

    I'm trying to set up two OpenVPN servers that will listen on my WAN interface, one on UDP 1194, the other on TCP 1194.  Ideally I'd then create two forwarding rules, one for UDP and one for TCP, that forward a large range of ports (essentially 1-65535) to a single port (1194), thereby having the OpenVPN server essentially listening on all ports.  This is quite easy to do using iptables in Linux but I can't recreate it within pfSense's GUI, which only seems to allow 1:1 mapping of a range of ports to a range of ports.  Am I missing something?

    This is to ensure that if I'm out on the road, hotel, cafe wifi, etc. that I have as many options as possible to get around restrictive outbound firewalling.

    Thanks!

    Colin



  • Just set them up on 80, 443 and one other port not usually associated with VPN or proxy but above the service ports.  If those are closed to you, they will all be closed.



  • He's right. 443 and 53 are your best bets. Most firewalls don't attempt protocol enforcement on port 443 so you should be able to make socket connections with non-SSL protocols. Just forward those few ports, one in each rule. I personally forward to localhost:1194 and not the interface address (I presume it goes through one less layer then).


  • Rebel Alliance Developer Netgate

    You can't do that in one simple/easy pf rule. If you forward a range the target range must be of identical size. So if you forward 100-200 to target:500, that means it would really go from 500-600. There isn't a way around that except to do individual rules.

    Port sharing tcp/443 with a live HTTPS server would probably work, and udp/53 works from more places than you'd think (and sometimes can even bypass captive portals).

    So if you use a few strategic ports you won't need to forward a whole range.

    Some suggestions:
    tcp: 53, 80, 443, 8080, 21, 22, 113, 143
    udp: 53, 443 (some people use "tcp/udp" on rules that they shouldn't!), 123, 161, 514



  • Thanks for the responses everyone, I'll go with the suggested ports!



  • Well - It's good to know we can think like thieves when we need to.



  • Wouldn’t it be nice if you could specify a list of comma-separated ports when doing the wizard set-up, have all the ports auto open and end up with something like this auto dumped into the client config…. And have it try each in order exhaustively.  But that would take all the fun out of setup I guess.
    Of course a single server would only listen on one port and the others would be redirects.

    remote mysite.net 53 udp
    remote mysite.net 443 udp
    remote mysite.net 123 udp
    remote mysite.net 161 udp
    remote mysite.net 514 udp
    remote mysite.net 1194 udp
    remote mysite.net 53 tcp
    remote mysite.net 80 tcp
    remote mysite.net 443 tcp
    remote mysite.net 8080 tcp
    remote mysite.net 21 tcp
    remote mysite.net 22 tcp
    remote mysite.net 143 tcp



  • Could try using the remote-random option I guess?  Not in order but a good way to sit back and let it figure out what is open for you.  Might also want to use --connect-retry to lower how long it waits in between connection attempts.



  • Yeah - I know I can put it into the config myself.  I bet it will eventually show up in pfSense as an automatic option.



  • @jimp:

    Some suggestions:
    tcp: 53, 80, 443, 8080, 21, 22, 113, 143
    udp: 53, 443 (some people use "tcp/udp" on rules that they shouldn't!), 123, 161, 514

    I have OpenVPN servers on TCP & UDP 443 with a single firewall rule on the WAN to pass this traffic to the WAN interface - IPv4 TCP/UDP port 443.
    Is that bad for some reason?


  • Rebel Alliance Developer Netgate

    No, that's fine if it's intentional. I was referring to using ports to "break out" of someone else's network.

    Say you're at a Hotel or Coffee shop that has strict outbound policies that would deny access to all but port 80 and 443 and maybe DNS. If they accidentally use TCP/UDP on their 80 and 443 rules you could sneak out of their network by using OpenVPN on UDP port 443.
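For anyone administering the restrictive side, the "TCP/UDP" slip described above can be audited. This is an added example, not part of the thread or pfSense's own code: it scans a constructed, simplified rule list modelled on a pfSense config.xml `<filter>` section (element names and the TCP-only port policy are assumptions of this example) and reports pass rules that also open UDP on ports meant for TCP services.

```python
import xml.etree.ElementTree as ET

# Constructed sample rules (assumed layout, modelled on a pfSense <filter> section).
SAMPLE = """<filter>
  <rule><type>pass</type><interface>lan</interface><protocol>tcp/udp</protocol>
    <destination><any/><port>443</port></destination><descr>Guest HTTPS</descr></rule>
  <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
    <destination><any/><port>80</port></destination><descr>Guest HTTP</descr></rule>
  <rule><type>pass</type><interface>lan</interface><protocol>tcp/udp</protocol>
    <destination><any/><port>53</port></destination><descr>Guest DNS</descr></rule>
  <rule><type>pass</type><interface>lan</interface><protocol>tcp/udp</protocol>
    <destination><any/><port>20-90</port></destination><descr>Legacy range</descr></rule>
  <rule><type>block</type><interface>lan</interface><protocol>tcp/udp</protocol>
    <destination><any/><port>443</port></destination><descr>Blocked</descr></rule>
</filter>"""

# Policy assumption: ports whose intended service is TCP only (drop 443 if QUIC is wanted).
TCP_ONLY_PORTS = {21, 22, 80, 113, 143, 443, 8080}

def port_span(text):
    """Return (low, high) for '443' or '20-90'; None for aliases or a missing port."""
    parts = (text or "").replace(":", "-").split("-")
    if len(parts) > 2 or not all(p.strip().isdigit() for p in parts):
        return None
    low, high = int(parts[0]), int(parts[-1])
    return (min(low, high), max(low, high))

def find_udp_leaks(xml_text, tcp_only=TCP_ONLY_PORTS):
    """List (description, ports) for pass rules that allow UDP on TCP-only ports."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        if rule.findtext("type", "pass") != "pass":
            continue  # block/reject rules cannot leak traffic
        if rule.findtext("protocol", "").lower() != "tcp/udp":
            continue  # only the combined-protocol slip is audited here
        span = port_span(rule.findtext("destination/port"))
        if span is None:
            continue  # port aliases need resolving separately
        leaked = sorted(p for p in tcp_only if span[0] <= p <= span[1])
        if leaked:
            findings.append((rule.findtext("descr", ""), leaked))
    return findings

if __name__ == "__main__":
    for descr, ports in find_udp_leaks(SAMPLE):
        print(f"{descr}: UDP also allowed on {ports}")
```

Rules with no protocol restriction at all are out of scope for this check and should be reviewed on their own.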



  • Got it… Sorry, I misinterpreted what you were getting at.
    That's why I run both as UDP is preferred, but you have that fallback  ;)