Port Forwarding from VPN Provider to Torrent Client
-
Hi Nadar,
I'm not quite sure how to test this reliably (port forwarding to my internal IP). I tried running netcat (listening mode) on a random port on my internal uTorrent box and then attempted to connect via the WAN with telnet, and it works. So that's fine. But testing the incoming uTorrent port has not worked. I noticed you used tcpdump to test this, can you elaborate on the steps involved in testing?
I'm running transmission on Debian - since you're referring to uTorrent, I'm guessing your torrent machine is running Windows. WinDump is supposedly tcpdump's Windows counterpart, but WinDump is a command line tool and I'd rather go for Wireshark on Windows. What I did was simply to watch traffic coming in to the correct IP and forwarded port, and then watch outgoing replies going back out to the same hosts shortly thereafter. That told me that the port forwarding was working, and that the torrent client was replying. After that I couldn't figure out where the packets went, but if you read my later posts in this thread you can see that I think I found the cause of the problem: the return packets aren't affected by the policy routing and hence are going out the default gateway instead of the VPN connection.
I also have another problem. I have two VPN connections but I would like a script which runs on the pfSense box to go out through a specific VPN, but it goes out through the wrong one. I'm not sure how to alter this behaviour in pfSense. I used policy routing as well.
In System->Routing->Gateway, the default gateway is the WAN. So at the very least I would expect traffic from the pfSense box (192.168.1.1) to go out via the WAN.

That part I know little to nothing about, it all depends on the functions in the script and whether you can bind those to specific interfaces. You might for example create a Virtual IP on the pfSense box which you bind your script functions to, and then policy route everything from that virtual IP out the correct gateway.
I also changed System->Routing->Routes and added:
where PIANL is the interface I would like .1 traffic to go out from. It was working, for a while at least…

I don't think you wanna do that, it's like creating a second default gateway and I don't know what the consequences of that will be. Rather, just as a test, go to the gateway tab and set the "port forwarding VPN interface" as the default gateway instead of your WAN just to test the port forwarding. In my case, that solves it, and the port forwarding works. It's not a solution however, because all kinds of other traffic are supposed to go out the WAN interface and even if I used policy routing for this it would disable any port forwarding done on the WAN (like FTP etc). But, it's a nice test to establish where the problem is. The next question is then how to apply policy routing to packets that match the state table, that is packets that are being considered part of an incoming connection. I haven't figured out yet if pfSense has support for multiple routing tables, but that might be one possible solution - I'm simply not sure.
-
I'm not quite sure how to test this reliably (port forwarding to my internal IP). I tried running netcat (listening mode) on a random port on my internal uTorrent box and then attempted to connect via the WAN with telnet, and it works.
At this point, I can't see the purpose of the firewall! :o
You've got the box completely open. ;D
-
I gave up trying to forward from the pfSense box; instead I installed the OpenVPN client on the torrent box, which makes the VPN connection and requests the port from the PIA server. I figured it would be easier this way.
Although I think no port forwarding needs to be done at the pfSense level, I'm wondering if I need anything else for this to work, other NAT / rules.
I was able to run tcpdump from the torrent client (on the tun0 device) and from the exterior I telnetted into the PIA IP and forwarded port (which in turn forwards the same port on the virtual IP address) and I did see traffic on the same port. So I am assuming this is working?
However my upload speeds are not moving, and I'm still wondering if I'm missing something. Can someone confirm if the output from the tcpdump makes sense (not real IPs)?
Forwarded Port: 24900
PIA VPN IP: 109.12.33.34
VIRTUAL IP: 10.123.5.7

exterior:
telnet 109.12.33.34 24900

tcpdump on torrent client:
23:24:20.392117 IP 96.123.244.15.34878 > 10.123.5.7.24900: Flags [S], seq 803332574, win 14600, options [mss 1368,sackOK,TS val 155770005 ecr 0,nop,wscale 7], length 0
23:24:20.392143 IP 10.123.5.7.24900 > 96.123.244.15.34878: Flags [S.], seq 170698842, ack 803332575, win 14480, options [mss 1460,sackOK,TS val 3013110 ecr 155770005,nop,wscale 7], length 0
23:24:20.604061 IP 96.123.244.15.34878 > 10.123.5.7.24900: Flags [.], ack 1, win 115, options [nop,nop,TS val 155770068 ecr 3013110], length 0
23:24:20.604167 IP 10.123.5.7.24900 > 96.123.244.15.34878: Flags [F.], seq 1, ack 1, win 114, options [nop,nop,TS val 3013163 ecr 155770068], length 0
23:24:20.814180 IP 96.123.244.15.34878 > 10.123.5.7.24900: Flags [F.], seq 1, ack 2, win 115, options [nop,nop,TS val 155770131 ecr 3013163], length 0
23:24:20.814203 IP 10.123.5.7.24900 > 96.123.244.15.34878: Flags [.], ack 2, win 114, options [nop,nop,TS val 3013216 ecr 155770131], length 0
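A way to check a capture like the one above mechanically, as an added example in Python that is not from the original post: it parses tcpdump's line prefix, tracks how far the TCP handshake on the forwarded port got per remote peer, and gives a verdict that separates "forwarding never reached the host", "nothing listening", "SYN-ACK sent but never ACKed" (what the earlier reply-leaves-via-the-default-gateway problem looks like on tun0) and "ok". The embedded sample is constructed from the post's six lines with its placeholder IPs; the local address and port are assumed to be the virtual IP 10.123.5.7 and 24900.

```python
import re

# Constructed sample: the six tcpdump lines from the post above, with the
# post's placeholder IPs (TCP options trimmed, mangled "[s]" restored to "[S]").
CAPTURE = """\
23:24:20.392117 IP 96.123.244.15.34878 > 10.123.5.7.24900: Flags [S], seq 803332574, win 14600, length 0
23:24:20.392143 IP 10.123.5.7.24900 > 96.123.244.15.34878: Flags [S.], seq 170698842, ack 803332575, win 14480, length 0
23:24:20.604061 IP 96.123.244.15.34878 > 10.123.5.7.24900: Flags [.], ack 1, win 115, length 0
23:24:20.604167 IP 10.123.5.7.24900 > 96.123.244.15.34878: Flags [F.], seq 1, ack 1, win 114, length 0
23:24:20.814180 IP 96.123.244.15.34878 > 10.123.5.7.24900: Flags [F.], seq 1, ack 2, win 115, length 0
23:24:20.814203 IP 10.123.5.7.24900 > 96.123.244.15.34878: Flags [.], ack 2, win 114, length 0
"""

# Matches tcpdump's "IP src.sport > dst.dport: Flags [..]" prefix for IPv4 TCP lines.
LINE_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")

def handshake_states(capture, local_ip, port):
    """Map each remote (ip, port) to how far its handshake to local_ip:port got."""
    states = {}
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst == local_ip and dport == str(port):          # inbound to the forwarded port
            key = (src, int(sport))
            if "S" in flags and "." not in flags:           # bare SYN: connection attempt
                states[key] = "syn"
            elif states.get(key) == "synack" and "." in flags and "R" not in flags:
                states[key] = "established"                 # peer ACKed our SYN-ACK
        elif src == local_ip and sport == str(port):        # our reply to the peer
            key = (dst, int(dport))
            if flags == "S." and states.get(key) == "syn":
                states[key] = "synack"
            elif "R" in flags:
                states[key] = "reset"
    return states

def diagnose(capture, local_ip, port):
    """One-line verdict on whether the forwarded port is reachable end to end."""
    seen = set(handshake_states(capture, local_ip, port).values())
    if not seen:
        return "no inbound packets to %s:%d: forwarding not reaching this host" % (local_ip, port)
    if "established" in seen:
        return "ok"
    if "reset" in seen:
        return "port reached but nothing listening on it (RST sent)"
    if "synack" in seen:
        return "SYN-ACK sent but never ACKed: reply probably left via the wrong gateway"
    return "SYN received but no reply: client not answering on this interface"
```

Run it against a real `tcpdump -n -i tun0 tcp port 24900` capture saved to a file; an "ok" verdict only proves the handshake, so a stalled upload with "ok" points at the client or peers rather than the forwarding.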
-
Bump^