Port forwarding to pfsense openvpn client



  • Hi guys
    My pfsense act as a openvpn client. I have another server elsewhere which is my openvpn server.
    My problem is with port forwarding from that server to internal network behind pfsense.

    port 5060from OVPN SERVER 10.0.0.1 => OVPN Client (pfsense) 10.0.0.6 => Lan client (192.168.1.3)

    I can ping the server from any LAN  PC/device, also the server can ping the psfsense openvpn client.
    I have all the correct rules in windows firewall on my vpn server, so I have a feeling that I am missing some rule on my pfsense so it can forward port connection to LAN PC.

    Hope you can help.

    Windows server firewall log:

    
    2013-10-04 23:43:40 ALLOW UDP 10.0.0.1 10.0.0.6 5060 5060 0 - - - - - - - SEND
    
    

    Port Forward:

    Rule:

    /tmp/rules.debug

    
    set limit tables 3000
    set optimization normal
    set timeout { adaptive.start 0, adaptive.end 0 }
    set limit states 330000
    set limit src-nodes 330000
    
    #System aliases
    
    loopback = "{ lo0 }"
    WAN = "{ alc0 }"
    LAN = "{ fxp0 }"
    VPNINTERFACE = "{ ovpnc1 }"
    OpenVPN = "{ openvpn }"
    
    #SSH Lockout Table
    table <sshlockout>persist
    table <webconfiguratorlockout>persist
    #Snort tables
    table <snort2c>table <virusprot>table <bogons>persist file "/etc/bogons"
    table <bogonsv6>persist file "/etc/bogonsv6"
    table <negate_networks># User Aliases 
    
    # Gateways
    GWVPNGatewaw = " route-to ( ovpnc1 10.0.0.5 ) "
    GWWAN_DHCP = " route-to ( alc0 192.168.5.1 ) "
    GWVPNINTERFACE_VPNV6 = " route-to ( ovpnc1 10.0.0.5 ) "
    
    set loginterface fxp0
    
    set skip on pfsync0
    
    scrub on $WAN all    fragment reassemble
    scrub on $LAN all    fragment reassemble
    scrub on $VPNINTERFACE all    fragment reassemble
    
    no nat proto carp
    no rdr proto carp
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    
    # Outbound NAT rules
    nat on $WAN  from 192.168.1.0/24 to any port 500 -> 192.168.5.3/32  static-port
    nat on $WAN  from 192.168.1.0/24 to any -> 192.168.5.3/32 port 1024:65535  
    nat on $WAN  from 127.0.0.0/8 to any -> 192.168.5.3/32 port 1024:65535  
    nat on $VPNINTERFACE  from 192.168.1.0/24 to any port 500 -> 10.0.0.6/32  static-port
    nat on $VPNINTERFACE  from 192.168.1.0/24 to any -> 10.0.0.6/32 port 1024:65535  
    nat on $VPNINTERFACE  from 127.0.0.0/8 to any -> 10.0.0.6/32 port 1024:65535  
    
    # Load balancing anchor
    rdr-anchor "relayd/*"
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    # NAT Inbound Redirects
    rdr on ovpnc1 proto { tcp udp } from any to 10.0.0.6 port 5060 -> 192.168.1.3
    rdr on ovpnc1 proto { tcp udp } from any to 10.0.0.6 port 5060 -> 192.168.1.3
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    anchor "relayd/*"
    anchor "openvpn/*"
    anchor "ipsec/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log inet all label "Default deny rule IPv4"
    block out log inet all label "Default deny rule IPv4"
    block in log inet6 all label "Default deny rule IPv6"
    block out log inet6 all label "Default deny rule IPv6"
    
    # IPv6 ICMP is not auxilary, it is required for operation
    # See man icmp6(4)
    # 1    unreach         Destination unreachable
    # 2    toobig          Packet too big
    # 128  echoreq         Echo service request
    # 129  echorep         Echo service reply
    # 133  routersol       Router solicitation
    # 134  routeradv       Router advertisement
    # 135  neighbrsol      Neighbor solicitation
    # 136  neighbradv      Neighbor advertisement
    pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state
    
    # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state
    
    # We use the mighty pf, we cannot be fooled.
    block quick inet proto { tcp, udp } from any port = 0 to any
    block quick inet proto { tcp, udp } from any to any port = 0
    block quick inet6 proto { tcp, udp } from any port = 0 to any
    block quick inet6 proto { tcp, udp } from any to any port = 0
    
    # Snort package
    block quick from <snort2c>to any label "Block snort2c hosts"
    block quick from any to <snort2c>label "Block snort2c hosts"
    
    # SSH lockout
    block in log quick proto tcp from <sshlockout>to any port 22 label "sshlockout"
    
    # webConfigurator lockout
    block in log quick proto tcp from <webconfiguratorlockout>to any port 443 label "webConfiguratorlockout"
    block in quick from <virusprot>to any label "virusprot overload table"
    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
    block in log quick on $WAN from <bogons>to any label "block bogon IPv4 networks from WAN"
    block in log quick on $WAN from <bogonsv6>to any label "block bogon IPv6 networks from WAN"
    antispoof for alc0
    # block anything from private networks on interfaces with the option set
    antispoof for $WAN
    block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
    block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
    block in log quick on $WAN from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
    block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
    block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
    block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
    # allow our DHCP client out to the WAN
    pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
    pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
    # Not installing DHCP server firewall rules for WAN which is configured for DHCP.
    antispoof for fxp0
    # allow access to DHCP server on LAN
    pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in quick on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
    pass out quick on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
    # allow access to DHCPv6 server on LAN
    # We need inet6 icmp for stateless autoconfig and dhcpv6
    pass quick on $LAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 label "allow access to DHCPv6 server"
    pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server"
    pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server"
    pass quick on $LAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 label "allow access to DHCPv6 server"
    antispoof for ovpnc1
    
    # loopback
    pass in on $loopback inet all label "pass IPv4 loopback"
    pass out on $loopback inet all label "pass IPv4 loopback"
    pass in on $loopback inet6 all label "pass IPv6 loopback"
    pass out on $loopback inet6 all label "pass IPv6 loopback"
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to ( alc0 192.168.5.1 ) from 192.168.5.3 to !192.168.5.0/24 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( ovpnc1 10.0.0.5 ) from 10.0.0.6 to !10.0.0.6/32 keep state allow-opts label "let out anything from firewall host itself"
    # make sure the user cannot lock himself out of the webConfigurator or SSH
    pass in quick on fxp0 proto tcp from any to (fxp0) port { 443 80 22 } keep state label "anti-lockout rule"
    
    # User-defined rules follow
    
    anchor "userrules/*"
    pass  in  quick  on $LAN inet from 192.168.1.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
    # at the break! label "USER_RULE: Default allow LAN IPv6 to any rule"
    pass  in  quick  on $LAN inet from 192.168.1.0/24  to <negate_networks>keep state  label "NEGATE_ROUTE: Negate policy routing for destination"
    pass  in  quick  on $LAN  $GWVPNGatewaw inet from 192.168.1.0/24 to any keep state  label "USER_RULE: LAN to Internet force through VPN"
    pass  in  quick  on $LAN inet proto { tcp udp }  from any to any keep state  label "USER_RULE: lan to any"
    pass  in  quick  on $LAN inet proto tcp  from any to any flags S/SA keep state  label "USER_RULE: lan to vpn"
    pass  in  quick  on $VPNINTERFACE reply-to ( ovpnc1 10.0.0.5 )  proto { tcp udp }  from any to 192.168.1.3 port 5060 keep state  label "USER_RULE: NAT Signal"
    pass  in  quick  on $VPNINTERFACE reply-to ( ovpnc1 10.0.0.5 )  proto { tcp udp }  from any to 192.168.1.3 port 5060 keep state  label "USER_RULE: NAT RTP"
    
    # VPN Rules
    
    anchor "tftp-proxy/*"</negate_networks></bogonsv6></bogons></virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c></negate_networks></bogonsv6></bogons></virusprot></snort2c></webconfiguratorlockout></sshlockout> 
    

    if i run Diagnostics=>packet capture on VPN interface i see:

    10.0.0.1.5060 > 10.0.0.6.5060: UDP, length 725
    


  • I don't have an answer. I have the same problem. I opened the ports on the VPN server, but they still appear closed on the client side.  I don't know what I'm doing wrong.

    If you figure it out, please post what you did to fix it.



  • I had the exacy same problem for quite some time, and it's still not quite clear to me why it doesn't work, but this is what I found:

    The port forwarding itself work just fine, the problem is when you combine this with policy routing in such a way that you need a policy route to "activate" to route the traffic out through the correct interface. Since the incoming, port-forwarded packets are placed in the state table, and thus when the computer on the inside replies to that packet, the reply is automatically accepted via the state table. Because of this, the policy routing rule is never evaluated, and thus the packet defaults to the default routing table - usually ending up exiting through your WAN, not the VPN tunnel. Since these addresses are normally in a private range, the packet will just die alone in the cold in some router out there on the internet.

    In pfSense 2.1 they have made some fix to this that auto creates a "reply-to" rule when you create an incoming NAT/port forwarding. This works, and you can find it in rules.debug, but for some reason it doesn't seem to be executed correctly in all cases (not in my case atleast). What I did to correct the issue, was to make a floating rule, placed on top or near the top of the floating rules, that basicly exactly matches the auto-created interface firewall rule that the NAT/Port Forwarding rule generates. The only visible difference for me, is that this rule ends up much higher up in the rules.debug ruleset, but it makes all the difference - and suddently the portforwarding from a openVPN tunnel works perfectly.


Log in to reply