Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Port forwarding to pfsense openvpn client

    Scheduled Pinned Locked Moved OpenVPN
    3 Posts 3 Posters 2.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      marios
      last edited by

      Hi guys
      My pfsense act as a openvpn client. I have another server elsewhere which is my openvpn server.
      My problem is with port forwarding from that server to internal network behind pfsense.

      port 5060from OVPN SERVER 10.0.0.1 => OVPN Client (pfsense) 10.0.0.6 => Lan client (192.168.1.3)

      I can ping the server from any LAN  PC/device, also the server can ping the psfsense openvpn client.
      I have all the correct rules in windows firewall on my vpn server, so I have a feeling that I am missing some rule on my pfsense so it can forward port connection to LAN PC.

      Hope you can help.

      Windows server firewall log:

      
2013-10-04 23:43:40 ALLOW UDP 10.0.0.1 10.0.0.6 5060 5060 0 - - - - - - - SEND

      Port Forward:

      Rule:

      /tmp/rules.debug

      
set limit tables 3000
set optimization normal
set timeout { adaptive.start 0, adaptive.end 0 }
set limit states 330000
set limit src-nodes 330000

#System aliases

loopback = "{ lo0 }"
WAN = "{ alc0 }"
LAN = "{ fxp0 }"
VPNINTERFACE = "{ ovpnc1 }"
OpenVPN = "{ openvpn }"

#SSH Lockout Table
table <sshlockout>persist
table <webconfiguratorlockout>persist
#Snort tables
table <snort2c>table <virusprot>table <bogons>persist file "/etc/bogons"
table <bogonsv6>persist file "/etc/bogonsv6"
table <negate_networks># User Aliases 

# Gateways
GWVPNGatewaw = " route-to ( ovpnc1 10.0.0.5 ) "
GWWAN_DHCP = " route-to ( alc0 192.168.5.1 ) "
GWVPNINTERFACE_VPNV6 = " route-to ( ovpnc1 10.0.0.5 ) "

set loginterface fxp0

set skip on pfsync0

scrub on $WAN all    fragment reassemble
scrub on $LAN all    fragment reassemble
scrub on $VPNINTERFACE all    fragment reassemble

no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules
nat on $WAN  from 192.168.1.0/24 to any port 500 -> 192.168.5.3/32  static-port
nat on $WAN  from 192.168.1.0/24 to any -> 192.168.5.3/32 port 1024:65535  
nat on $WAN  from 127.0.0.0/8 to any -> 192.168.5.3/32 port 1024:65535  
nat on $VPNINTERFACE  from 192.168.1.0/24 to any port 500 -> 10.0.0.6/32  static-port
nat on $VPNINTERFACE  from 192.168.1.0/24 to any -> 10.0.0.6/32 port 1024:65535  
nat on $VPNINTERFACE  from 127.0.0.0/8 to any -> 10.0.0.6/32 port 1024:65535  

# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
# NAT Inbound Redirects
rdr on ovpnc1 proto { tcp udp } from any to 10.0.0.6 port 5060 -> 192.168.1.3
rdr on ovpnc1 proto { tcp udp } from any to 10.0.0.6 port 5060 -> 192.168.1.3
# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
anchor "openvpn/*"
anchor "ipsec/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log inet all label "Default deny rule IPv4"
block out log inet all label "Default deny rule IPv4"
block in log inet6 all label "Default deny rule IPv6"
block out log inet6 all label "Default deny rule IPv6"

# IPv6 ICMP is not auxilary, it is required for operation
# See man icmp6(4)
# 1    unreach         Destination unreachable
# 2    toobig          Packet too big
# 128  echoreq         Echo service request
# 129  echorep         Echo service reply
# 133  routersol       Router solicitation
# 134  routeradv       Router advertisement
# 135  neighbrsol      Neighbor solicitation
# 136  neighbradv      Neighbor advertisement
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state

# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state

# We use the mighty pf, we cannot be fooled.
block quick inet proto { tcp, udp } from any port = 0 to any
block quick inet proto { tcp, udp } from any to any port = 0
block quick inet6 proto { tcp, udp } from any port = 0 to any
block quick inet6 proto { tcp, udp } from any to any port = 0

# Snort package
block quick from <snort2c>to any label "Block snort2c hosts"
block quick from any to <snort2c>label "Block snort2c hosts"

# SSH lockout
block in log quick proto tcp from <sshlockout>to any port 22 label "sshlockout"

# webConfigurator lockout
block in log quick proto tcp from <webconfiguratorlockout>to any port 443 label "webConfiguratorlockout"
block in quick from <virusprot>to any label "virusprot overload table"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
block in log quick on $WAN from <bogons>to any label "block bogon IPv4 networks from WAN"
block in log quick on $WAN from <bogonsv6>to any label "block bogon IPv6 networks from WAN"
antispoof for alc0
# block anything from private networks on interfaces with the option set
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block in log quick on $WAN from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
# allow our DHCP client out to the WAN
pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.
antispoof for fxp0
# allow access to DHCP server on LAN
pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
pass out quick on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
# allow access to DHCPv6 server on LAN
# We need inet6 icmp for stateless autoconfig and dhcpv6
pass quick on $LAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 label "allow access to DHCPv6 server"
pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server"
pass quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server"
pass quick on $LAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 label "allow access to DHCPv6 server"
antispoof for ovpnc1

# loopback
pass in on $loopback inet all label "pass IPv4 loopback"
pass out on $loopback inet all label "pass IPv4 loopback"
pass in on $loopback inet6 all label "pass IPv6 loopback"
pass out on $loopback inet6 all label "pass IPv6 loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to ( alc0 192.168.5.1 ) from 192.168.5.3 to !192.168.5.0/24 keep state allow-opts label "let out anything from firewall host itself"
pass out route-to ( ovpnc1 10.0.0.5 ) from 10.0.0.6 to !10.0.0.6/32 keep state allow-opts label "let out anything from firewall host itself"
# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on fxp0 proto tcp from any to (fxp0) port { 443 80 22 } keep state label "anti-lockout rule"

# User-defined rules follow

anchor "userrules/*"
pass  in  quick  on $LAN inet from 192.168.1.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
# at the break! label "USER_RULE: Default allow LAN IPv6 to any rule"
pass  in  quick  on $LAN inet from 192.168.1.0/24  to <negate_networks>keep state  label "NEGATE_ROUTE: Negate policy routing for destination"
pass  in  quick  on $LAN  $GWVPNGatewaw inet from 192.168.1.0/24 to any keep state  label "USER_RULE: LAN to Internet force through VPN"
pass  in  quick  on $LAN inet proto { tcp udp }  from any to any keep state  label "USER_RULE: lan to any"
pass  in  quick  on $LAN inet proto tcp  from any to any flags S/SA keep state  label "USER_RULE: lan to vpn"
pass  in  quick  on $VPNINTERFACE reply-to ( ovpnc1 10.0.0.5 )  proto { tcp udp }  from any to 192.168.1.3 port 5060 keep state  label "USER_RULE: NAT Signal"
pass  in  quick  on $VPNINTERFACE reply-to ( ovpnc1 10.0.0.5 )  proto { tcp udp }  from any to 192.168.1.3 port 5060 keep state  label "USER_RULE: NAT RTP"

# VPN Rules

anchor "tftp-proxy/*"</negate_networks></bogonsv6></bogons></virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c></negate_networks></bogonsv6></bogons></virusprot></snort2c></webconfiguratorlockout></sshlockout>

      if i run Diagnostics=>packet capture on VPN interface i see:

      10.0.0.1.5060 > 10.0.0.6.5060: UDP, length 725
      1 Reply Last reply Reply Quote 0
      • D
        dalesd
        last edited by

        I don't have an answer. I have the same problem. I opened the ports on the VPN server, but they still appear closed on the client side.  I don't know what I'm doing wrong.

        If you figure it out, please post what you did to fix it.

        1 Reply Last reply Reply Quote 0
        • N
          Nadar
          last edited by

          I had the exacy same problem for quite some time, and it's still not quite clear to me why it doesn't work, but this is what I found:

          The port forwarding itself work just fine, the problem is when you combine this with policy routing in such a way that you need a policy route to "activate" to route the traffic out through the correct interface. Since the incoming, port-forwarded packets are placed in the state table, and thus when the computer on the inside replies to that packet, the reply is automatically accepted via the state table. Because of this, the policy routing rule is never evaluated, and thus the packet defaults to the default routing table - usually ending up exiting through your WAN, not the VPN tunnel. Since these addresses are normally in a private range, the packet will just die alone in the cold in some router out there on the internet.

          In pfSense 2.1 they have made some fix to this that auto creates a "reply-to" rule when you create an incoming NAT/port forwarding. This works, and you can find it in rules.debug, but for some reason it doesn't seem to be executed correctly in all cases (not in my case atleast). What I did to correct the issue, was to make a floating rule, placed on top or near the top of the floating rules, that basicly exactly matches the auto-created interface firewall rule that the NAT/Port Forwarding rule generates. The only visible difference for me, is that this rule ends up much higher up in the rules.debug ruleset, but it makes all the difference - and suddently the portforwarding from a openVPN tunnel works perfectly.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.