[Solved!] NAT port to machine behind VPN client connection



  • Hi everyone,

    I'm having a problem opening a port for Transmission, and I'm looking for your help to get it sorted.
    My setup is as follows:

    • running pfSense 2.1

    • interfaces: WAN, VPNME, LAN, SECURELAN

• NAS running Transmission on port 51413 has 2 IPs: 192.168.13.6 (on LAN) and 192.168.14.2 (on SECURELAN)

    • SECURELAN is an interface assigned to an OpenVPN client connection (VPNME)

    • Transmission is bound to IPv4 address 192.168.14.2 to send all traffic over the VPN

Every device that is connected to the SECURELAN interface will route its WAN traffic over the VPNME client connection.
    All other devices route their WAN traffic over the WAN connection.

    I have configured a NAT port forward on the VPNME interface to forward all incoming traffic on port 51413 with a destination address in the VPNME subnet to IP 192.168.14.2 (SECURELAN) port 51413.

    This automatically created a firewall rule on the VPNME tab to pass traffic destined for the IP 192.168.14.2 on port 51413.

    I have the following rules in place on the SECURELAN tab:

    This basically says that traffic from SECURELAN to LAN is allowed and that all other traffic should be routed over the VPNME gateway.

    I have the following gateways in place:

    The interfaces don't show any errors and Transmission works fine downloading & uploading.

    However, Transmission still shows the port as "closed":

    So I must be doing something wrong here, but I cannot for the life of me figure out what that might be.
    Can anyone set me in the right direction?



  • I got it solved  :)

    For anyone else in this situation: the port forwarding must be done by the VPN server as well as by pfSense.
    I was missing the part about the VPN server needing to forward the ports also.

    My tunnel was configured to use NAT instead of a direct connection, and it was not forwarding any ports.
    Once I changed this to use a direct connection and forward port 51413 through the tunnel, the problem was solved  :).
