Netgate Discussion Forum

    Query about the pfSense firewall and OpenVPN

    OpenVPN | 14 Posts 4 Posters 11.0k Views
      leimrod

      Ok

      I've got a working connection between a remote PC and the pfSense box in the office using OpenVPN. From this remote PC I can access the office's network share and ping the IPs in the office.

      We also use virtual soft phones in the office that connect to a PBX to make calls out over our phone lines, but when I install the virtual phone software on the remote PC and try to connect, it can't authenticate.

      I've been debugging this issue for a few days thinking it was a problem with the phone software but today I tried just disabling the firewall within pfSense (i.e. at System>Advanced functions>Traffic Shaper and Firewall Advanced>Disable Firewall) and it works. I can connect and authenticate fine and make calls out via the office phone system from a remote location.

      My question is: how is the firewall blocking this traffic, and is it possible to port forward some ports to be used by OpenVPN?

        leimrod

        Anybody? Is there any way to open up ports to be used by an OpenVPN?

          gmckinney

          Take a look at the firewall log to see what is being blocked - that may give you a clue as to what needs to be allowed through the firewall for the SIP phone to work.

          As for the actual rule for this I do not know as I do not have a SIP phone setup on my system to test it.

          gm…

            leimrod

            @gmckinney:

            Take a look at the firewall log to see what is being blocked - that may give you a clue as to what needs to be allowed through the firewall for the SIP phone to work.

            As for the actual rule for this I do not know as I do not have a SIP phone setup on my system to test it.

            gm…

            But what I'm asking is: does pfSense have the ability to open up ports to be used by OpenVPN? If I find the ports that are being blocked, will adding port forwarding rules in the firewall work for OpenVPN?

              leimrod

              Does nobody know if pfSense NAT and firewall rules affect the OpenVPN connection?

                GruensFroeschli

                They don't.
                As of right now the OpenVPN connection on pfSense is wide open.
                Plans to add firewalling capabilities for OpenVPN interfaces are in the works.

                Also, OpenVPN traffic is NOT being NATed as long as you don't create an Advanced Outbound NAT rule that says this subnet should be NATed.
                ->
                http://forum.pfsense.org/index.php/topic,7001.0.html

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                  leimrod

                  @GruensFroeschli:

                  They don't.
                  As of right now the OpenVPN connection on pfSense is wide open.
                  Plans to add firewalling capabilities for OpenVPN interfaces are in the works.

                  Also, OpenVPN traffic is NOT being NATed as long as you don't create an Advanced Outbound NAT rule that says this subnet should be NATed.
                  ->
                  http://forum.pfsense.org/index.php/topic,7001.0.html

                  So this should mean that all the ports are open when the VPN connection is made? Then how is it I'm able to connect the phone software to our PBX when the firewall is disabled, but unable to connect when it is enabled?

                  I read that page you linked to in regard to VPNs; could you elaborate on one point? I'm currently using pfSense as a load balancer and have set OpenVPN to only use the WAN connection (not Opt1).

                  @GruensFroeschli:

                  you need to have a rule above your default rule (which has the loadbalancer as gateway)
                  with destination your VPN-subnet and as gateway the default gateway (displayed as *), NOT the loadbalancer.

                  Where exactly do I need to place this rule? Could you give me an example of what it should look like?

                    GruensFroeschli

                    Place: at the top, above every other rule
                    Source: subnet-of-interface (LAN?) or any
                    Destination: OpenVPN-subnet
                    Gateway: * (<- not the loadbalancer)

                    This rule ensures that traffic destined for the OpenVPN subnet is not handled by the balancer.
                    This is because the balancer does not "know" how to reach the OpenVPN subnet.


                      leimrod

                      @GruensFroeschli:

                      Place: at the top above every other rule

                      What do you mean by "Place: at the top above every other rule"? I have rules in the NAT section, in the firewall rules section for LAN and WAN and I also have "advanced outbound NAT" rules for load balancing. Which section should I implement this rule in?

                        GruensFroeschli

                        Under Firewall.
                        The loadbalancer right now is a kind of policy routing.
                        -> You specify which gateway should be used.
                        The loadbalancer is just a "special" kind of gateway.

                        This would be the same as if you had an "all traffic from LAN always goes out OPT1" rule.
                        You then need another rule above it that says "but traffic destined for the OpenVPN subnet should use the default gateway *".

                        It has to be above because
                        @http://forum.pfsense.org/index.php/topic:

                        Rules are processed from top to bottom.
                        If a rule matches, the rest of the rules are no longer considered.
                        By default a "block all" rule is always in place (invisible, below your own rules).


                          leimrod

                          @GruensFroeschli:

                          Under Firewall

                          OK, but where under Firewall? Do I implement this rule in Firewall > Rules > LAN or Firewall > Rules > WAN?

                            GruensFroeschli

                            Did you really read the first link I posted?

                            @http://forum.pfsense.org/index.php/topic:

                            Traffic is filtered on the interface on which it comes in.
                            So traffic coming in on the LAN interface will only be processed by the rules you define on the LAN tab.

                            It depends on where your server is.


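The three points GruensFroeschli makes in the replies above (rules are evaluated top to bottom with the first match winning and an invisible "block all" at the end; the rule with destination OpenVPN-subnet and gateway * must sit above the load-balancer rule; and traffic is filtered by the tab of the interface it enters on) can be checked with a small simulation. This is an added example, not code from the thread or from pfSense itself: the LAN subnet 192.168.1.0/24, the tunnel subnet 10.8.0.0/24, the host addresses and the gateway name "LoadBalancer" are constructed for illustration, and the model ignores protocol and port matching that real pfSense rules also do.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example: a toy model of first-match rule evaluation with policy routing.
# Subnets and gateway names below are constructed, not taken from the thread.
LAN_NET = "192.168.1.0/24"   # hypothetical office LAN
VPN_NET = "10.8.0.0/24"      # hypothetical OpenVPN tunnel subnet


@dataclass
class Rule:
    action: str               # "pass" or "block"
    src: str                  # CIDR or "any"
    dst: str                  # CIDR or "any"
    gateway: str = "default"  # "default" is what the GUI shows as "*"
    comment: str = ""


def _in_net(net: str, ip: str) -> bool:
    """True if ip falls inside net; "any" matches everything."""
    if net == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def evaluate(tabs: Dict[str, List[Rule]], in_iface: str,
             src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """Walk the rules of the tab for the *ingress* interface, top to bottom.

    The first matching rule decides both the verdict and the gateway used
    for policy routing. If nothing matches, the invisible "block all"
    rule at the bottom applies.
    """
    for rule in tabs.get(in_iface, []):
        if _in_net(rule.src, src_ip) and _in_net(rule.dst, dst_ip):
            return rule.action, rule.gateway
    return "block", None


# The rule suggested in the thread: LAN -> OpenVPN subnet via the default gateway (*).
VPN_RULE = Rule("pass", LAN_NET, VPN_NET, "default",
                "LAN -> OpenVPN subnet via the default gateway (*)")
# The existing catch-all that hands LAN traffic to the load balancer.
BALANCED_RULE = Rule("pass", LAN_NET, "any", "LoadBalancer",
                     "everything else from LAN goes through the balancer")


def build_tabs(vpn_rule_on_top: bool) -> Dict[str, List[Rule]]:
    """LAN tab in the suggested order (True) or the broken order (False).

    The WAN tab is deliberately left empty: LAN rules never apply to packets
    arriving on WAN, so those fall through to the default block.
    """
    lan = [VPN_RULE, BALANCED_RULE] if vpn_rule_on_top else [BALANCED_RULE, VPN_RULE]
    return {"LAN": lan, "WAN": []}


if __name__ == "__main__":
    lan_host, vpn_client, internet_host = "192.168.1.50", "10.8.0.6", "198.51.100.7"
    for on_top in (True, False):
        tabs = build_tabs(on_top)
        print(f"VPN rule on top: {on_top}")
        print("  LAN -> VPN client :", evaluate(tabs, "LAN", lan_host, vpn_client))
        print("  LAN -> Internet   :", evaluate(tabs, "LAN", lan_host, internet_host))
        print("  WAN -> LAN host   :", evaluate(tabs, "WAN", "203.0.113.5", lan_host))
```

With the VPN rule on top, LAN-to-tunnel traffic returns ("pass", "default"), so it follows the system routing table, which knows about the tunnel. With the order reversed, the balancer rule matches first and returns ("pass", "LoadBalancer"), which is exactly the failure the thread describes: the balancer gateway has no route to the OpenVPN subnet. The empty WAN tab shows why "which tab" matters: a packet entering on WAN is never compared against LAN rules, so it hits the default block even though LAN has a pass-any rule.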
                              leimrod

                              GruensFroeschli, I have to give you a big thanks. Your help has pretty much solved the issue I was trying to fix for nearly 3 weeks now. I wasn't sure if the problem was being caused by the phone software or pfSense.

                              After implementing this rule at the top of the LAN settings, pointing all LAN traffic at the subnet I assigned for the VPN, I can now connect through with no issues.

                              BTW, you should add your solution to the wiki on setting up OpenVPN; it really is a step that shouldn't be left out.

                              Thanks again for the time and advice.

                                chazers18

                                Gruens, that is what I would have told him too. ;D

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.