Netgate Discussion Forum
    [SOLVED] OpenVPN Site-to-Site Incoming Port Forward

    Category: OpenVPN | 13 Posts, 4 Posters, 3.7k Views
    meluvalli:

      I am trying to port forward from the WAN at Site A to a client on Site B and wondering if it is possible.  I already have the interface assigned on both sites so they show up as gateways, but I can't seem to figure out how to make this all work :(

      So, an example would be…

      Site A:
          External IP: 60.50.40.30 & 60.50.40.31 & 60.50.40.32 (Have 3 External WAN IP Addresses)
          Internal IP: 10.40.163.XXX
          Tunnel Network: 192.168.2.0 (Currently setup as the Client VPN)

      Site B:
          External IP: 80.70.60.40
          Internal IP: 10.40.162.XXX
          Tunnel Network: 192.168.2.0 (Currently setup as the Server VPN)

      If you go to http://60.50.40.30 I want it to point to 10.40.162.10
      If you go to http://60.50.40.31 I want it to point to 10.40.162.11

      Is this possible?

      Thanks!

      divsys:

        Perhaps I'm missing something, but I don't see where OpenVPN comes into play at all.

        Can't you just go to "Firewall->NAT->Port Forward" and set up the forwarding you need?

        -jfp

        marvosa:

          divsys, my thoughts exactly.  Requests for http://60.50.40.30 and http://60.50.40.31 are going to go over the internet.  Just set up a simple NAT.

          meluvalli:

            I tried this and it doesn't work for some reason.

            It won't open ports through the VPN…  I can only open ports to a client on the local side.  So in this case, only a client on 10.40.163.XXX side.

            If I put in a client on the VPN side (10.40.162.XXX), it fails.  So I figured there has to be something else that has to be done for this to work :(

            Also, if I look at Firewall Status, it shows it is blocking the following:

            If: WAN
            Source: 192.168.0.1
            Destination: 224.0.0.1
            Proto: IGMP

            Thanks!

            divsys:

              I still think there's some basic confusion about what you're trying to accomplish here.

              Let me try a simple diagram of what I believe your setup looks like:

              10.40.163.x (LAN) -> Site A  60.50.40.30 (WAN1) \                 / 80.70.60.40 (WAN)  Site B -> 10.40.162.x (LAN)
                                           60.50.40.31 (WAN2)  >   Internet   <
                                           60.50.40.32 (WAN3) /                 \
                                   192.168.2.0/24 (Client VPN) <---------------> 192.168.2.0/24 (Server OVPN)

              Your initial question was:

              If you go to http://60.50.40.30 I want it to point to 10.40.162.10
              If you go to http://60.50.40.31 I want it to point to 10.40.162.11

              From this I presume you have two webservers (or equivalent) running on devices at 10.40.162.10 and 10.40.162.11 at Site A.

              To enable the forwarding on 60.50.40.30 (WAN1), you would typically go to "Firewall->NAT->PortForwarding", click on "+" to add a new rule and fill in:

              Interface->WAN1
              Protocol->TCP
              Destination->WAN address
              Destination port range from:->HTTP
              Destination port range to:->HTTP
              Redirect target IP->10.40.162.10
              Redirect target port->HTTP

              Click "Save" and then "Apply Changes".

              After you've done this, any traffic to port 80 (HTTP) at 60.50.40.30 will be redirected to port 80 on 10.40.162.10.  This will work for anyone trying from the internet, it doesn't depend on the VPN connection at all.

              The one possible exception would be if some other device on the SiteA LAN (say 10.40.162.75) were to try to reach WAN1.  Since that device is already inside the firewall the NAT translation will not work properly unless you enable the "NAT reflection" flag on the port forward rule.

              That's all that's typically required.

              Also, if I look at Firewall Status, it shows it is blocking the following:

              If: WAN
              Source: 192.168.0.1
              Destination: 224.0.0.1
              Proto: IGMP

              This has nothing to do with your port forward attempts and is likely caused by some other device(s) associated with your setup.  For now they can safely be ignored.

              If you're still having trouble, post a screenshot of your Port Forward rule(s).

              -jfp

              meluvalli:

                You are close.  The only thing that looks off is you said I have two web servers at site A…  The problem is, they are actually at Site B.  Site A is 10.40.163.XXX...  Site B is 10.40.162.XXX.  So you have the correct IP addresses, just wrong Site name.

                Below is my NAT forwarding as you requested.  This screenshot is taken from Site A's pfSense box.  I have no problems opening ports for the local side, meaning 60.50.40.30 (WAN) at Site A to 10.40.163.XX (a client at Site A).  The problem is, I want a WAN on Site A to point to a client at Site B.

                Thanks for your help!!!

                [attachment: NAT.gif]

                divsys:

                  Ah, I see what you're trying to accomplish now.  You're forwarding from outside one router back through the VPN conx into a box behind the 2nd router.

                  This is doable (though I haven't set it up myself).  I tracked down a previous thread that may be helpful.

                  Take a look at this one https://forum.pfsense.org/index.php?topic=57970.msg310044#msg310044

                  -jfp

                  meluvalli:

                    Thanks for your help.  I have looked at that thread and am still unable to get it working :(

                    I'm glad to hear it's doable, now if only I knew how :(

                    Thanks!

                    Derelict (LAYER 8, Netgate):

                      The target servers at site B will have to know to forward ALL traffic back through the VPN and not out their default gateway/WAN at Site B.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      meluvalli:

                        Ok.  That worked.  I set my default gateway for the client to use the VPN.  Now all internet on that client though goes through the VPN :(.

                        Is there any way around this?  For example, I have an HTTP server on that machine, so I have to do all of port 80…  But I don't want all port 80 traffic going through the VPN.

                        Is there a way to tell it only if the request is coming from the VPN to return back through the VPN?

                        Thanks!!!

                        Derelict (LAYER 8, Netgate):

                          That's going to be a trick since your web clients can be anywhere on the internet.

                          I was thinking you could create a gateway pointing at the VPN interface at the other end, then use a firewall rule on the interface the web servers are on to direct traffic sourced from port 80 through the VPN but I don't think that'll work because it won't be a SYN packet and the states are already being established.  Big brains feel free to chime in.

                          Maybe there's a way to mark the state on ingress and use the mark on egress to point the traffic in the right direction?  Just guessing here.

                          Why not put the web server at the other site?  Or use site B's internet since the traffic's going over it anyway?


                          meluvalli:

                            Ok.  I will play around with it.  Either way, it works and I got it doing what I wanted to!  Thanks again for your help!

                            Derelict (LAYER 8, Netgate):

                              I just watched the recent gold hangout with jimp and this very topic was addressed.  I haven't done it and don't really understand it but there's a way to get reply-to working to put the return traffic back over the VPN and not out the default gateway.  The hangout is kind of a deep dive covering a lot so I'm not quite sure exactly what he's talking about…yet.

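                              The pieces the thread arrives at (divsys's WAN port forward on Site A, and the reply-to mechanism Derelict mentions last for getting replies back over the tunnel instead of Site B's default gateway) expressed as hand-written pf.conf fragments. This is an added illustration, not rules generated by pfSense or posted by anyone in the thread; the interface names (em0, ovpnc1, ovpns1) and the tunnel-peer addresses are assumptions, and only the addresses from the thread are real to the setup described.

```pf
# Added illustration: two hand-written pf.conf fragments (one per site).
# Interface names and the in-tunnel peer addresses are ASSUMED, not taken
# from the thread.

# ================= Site A (the site that owns 60.50.40.30/.31) =================
wan1       = "em0"        # assumed name of the WAN carrying 60.50.40.30/.31
ovpn_a     = "ovpnc1"     # assumed name of the OpenVPN client tunnel to Site B

# Equivalent of the Firewall->NAT->Port Forward rules divsys describes:
# port 80 on each public address goes to the matching server at Site B.
rdr on $wan1 proto tcp from any to 60.50.40.30 port 80 -> 10.40.162.10 port 80
rdr on $wan1 proto tcp from any to 60.50.40.31 port 80 -> 10.40.162.11 port 80

# Allow the translated packets in.  After rdr they are ordinary routed
# packets, so Site A's routing table must send 10.40.162.0/24 over the
# tunnel (the OpenVPN "Remote Networks" setting for Site B provides that).
pass in quick on $wan1 proto tcp from any \
    to { 10.40.162.10, 10.40.162.11 } port 80 flags S/SA keep state

# ================= Site B (the site that owns 10.40.162.0/24) =================
ovpn_b     = "ovpns1"      # assumed name of the OpenVPN server tunnel to Site A
tun_peer_a = "192.168.2.2" # assumed: Site A's address inside 192.168.2.0/24

# This is the asymmetric-routing problem in the thread: the request arrives
# over the tunnel, but the web server's reply would follow Site B's default
# route out its own WAN (80.70.60.40).  reply-to attaches the tunnel as the
# return path to the STATE created by this rule, so replies to connections
# that came in over the tunnel go back through it, while the server's other
# traffic still uses Site B's normal default gateway.  This removes the need
# for the "change the server's default gateway to the VPN" workaround.
pass in quick on $ovpn_b reply-to ($ovpn_b $tun_peer_a) proto tcp from any \
    to { 10.40.162.10, 10.40.162.11 } port 80 flags S/SA keep state
```

                              Two caveats for anyone reproducing this: Site A must not apply outbound NAT on the tunnel for this traffic, or the servers at Site B will see Site A's tunnel address as the client and reply-to is no longer needed (but the real client IP is lost in the web server logs). And reply-to only affects reply packets of the state created by that rule, so a separate rule on Site B's LAN interface is not needed for the return traffic; the state is matched on the way back.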
