Port forwarding help needed from Wolf666
-
Wolf666 wrote
I have a a port forwarding problem, too.
My pfSense config is:
WAN: PPPoE (ADSL 10/1)
LAN: 192.168.1.0/24 ((with dedicated Gateway WAN, dedicated DNS)
VPN: 192.1368.2.0/24 (with dedicated Gateway AirVPN_WAN, dedicated DNS)Port forwardings are working fine for traffic redirected to LAN via WAN, I am not able to make the same redirecting to VPN clients via AIRVPN_WAN.
My VPN provider (AIRVPN) offers port forwarding (also a DDNS service), basically offering their public ip and port to redirecting traffic to AIRVPN servers internal address and then go via tunnel to my clients.
Now, I have this starting situation:
Connected to server: XYZ (AirVPN Server)
Mapped to public IP: xxx.xxx.xxx.xxx:1234 (AirVPN Pubblic IP)
Forwarded to: yyy.yyy.yyy.yyy: 5678 (AirVPN_WAN net) is the same port of my internal clientI am pretty new on pfSense mechanisms (I am reading the book also) but the clear net forwardings are working, so I assume I have understood the basic pfSense mechanism.
In the past, using a Netgear Router (DD-WRT), port forwarding of VPN traffic was managed using iptables commands:
iptables -I FORWARD -i tun1 -p udp -d destIP –dport port -j ACCEPT
iptables -I FORWARD -i tun1 -p tcp -d destIP --dport port -j ACCEPT
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport port -j DNAT --to-destination destIP
iptables -t nat -I PREROUTING -i tun1 -p udp --dport port -j DNAT --to-destination destIPNow my proposed port forwarding set up should be:
Disabled = [] (unchecked)
No RDR (NOT) = [] (unchecked)
Interface = [ AirVPN_WAN ▼]
Protocol = [ TCP/UDP ▼] (TCP, UDP or TCP/UDP depending on uses)
Source = [] not (unchecked)
Type: [ any ▼]
Address: []/[ 31 ▼](Blank/Greyed out)
Source port Range = from: [ Any ▼]
to: [ Any ▼]
Destination = [] Not (UNCHECKED)
Type: [ AirVPN_WAN address ▼]
Address: [_]/[ 31 ▼](Blank/Greyed out)
Destination port Range = from: [ (other) ▼] [ NOTE *1]
to: [ (other) ▼] [ NOTE *2 ]
*1: Port, first port of a range or Alias of ports forwarded at AirVPN.org –->5678 in my example above)
*2: Same port as above or ending port of a range forwarded at AirVPN.org
Redirect target IP = [ NOTE *3 ]
*3: IP of target pc/device.
Redirect target port = [ (other) ▼] [ NOTE *4 ]
*4: Same port as “Destination port Range = from:” as entered above (Note 1)
Description = [✎ WHATEVER ]
No XMLRPC Sync = [] (unchecked)
NAT reflection = [ Use system default ▼]
Filter rule association = [ Create new associated rule ▼]I also modified the Firewall rule in order not to use the default GW (WAN) but only the AirVPN_WAN GW.
Well…it is not working.
Any idea?
-
So what is the topology?
Did you create an OpenVPN client connection to AIRVPN?
Do you want to listen for inbound connections on that AIRVPN interface and port-forward those connections to a server on LAN?
You might have to provide a detailed diagram.
-
Here my home network (pfSense 2.2Beta, 15OCT, based on Supermicro A1SRi-2558, 8GBRAM, 4xI354 NIC):
All clients connected to VPN interface (192.168.2.0/24 subnet) succesfully connect to AirVPN.
Yes I would like to listen for incoming connection on AIRVPN interface and port forward to LAN (192.168.2.0/24 subnet).
VPN Client runs with the custom option: route-nopull.
For your information, I have working port forwardings redirecting WAN to the clear net interface (192.168.1.0/24 subnet, as showed in my diagram).
Thanks
PS
It seems some other airvpn users are having the same problem: https://forum.pfsense.org/index.php?topic=82937.0 -
So let me upload a diagram and see if I understand the problem.
Ignore pfSense B and C.
You want:
pfSense A to establish a client connection to AIRVPN.
Create a port forward for incoming connections on pfSense A's AIRVPN address:5678 forwarded to host A2:5678
Is this correct?
-
You want:
pfSense A to establish a client connection to AIRVPN.
Create a port forward for incoming connections on pfSense A's AIRVPN address:5678 forwarded to host A2:5678
Is this correct?
pfSense already establishes a client connection to AIRVPN servers, it works flawlessly, host A2 accesses internet via AIRVPN.
Now a need to allow incoming connections on pfSense A's AIRVPN address:5678 forwarded to host A2:5678
-
This is going to take me some time (probably days) to actually mock up.
Two things I would check:
You assigned an interface to the AIRVPN ovpncx instance
Rules on OpenVPN tab don't match traffic in question.pfSense 2.1 book section: “NAT with OpenVPN Connections”
Excerpt From: Jim Pingle. “pfSense-2.1-book.epub.” iBooks. https://itunes.apple.com/WebObjects/MZStore.woa/wa/viewBook?id=3AC70C08837752AA49E641D5CEB871FE
-
Rules on OpenVPN tab don't match traffic in question.
I have no rules on OpenVPN tab. The only rules are on AIRVPN_WAN tab and VPN tab (VPN is the name of the former interface OPT1) and the others related to WAN and LAN (at this stage DMZ interface, former OPT2, is off) to allow clear-internet and client subnet communication.
I followed these steps (brilliantly explained in https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/ ) :
1 - I assigned the interface AIRVPN_WAN to ovpnc()
2 - Created Gateway:Interface = [AirVPN_WAN ▼]
Address Family = [IPv4 ▼]
Name = [✎ AirVPN_WAN]
Gateway = [dynamic]
Default Gateway = [] (UNCHECKED)
Disable Gateway Monitoring = []
Monitor IP = [10.4.0.1]
Advanced = Unchanged
Description = [✎ AirVPN_WAN Gateway]3 - Created Outbound Nat in order to route all traffic initiated in interface VPN (subnet 192.168.2.0/24) to use gateway AIRVPN_WAN
D
(unchecked)
Interface = [ AirVPN_WAN ▼]
Protocol = [ Any ▼]
Source = Type: [ Network ▼]
Address: [ 192.168.2.0 ] / [ 24 ▼]
Source port: [_____] (empty/blank)
Destination: Type = [ Any ▼]
Translation: Address = [ Interface Address ]
Description = [ AirVPN_LAN -> AirVPN_WAN ]4 - Created some firewall rules to avoid DNS Leak and pass VPN LAN traffic.
Action = [ Block ▼]
Disabled = [] Disable this rule (UNCHECKED)
Interface = [VPN ▼]
TCP/IP Version = [IPv4 ▼]
Protocol = [TCP/UDP ▼]
Source = [] Not (UNCHECKED)
Type: [ Any ▼]
Address: [______] (BLANK)
Destination = [] Not (CHECKED)
Type: [ Single host or alias ▼]
Address: [10.4.0.1]
Destination port range = From: [ DNS ▼]
To: [ DNS ▼]
Log = [] (CHECKED)
Description = [✎ BLOCK_DNS_LEAKS_VPN]
[ADVANCED FEATURES] > GATEWAY = [ AirVPN_WAN ▼]–-------------------------------------------------------------------------------------------
Action = [ Pass ▼]
Disabled = [] Disable this rule (UNCHECKED)
Interface = [VPN ▼]
TCP/IP Version = [IPv4 ▼]
Protocol = [Any ▼]
Source = [] Not (UNCHECKED)
Type: [ VPN Subnet ▼]
Address: [] (BLANK)
Destination = [] Not (UNCHECKED)
Type: [ Any ▼]
Address: [] (BLANK)
Log = [] (UNCHECKED)
Description = [✎ Allow AirVPN_LAN Outbound]
[ADVANCED FEATURES] > GATEWAY = [ AirVPN_WAN ▼]I am a Gold Member, I am already reading the pfSense Book. Please take in consideration I am being using pfSense for 10 days….I have built my own appliance. I am an hobbyist with some skills (I came from several years of openWRT / DD-WRT routers) but totally new on pfSense.
Thank you very much for your time, I will continue to make my tests and read logs.
-
What are your rules on the AIRVPN_WAN interface?
What are your rules on the OpenVPN Tab?
-
What are your rules on the AIRVPN_WAN interface?
What are your rules on the OpenVPN Tab?
Since I cancelled the Port forwardings rules, for both:
"No rules are currently defined for this interface
All incoming connections on this interface will be blocked until you add pass rules."Now I setup the port forwarding and I report back in minutes
-
Port Forward
AIRVPN_WAN TCP * * AIRVPN_WAN address 9091 192.168.2.10 9091
Firewall (AIRVPN_WAN Tab):
IPv4 TCP * * 192.168.2.10 9091 AIRVPN_WAN none
Firewall (OpenVPN Tab):
No rules are currently defined for this interface
All incoming connections on this interface will be blocked until you add pass rules.For info the port forwarding:
WAN TCP * * WAN address 21000 192.168.1.6 11678With firewall rule on WAN tab:
IPv4 TCP * * 192.168.1.6 11678 * noneWorks.
The default gateway is WAN (*)
-
Firewall (AIRVPN_WAN Tab):
IPv4 TCP * * 192.168.2.10 9091 AIRVPN_WAN none
Try getting rid of that gateway and setting the rule to default. That's wrong. That says that traffic received by pfSense in interface AIRVPN_WAN (from AIRVPN) should use AIRVPN_WAN as the gateway.
-
Firewall (AIRVPN_WAN Tab):
IPv4 TCP * * 192.168.2.10 9091 AIRVPN_WAN none
Try getting rid of that gateway and setting the rule to default. That's wrong. That says that traffic received by pfSense in interface AIRVPN_WAN (from AIRVPN) should use AIRVPN_WAN as the gateway.
OK modification done
IPv4 TCP/UDP * * 192.168.2.10 9091 * none
Looking at Firewall log:
PASS - Oct 16 20:49:08 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:36454 192.168.2.10:9091 TCP:S
PASS - Oct 16 20:48:55 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:50755 192.168.2.10:9091 UDP
BLOCK - Oct 16 20:50:41 VPN Default deny rule IPv4 (1000000101) 192.168.2.10:9091 95.211.138.143:36454 TCP:SA
BLOCK - Oct 16 20:49:53 Direction=OUT WAN Default deny rule IPv4 (1000000102) 192.168.2.10:9091 95.211.138.143:36454 TCP:SA
So the Port forwarding rule is correctly applied but the acknowledgement is blocked.
TCP:SA is blocked because of the following:
Outbound NAT
PASS AIRVPN_WAN 192.168.2.0/24 * * * AIRVPN_WAN address *
Firewall Rule (VPN Tab)
BLOCK IPv4 TCP/UDP * * ! 10.4.0.1 53 (DNS) AIRVPN_WAN_GW none
PASS IPv4 TCP/UDP VPN net * * * AIRVPN_WAN_GW noneBasically I created my Home Lan in order to allow clients connected to VPN interface to go through AIRVPN Tunnel always, using AIRVPN DNS only.
I thought TCP:SA was routed via established tunnel as well, automatically.
-
The times on that log snippet don't make a lot of sense.
PASS - Oct 16 20:49:08 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:36454 192.168.2.10:9091 TCP:S
PASS - Oct 16 20:48:55 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:50755 192.168.2.10:9091 UDP
BLOCK - Oct 16 20:50:41 VPN Default deny rule IPv4 (1000000101) 192.168.2.10:9091 95.211.138.143:36454 TCP:SA
BLOCK - Oct 16 20:49:53 Direction=OUT WAN Default deny rule IPv4 (1000000102) 192.168.2.10:9091 95.211.138.143:36454 TCP:SA
There's like minutes between the S and SA in that log snippet.
If you look at Diagnostics->States and filter on 192.168.2.10 or maybe 9091, what states are there when the VPN client is trying to connect inbound on 9091?
-
Here the states:
AIRVPN_WAN udp 192.168.2.10:9091 (10.4.102.214:9091) <- 95.211.138.143:47494 NO_TRAFFIC:SINGLE
VPN udp 95.211.138.143:47494 -> 192.168.2.10:9091 SINGLE:NO_TRAFFIC
-
I'm confused now. Is this TCP or UDP traffic you're trying to forward. When you tried it that time were there any firewall log hits?
-
I'm confused now. Is this TCP or UDP traffic you're trying to forward. When you tried it that time were there any firewall log hits?
Sorry it was midnight in Italy …. and I made some confusion. My goal is to forward both TCP/UDP as suggested by AirVPN. I did that in the past with iptables.
Back to the problem
Settings:
PF
AIRVPN_WAN TCP/UDP * * AIRVPN_WAN address 9091 192.168.2.10 9091
Firewall (AIRVPN_WAN Tab):
IPv4 TCP/UDP * * 192.168.2.10 9091 AIRVPN_WAN none
Firewall LOG
PASS - Oct 16 20:49:08 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:36454 192.168.2.10:9091 TCP:S
PASS - Oct 16 20:48:55 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:50755 192.168.2.10:9091 UDP
BLOCK - Oct 16 20:50:41 VPN Default deny rule IPv4 (1000000101) 192.168.2.10:9091 95.211.138.143:36454 TCP:SA
BLOCK - Oct 16 20:49:53 Direction=OUT WAN Default deny rule IPv4 (1000000102) 192.168.2.10:9091 95.211.138.143:36454 TCP:SA
State
AIRVPN_WAN udp 192.168.2.10:9091 (10.4.102.214:9091) <- 95.211.138.143:47494 NO_TRAFFIC:SINGLE
VPN udp 95.211.138.143:47494 -> 192.168.2.10:9091 SINGLE:NO_TRAFFIC
-
Can be releted to that bug: https://redmine.pfsense.org/issues/3760 ?
I am using 2.2Beta (16OCT)
-
I had no idea This was 2.2. Sorry. Can't help with that. there's a 2.2 feedback and problems thread for 2.2 feedback. I don't know if it's a problem or if there's something misconfigured but I'm staying away from 2.2 no time.
-
I had no idea This was 2.2. Sorry. Can't help with that. there's a 2.2 feedback and problems thread for 2.2 feedback. I don't know if it's a problem or if there's something misconfigured but I'm staying away from 2.2 no time.
Thank you for your time.
-
If you refer to the document in https://forum.pfsense.org/index.php?topic=82944.msg454035#msg454035 I created a connection to VPNBOOK on pfSense A and successfully made Host B1 egress to the internet via OpenVPN to pfSense A then out the VPNBOOK connection. Everything "just worked" as expected.
Unfortunately, I can't build your specific config because I don't have a VPN provider that will give me a port forward. I have asked airvpn for a trial account.