Port forwarding help needed from Wolf666



  • Wolf666 wrote

    I have a port forwarding problem, too.

    My pfSense config is:

    WAN: PPPoE (ADSL 10/1)
    LAN: 192.168.1.0/24 (with dedicated Gateway WAN, dedicated DNS)
    VPN: 192.168.2.0/24 (with dedicated Gateway AirVPN_WAN, dedicated DNS)

    Port forwards are working fine for traffic redirected to LAN via WAN, but I am not able to make the same redirection to VPN clients via AIRVPN_WAN.

    My VPN provider (AIRVPN) offers port forwarding (also a DDNS service), basically offering their public IP and port, redirecting traffic to the AIRVPN server's internal address and then through the tunnel to my clients.

    Now, I have this starting situation:

    Connected to server:  XYZ (AirVPN Server)
    Mapped to public IP: xxx.xxx.xxx.xxx:1234 (AirVPN public IP)
    Forwarded to: yyy.yyy.yyy.yyy:5678 (AirVPN_WAN net); this is the same port as my internal client's

    I am pretty new to pfSense mechanisms (I am reading the book as well), but the clear-net forwards are working, so I assume I have understood the basic pfSense mechanism.

    In the past, using a Netgear Router (DD-WRT), port forwarding of VPN traffic was managed using iptables commands:

    iptables -I FORWARD -i tun1 -p udp -d destIP --dport port -j ACCEPT
    iptables -I FORWARD -i tun1 -p tcp -d destIP --dport port -j ACCEPT
    iptables -t nat -I PREROUTING -i tun1 -p tcp --dport port -j DNAT --to-destination destIP
    iptables -t nat -I PREROUTING -i tun1 -p udp --dport port -j DNAT --to-destination destIP

    Now my proposed port forwarding set up should be:

    Disabled = [ ] (unchecked)
    No RDR (NOT) = [ ] (unchecked)
    Interface = [ AirVPN_WAN ▼]
    Protocol = [ TCP/UDP ▼] (TCP, UDP or TCP/UDP depending on use)
    Source = [ ] Not (unchecked)
                  Type: [ any ▼]
                  Address: [ ]/[ 31 ▼] (blank/greyed out)
    Source port Range = from: [ Any ▼]
                                      to: [ Any ▼]
    Destination = [ ] Not (unchecked)
                        Type: [ AirVPN_WAN address ▼]
                        Address: [ ]/[ 31 ▼] (blank/greyed out)
    Destination port Range = from: [ (other) ▼] [ NOTE *1 ]
                                              to: [ (other) ▼] [ NOTE *2 ]
    *1: Port, first port of a range, or alias of ports forwarded at AirVPN.org (-> 5678 in my example above)
    *2: Same port as above, or ending port of a range forwarded at AirVPN.org
    Redirect target IP = [ NOTE *3 ]
    *3: IP of target pc/device.
    Redirect target port = [ (other) ▼] [ NOTE *4 ]
    *4: Same port as "Destination port Range = from:" as entered above (Note 1)
    Description = [✎ WHATEVER ]
    No XMLRPC Sync = [ ] (unchecked)
    NAT reflection = [ Use system default ▼]
    Filter rule association = [ Create new associated rule ▼]

    I also modified the Firewall rule in order not to use the default GW (WAN) but only the AirVPN_WAN GW.

    Well…it is not working.

    Any idea?


  • Netgate

    So what is the topology?

    Did you create an OpenVPN client connection to AIRVPN?

    Do you want to listen for inbound connections on that AIRVPN interface and port-forward those connections to a server on LAN?

    You might have to provide a detailed diagram.



  • Here is my home network (pfSense 2.2Beta, 15OCT, based on Supermicro A1SRi-2558, 8GB RAM, 4x I354 NIC):

    All clients connected to the VPN interface (192.168.2.0/24 subnet) successfully connect to AirVPN.

    Yes, I would like to listen for incoming connections on the AIRVPN interface and port forward them to the LAN (192.168.2.0/24 subnet).

    VPN Client runs with the custom option: route-nopull.

    For your information, I have working port forwards redirecting WAN to the clear-net interface (192.168.1.0/24 subnet, as shown in my diagram).

    Thanks

    PS
    It seems some other airvpn users are having the same problem: https://forum.pfsense.org/index.php?topic=82937.0


  • Netgate

    So let me upload a diagram and see if I understand the problem.

    Ignore pfSense B and C.

    You want:

    pfSense A to establish a client connection to AIRVPN.

    Create a port forward for incoming connections on pfSense A's AIRVPN address:5678 forwarded to host A2:5678

    Is this correct?




  • @Derelict:

    You want:

    pfSense A to establish a client connection to AIRVPN.

    Create a port forward for incoming connections on pfSense A's AIRVPN address:5678 forwarded to host A2:5678

    Is this correct?

    pfSense already establishes a client connection to AIRVPN servers, it works flawlessly, host A2 accesses internet via AIRVPN.

    Now I need to allow incoming connections on pfSense A's AIRVPN address:5678 forwarded to host A2:5678


  • Netgate

    This is going to take me some time (probably days) to actually mock up.

    Two things I would check:

    You assigned an interface to the AIRVPN ovpncx instance
    Rules on OpenVPN tab don't match traffic in question.

    pfSense 2.1 book section: “NAT with OpenVPN Connections”

    Excerpt From: Jim Pingle. “pfSense-2.1-book.epub.” iBooks. https://itunes.apple.com/WebObjects/MZStore.woa/wa/viewBook?id=3AC70C08837752AA49E641D5CEB871FE



  • Rules on OpenVPN tab don't match traffic in question.

    I have no rules on the OpenVPN tab. The only rules are on the AIRVPN_WAN tab and the VPN tab (VPN is the name of the former interface OPT1) and the others related to WAN and LAN (at this stage the DMZ interface, former OPT2, is off) to allow clear-internet and client subnet communication.

    I followed  these steps (brilliantly explained in https://airvpn.org/topic/11245-how-to-set-up-pfsense-21-for-airvpn/ ) :

    1 - I assigned the interface AIRVPN_WAN to ovpnc()
    2 - Created Gateway:

    Interface = [AirVPN_WAN ▼]
    Address Family = [IPv4 ▼]
    Name = [✎ AirVPN_WAN]
    Gateway = [dynamic]
    Default Gateway = [] (UNCHECKED)
    Disable Gateway Monitoring = [ ]
    Monitor IP = [10.4.0.1]
    Advanced = Unchanged
    Description = [✎ AirVPN_WAN Gateway]

    3 - Created Outbound NAT in order to route all traffic initiated on interface VPN (subnet 192.168.2.0/24) to use gateway AIRVPN_WAN

    Do not NAT = [ ] (unchecked)
    Interface = [ AirVPN_WAN ▼]
    Protocol = [ Any ▼]
    Source = Type: [ Network ▼]
                  Address: [ 192.168.2.0 ] / [ 24 ▼]
                  Source port: [ ] (empty/blank)
    Destination: Type = [ Any ▼]
    Translation: Address = [ Interface Address ]
    Description = [ AirVPN_LAN -> AirVPN_WAN ]

    4 - Created some firewall rules to avoid DNS Leak and pass VPN LAN traffic.

    Action = [ Block ▼]
    Disabled = [] Disable this rule (UNCHECKED)
    Interface = [VPN ▼]
    TCP/IP Version = [IPv4 ▼]
    Protocol = [TCP/UDP ▼]
    Source = [ ] Not    (UNCHECKED)
                  Type: [ Any ▼]
                  Address: [______] (BLANK)
    Destination = [✔] Not    (CHECKED)
                        Type: [ Single host or alias ▼]
                        Address: [10.4.0.1]
    Destination port range = From: [ DNS ▼]
                                          To: [ DNS ▼]
    Log = [✔] (CHECKED)
    Description = [✎ BLOCK_DNS_LEAKS_VPN]
    [ADVANCED FEATURES]  >  GATEWAY = [ AirVPN_WAN ▼]

    –-------------------------------------------------------------------------------------------

    Action = [ Pass ▼]
    Disabled = [] Disable this rule (UNCHECKED)
    Interface = [VPN ▼]
    TCP/IP Version = [IPv4 ▼]
    Protocol = [Any ▼]
    Source = [ ] Not (UNCHECKED)
                  Type: [ VPN Subnet ▼]
                  Address: [ ] (BLANK)
    Destination = [ ] Not (UNCHECKED)
                        Type: [ Any ▼]
                        Address: [ ] (BLANK)
    Log = [ ] (UNCHECKED)
    Description = [✎ Allow AirVPN_LAN Outbound]
    [ADVANCED FEATURES]  >  GATEWAY = [ AirVPN_WAN ▼]

    I am a Gold Member, and I am already reading the pfSense Book. Please take into consideration that I have been using pfSense for 10 days... I have built my own appliance. I am a hobbyist with some skills (I came from several years of openWRT / DD-WRT routers) but am totally new to pfSense.

    Thank you very much for your time, I will continue to make my tests and read logs.


  • Netgate

    What are your rules on the AIRVPN_WAN interface?

    What are your rules on the OpenVPN Tab?



  • @Derelict:

    What are your rules on the AIRVPN_WAN interface?

    What are your rules on the OpenVPN Tab?

    Since I deleted the port forwarding rules, for both:

    "No rules are currently defined for this interface
    All incoming connections on this interface will be blocked until you add pass rules."

    Now I'll set up the port forwarding and report back in a few minutes



  • Port Forward

    AIRVPN_WAN TCP * * AIRVPN_WAN address 9091 192.168.2.10 9091

    Firewall (AIRVPN_WAN Tab):

    IPv4 TCP * * 192.168.2.10 9091 AIRVPN_WAN none

    Firewall (OpenVPN Tab):

    No rules are currently defined for this interface
    All incoming connections on this interface will be blocked until you add pass rules.

    For info the port forwarding:
    WAN TCP * * WAN address 21000 192.168.1.6 11678

    With firewall rule on WAN tab:
    IPv4 TCP * * 192.168.1.6 11678 * none

    Works.

    The default gateway is WAN (*)


  • Netgate

    Firewall (AIRVPN_WAN Tab):

    IPv4 TCP  *  *  192.168.2.10  9091  AIRVPN_WAN  none

    Try getting rid of that gateway and setting the rule to default.  That's wrong.  That says that traffic received by pfSense in interface AIRVPN_WAN (from AIRVPN) should use AIRVPN_WAN as the gateway.



  • @Derelict:

    Firewall (AIRVPN_WAN Tab):

    IPv4 TCP  *  *  192.168.2.10  9091  AIRVPN_WAN  none

    Try getting rid of that gateway and setting the rule to default.  That's wrong.  That says that traffic received by pfSense in interface AIRVPN_WAN (from AIRVPN) should use AIRVPN_WAN as the gateway.

    OK modification done

    IPv4 TCP/UDP * * 192.168.2.10 9091 * none

    Looking at Firewall log:

    PASS - Oct 16 20:49:08 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:36454           192.168.2.10:9091 TCP:S

    PASS - Oct 16 20:48:55 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:50755           192.168.2.10:9091 UDP

    BLOCK - Oct 16 20:50:41 VPN Default deny rule IPv4 (1000000101)                          192.168.2.10:9091          95.211.138.143:36454 TCP:SA

    BLOCK - Oct 16 20:49:53 Direction=OUT WAN Default deny rule IPv4 (1000000102)  192.168.2.10:9091     95.211.138.143:36454 TCP:SA

    So the Port forwarding rule is correctly applied but the acknowledgement is blocked.

    TCP:SA is blocked because of the following:

    Outbound NAT

    PASS AIRVPN_WAN 192.168.2.0/24 * * * AIRVPN_WAN address *

    Firewall Rule (VPN Tab)

    BLOCK IPv4 TCP/UDP * * ! 10.4.0.1 53 (DNS) AIRVPN_WAN_GW none
    PASS IPv4 TCP/UDP VPN net * * * AIRVPN_WAN_GW none

    Basically I created my Home Lan in order to allow clients connected to VPN interface to go through AIRVPN Tunnel always, using AIRVPN DNS only.

    I thought TCP:SA was routed via established tunnel as well, automatically.


  • Netgate

    The times on that log snippet don't make a lot of sense.

    PASS - Oct 16 20:49:08  AIRVPN_WAN  USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:36454            192.168.2.10:9091  TCP:S

    PASS - Oct 16 20:48:55  AIRVPN_WAN  USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:50755            192.168.2.10:9091  UDP

    BLOCK - Oct 16 20:50:41  VPN  Default deny rule IPv4 (1000000101)                          192.168.2.10:9091          95.211.138.143:36454  TCP:SA

    BLOCK - Oct 16 20:49:53  Direction=OUT WAN  Default deny rule IPv4 (1000000102)  192.168.2.10:9091      95.211.138.143:36454  TCP:SA

    There's like minutes between the S and SA in that log snippet.

    If you look at Diagnostics->States and filter on 192.168.2.10 or maybe 9091, what states are there when the VPN client is trying to connect inbound on 9091?



  • Here are the states:

    AIRVPN_WAN udp 192.168.2.10:9091 (10.4.102.214:9091) <- 95.211.138.143:47494 NO_TRAFFIC:SINGLE

    VPN udp 95.211.138.143:47494 -> 192.168.2.10:9091 SINGLE:NO_TRAFFIC


  • Netgate

    I'm confused now.  Is this TCP or UDP traffic you're trying to forward.  When you tried it that time were there any firewall log hits?



  • @Derelict:

    I'm confused now.  Is this TCP or UDP traffic you're trying to forward.  When you tried it that time were there any firewall log hits?

    Sorry, it was midnight in Italy... and I got confused. My goal is to forward both TCP and UDP as suggested by AirVPN. I did that in the past with iptables.

    Back to the problem

    Settings:

    PF

    AIRVPN_WAN  TCP/UDP  *  *  AIRVPN_WAN address  9091  192.168.2.10  9091

    Firewall (AIRVPN_WAN Tab):

    IPv4 TCP/UDP  *  *  192.168.2.10  9091  AIRVPN_WAN  none

    Firewall LOG

    PASS - Oct 16 20:49:08  AIRVPN_WAN  USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:36454            192.168.2.10:9091  TCP:S

    PASS - Oct 16 20:48:55  AIRVPN_WAN  USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:50755            192.168.2.10:9091  UDP

    BLOCK - Oct 16 20:50:41  VPN  Default deny rule IPv4 (1000000101)                          192.168.2.10:9091          95.211.138.143:36454  TCP:SA

    BLOCK - Oct 16 20:49:53  Direction=OUT WAN  Default deny rule IPv4 (1000000102)  192.168.2.10:9091      95.211.138.143:36454  TCP:SA

    State

    AIRVPN_WAN  udp  192.168.2.10:9091 (10.4.102.214:9091) <- 95.211.138.143:47494  NO_TRAFFIC:SINGLE

    VPN  udp  95.211.138.143:47494 -> 192.168.2.10:9091  SINGLE:NO_TRAFFIC

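    The firewall-log lines and state entries quoted in this post (and in the earlier one with the same log) show the whole symptom: the SYN is passed in on AIRVPN_WAN by the NAT rule, but the SYN/ACK from 192.168.2.10 is then dropped by the default deny on VPN and again leaving via WAN, and the UDP states show one side sending and the other side silent. The following script is an added example, not part of the thread or of pfSense: it parses lines in the format the poster pasted (the 2.2 web GUI display format, as reconstructed from those lines; the raw filterlog format on disk is different and is not handled) and pairs every passed inbound packet with blocked packets of the reverse 5-tuple, flagging replies that try to leave on an interface other than the one the connection arrived on. The sample lines are the ones quoted above, whitespace normalised.

```python
"""Pair forwarded packets with their blocked replies in pfSense log output.

Added example, not from the forum thread or from pfSense. The log and
state formats below are reconstructed from the lines pasted in the
thread (web GUI display format), not from pfSense's on-disk filterlog.
"""
import re
from collections import namedtuple

# Constructed sample input: the four log lines and two states quoted in the thread.
SAMPLE_LOG = [
    "PASS - Oct 16 20:49:08 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:36454 192.168.2.10:9091 TCP:S",
    "PASS - Oct 16 20:48:55 AIRVPN_WAN USER_RULE NAT Test Trasm (1413477300) 95.211.138.143:50755 192.168.2.10:9091 UDP",
    "BLOCK - Oct 16 20:50:41 VPN Default deny rule IPv4 (1000000101) 192.168.2.10:9091 95.211.138.143:36454 TCP:SA",
    "BLOCK - Oct 16 20:49:53 Direction=OUT WAN Default deny rule IPv4 (1000000102) 192.168.2.10:9091 95.211.138.143:36454 TCP:SA",
]
SAMPLE_STATES = [
    "AIRVPN_WAN udp 192.168.2.10:9091 (10.4.102.214:9091) <- 95.211.138.143:47494 NO_TRAFFIC:SINGLE",
    "VPN udp 95.211.138.143:47494 -> 192.168.2.10:9091 SINGLE:NO_TRAFFIC",
]

LOG_RE = re.compile(
    r"^(?P<action>PASS|BLOCK)\s+-\s+"
    r"(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?:Direction=(?P<direction>IN|OUT)\s+)?"      # absent in the GUI means inbound
    r"(?P<iface>\S+)\s+"
    r"(?P<rule>.+?)\s+\((?P<ruleid>\d+)\)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+"
    r"(?P<proto>TCP(?::[A-Z]+)?|UDP)$"
)
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\w+)\s+(?P<left>\S+)"
    r"(?:\s+\((?P<nat>[^)]+)\))?\s+(?P<arrow><-|->)\s+(?P<right>\S+)\s+(?P<state>\S+)$"
)

Entry = namedtuple("Entry", "action ts direction iface rule ruleid src sport dst dport proto flags")


def parse_log_line(line):
    """Parse one GUI-format log line into an Entry, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    proto, _, flags = m["proto"].partition(":")   # "TCP:SA" -> ("TCP", "SA")
    return Entry(m["action"], m["ts"], m["direction"] or "IN", m["iface"], m["rule"],
                 int(m["ruleid"]), m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                 proto, flags)


def find_blocked_replies(entries):
    """For every passed inbound packet, collect BLOCK entries for the reverse 5-tuple.

    A reply blocked while leaving (Direction=OUT) on an interface other than the
    one the connection arrived on is the asymmetric-routing symptom: the reply is
    following the default route instead of returning through the interface the
    SYN came in on, which is what pf's reply-to on the inbound rule normally fixes.
    """
    findings = []
    for fwd in entries:
        if fwd.action != "PASS" or fwd.direction != "IN":
            continue
        replies = [e for e in entries
                   if e.action == "BLOCK" and e.proto == fwd.proto
                   and (e.src, e.sport, e.dst, e.dport) == (fwd.dst, fwd.dport, fwd.src, fwd.sport)]
        if not replies:
            continue
        wrong_exit = sorted({e.iface for e in replies if e.direction == "OUT" and e.iface != fwd.iface})
        findings.append({
            "proto": fwd.proto,
            "client": "%s:%d" % (fwd.src, fwd.sport),
            "server": "%s:%d" % (fwd.dst, fwd.dport),
            "arrived_on": fwd.iface,
            "reply_blocked_on": [(e.iface, e.direction, e.flags) for e in replies],
            "wrong_exit_via": wrong_exit,
        })
    return findings


def unanswered_states(lines):
    """Return parsed states where one side sent traffic and the other sent nothing.

    For UDP, SINGLE:NO_TRAFFIC / NO_TRAFFIC:SINGLE means the forwarded packet
    created a state but no reply ever travelled back through it.
    """
    out = []
    for line in lines:
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        sides = m["state"].split(":")
        if len(sides) == 2 and sides.count("NO_TRAFFIC") == 1:
            out.append(m.groupdict())
    return out


def diagnose(log_lines=SAMPLE_LOG, state_lines=SAMPLE_STATES):
    """Run both checks over the given lines and return the combined findings."""
    entries = [e for e in map(parse_log_line, log_lines) if e]
    return {"blocked_replies": find_blocked_replies(entries),
            "unanswered_states": unanswered_states(state_lines)}


if __name__ == "__main__":
    result = diagnose()
    for f in result["blocked_replies"]:
        print("%s %s -> %s arrived on %s; reply blocked on %s; wrong exit via %s"
              % (f["proto"], f["client"], f["server"], f["arrived_on"],
                 f["reply_blocked_on"], f["wrong_exit_via"] or "none"))
    for s in result["unanswered_states"]:
        print("one-way %s state on %s: %s %s %s (%s)"
              % (s["proto"], s["iface"], s["left"], s["arrow"], s["right"], s["state"]))
```

    On the thread's lines the script reports one TCP flow that arrived on AIRVPN_WAN whose SYN/ACK was blocked on VPN (inbound) and on WAN (outbound), and two one-way UDP states; the UDP PASS has no blocked reply at all because nothing ever answered. To use it on your own box, paste the rows from Status > System Logs > Firewall and Diagnostics > States filtered on the forwarded host into the two lists.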


  • Could it be related to this bug: https://redmine.pfsense.org/issues/3760 ?

    I am using 2.2Beta (16OCT)


  • Netgate

    I had no idea this was 2.2.  Sorry.  Can't help with that.  There's a feedback and problems thread for 2.2.  I don't know if it's a problem or if there's something misconfigured, but I'm staying away from 2.2; no time.



  • @Derelict:

    I had no idea this was 2.2.  Sorry.  Can't help with that.  There's a feedback and problems thread for 2.2.  I don't know if it's a problem or if there's something misconfigured, but I'm staying away from 2.2; no time.

    Thank you for your time.


  • Netgate

    If you refer to the document in https://forum.pfsense.org/index.php?topic=82944.msg454035#msg454035 I created a connection to VPNBOOK on pfSense A and successfully made Host B1 egress to the internet via OpenVPN to pfSense A then out the VPNBOOK connection.  Everything "just worked" as expected.

    Unfortunately, I can't build your specific config because I don't have a VPN provider that will give me a port forward.  I have asked airvpn for a trial account.



  • It should be a simple problem:

    Once the remote AirVPN server NAT is ready, I have a real AIRVPN_Public_IP; any hit to AIRVPN_Public_IP:port is NAT'd to the internal AIRVPN_IP:port, and that traffic should go straight inside the tunnel toward the endpoint, my pfSense AIRVPN_WAN IP (same as AIRVPN_IP:port).

    That said, my only action in pfSense should be a simple NAT to MyClient_IP:port, letting pfSense create the associated firewall rule automatically.


  • Netgate

    You're right.  It should be that simple.  If AIRVPN gives me an account and I can mock it up here, then maybe you can file a bug report if you do the same thing and it doesn't work in 2.2.


  • Netgate

    AIRVPN just sent a 3-day coupon to me.  I don't want to start the clock until I know you still need help with this.  Do you?



  • @Derelict:

    AIRVPN just sent a 3-day coupon to me.  I don't want to start the clock until I know you still need help with this.  Do you?

    Hi Derelict,

    yes, I am still not able to make it work. I have also started packet captures and am reading the output in Wireshark.

    Again, I confirm that port forwarding on the clear-net side (WAN) is working pretty well.



  • "My VPN provider (AIRVPN) offers port forwarding (also a DDNS service), basically offering their public ip and port to redirecting traffic to AIRVPN servers internal address and then go via tunnel to my clients."

    so  - 1 public IP at the VPN service provider and many potential clients to possibly NAT that 1 port to?

    So what if in the highly unlikely (very likely) event that 10 customers all want port 25?  or 80?  or 443?

    Then what?



  • Each customer of AirVPN has 20 ports assigned on a random basis; it is impossible for 2 customers to share the same port.

    Ref.: https://airvpn.org/faq/port_forwarding/

    BTW, that solution has been working for 1 year with my WNDR37000 (openWRT) and R7000 (DD-WRT).

    Now, I think my setup in pfSense is conflicting with the bug still open in 2.2Beta: I am using 2 subnets, one dedicated to VPN only, with its own dedicated gateway.



  • That would do it.  I was just wondering if there would be some sort of first come first served policy for the ports.



  • Are you using manual outbound NAT?



  • @kejianshi:

    Are you using manual outbound NAT?

    Yes.
    2 rules:
    1 to route LAN to WAN
    2 to route VPN (OPT1) to AIRVPN_WAN

    I have also firewall rules consistent with my setup. Everything is working pretty fine, also port forwarding from WAN (clear internet) is working.



  • Let's say, just for instance, that you have a specific machine on the LAN and you want ALL of its outbound traffic to go out over the VPN.

    You could make that happen with manual outbound NAT.

    So, for instance, if traffic is forwarded from your VPN into pfSense and on to a server on your LAN, and you want outbound traffic to exit on the same interface it came in on, then if manual outbound NAT for that machine's IP is set to your AIRVPN_WAN instead of your WAN, all the traffic should go out over the VPN.  That rule should be at the top.

    I've done this with pfSense before but not with 2.2, so it seems like it should work, but I'm not 100% sure.

    If you wish to try, back up your settings first so it's easy to go back if you don't like the results.



  • @kejianshi:

    Let's say, just for instance, that you have a specific machine on the LAN and you want ALL of its outbound traffic to go out over the VPN.

    You could make that happen with manual outbound NAT.

    So, for instance, if traffic is forwarded from your VPN into pfSense and on to a server on your LAN, and you want outbound traffic to exit on the same interface it came in on, then if manual outbound NAT for that machine's IP is set to your AIRVPN_WAN instead of your WAN, all the traffic should go out over the VPN.  That rule should be at the top.

    I've done this with pfSense before but not with 2.2, so it seems like it should work, but I'm not 100% sure.

    If you wish to try, back up your settings first so it's easy to go back if you don't like the results.

    I use manual outbound NAT and it is working; I know there is a bug in 2.2Beta related to routing with several gateways.



  • That's quite a bug…





  • OK, problem fixed.

    Port forwarding is working; the problem was definitely this: https://redmine.pfsense.org/issues/3760.

    PS
    Please MOD you can put a big SOLVED in the title!