Netgate Discussion Forum
    NAT port forward over VPN

    dpedu

      Hey guys!

      I'm trying to forward a port from one pfsense setup to a server on the LAN of another pfsense setup, over a VPN that the two are linked by. I've been following this thread but haven't had much success: https://forum.pfsense.org/index.php?topic=57970.0

      The two sites:

      Far side: (vpn server)
      Public 1.2.3.4
      VPN address: 192.168.230.1

      Near side: (vpn client, and where the destination server is)
      Public 5.6.7.8
      VPN address: 192.168.230.2
      LAN: 192.168.1.0/24

      The port in question is port 222, so the idea is that any tcp connection made to 1.2.3.4:222 eventually gets routed to 192.168.1.200:222, a server on the "Near side".

      I'm able to do this while SSHed into the "Far side" already:

      [2.1.3-RELEASE][admin@myserver.com]/root(26): telnet 192.168.230.2 222
      Trying 192.168.230.2...
      Connected to 192.168.230.2.
      Escape character is '^]'.
      

      So the "Far side" is able to reach the "Near side" over vpn, and the "Near side"'s vpn address is already NATed and port forwarding port 222 to its destination. This is good (?).

      However, when I add a NAT rule and use 192.168.230.2 as the destination, it doesn't work. I've been trying many different firewall rules in addition to what's added just for the NAT, but I can't get it to work. What needs to be done?

      I'm not sure how useful this is, but these are the lines relating to port 222 in /tmp/rules.debug:

      rdr on ovpns1 proto tcp from any to any port 222 -> 192.168.230.2
      pass in quick on $VPN_HOME $GWVPNGW inet proto tcp from any to 192.168.230.2 port 222 flags S/SA keep state label "USER_RULE: Port forward over vpn test"
      
      $VPN_HOME is the name of the interface that this vpn connection is assigned to (as the thread linked above suggested setting up).
      
      Any ideas would be very appreciated :)
      Derelict (Netgate)

        Look at the diagram in my sig. So you want to have connections into pfSense A 172.27.0.5 port forwarded to Host B1?

        I know the OpenVPN instance on pfSense B will need an assigned interface or reply-to will be broken. And rules on pfSense B's OpenVPN tab cannot match the inbound traffic or reply-to will be broken. Other than that, you just have to make sure the firewall rules on pfSense B's OVPNC1 pass traffic from any (or at least the hosts hitting the port forward) to 172.26.2.100.

        https://forum.pfsense.org/index.php?topic=82732.msg453269#msg453269

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
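        The two-hop forward the thread is describing, written out as plain pf(4) rules so the pieces on each firewall are visible side by side. This is an added example, not from either poster or from pfSense's generated rules.debug; it uses the addresses from the first post, and the interface names (WAN em0 on the far side, OpenVPN server ovpns1, OpenVPN client ovpnc1 on the near side) are assumptions. Two things it makes explicit: rdr is matched on the interface a packet enters, so the far-side redirect belongs on WAN and the near-side one on the OpenVPN interface; and the near-side pass rule needs reply-to because the forwarded packet still carries the Internet client's source address, so the LAN server's reply would otherwise leave via the near side's default route instead of going back into the tunnel. In pfSense the reply-to is added for you only on rules placed on an assigned interface that has a gateway, which is the reason behind the "assigned interface, not the OpenVPN tab" advice above.

```pf
# Added example (not from the thread): two-hop port forward over an OpenVPN
# site-to-site link, as plain pf rules. Addresses are the OP's; interface names
# are assumptions:
#   far side  - WAN em0 (1.2.3.4), OpenVPN server ovpns1 (192.168.230.1)
#   near side - OpenVPN client ovpnc1 (192.168.230.2), LAN 192.168.1.0/24
#
# In the pfSense GUI these correspond to Firewall > NAT > Port Forward entries
# plus the pass rules on the *assigned* OpenVPN interface's own tab.

### far side (pfSense A, VPN server) ###
# rdr is evaluated on the interface the packet ENTERS. Internet clients hit
# 1.2.3.4:222 on WAN, so the redirect lives on em0, not on ovpns1.
rdr on em0 inet proto tcp from any to 1.2.3.4 port 222 -> 192.168.230.2 port 222

# Filter rules see the already-translated destination, so the pass rule
# matches on the remote VPN address, not on 1.2.3.4.
pass in quick on em0 inet proto tcp from any to 192.168.230.2 port 222 \
    flags S/SA keep state label "USER_RULE: forward 222 to near side"

### near side (pfSense B, VPN client, where 192.168.1.200 lives) ###
# The forwarded packet arrives through the tunnel, so this redirect sits on
# the OpenVPN client interface.
rdr on ovpnc1 inet proto tcp from any to 192.168.230.2 port 222 -> 192.168.1.200 port 222

# Source address is still the Internet client's. 192.168.1.200 replies via its
# default gateway (this firewall); without reply-to that reply would follow the
# default route out WAN and the connection would hang. reply-to pins the reply
# to the interface and peer the state was created on, sending it back into the
# tunnel where the far side un-NATs it.
pass in quick on ovpnc1 reply-to ( ovpnc1 192.168.230.1 ) inet proto tcp \
    from any to 192.168.1.200 port 222 flags S/SA keep state \
    label "USER_RULE: forward 222 to LAN server"
```

        A quick way to confirm each hop independently: from the far side, `telnet 192.168.230.2 222` (as in the first post) exercises only the near-side rdr and pass rule; a connection from an Internet host to 1.2.3.4:222 then adds the far-side rdr and, crucially, the return path. If the first test works and the second stalls after the SYN, the state table on the near side (`pfctl -ss | grep 192.168.1.200`) will usually show the state created on ovpnc1 while the reply left via WAN, which is the reply-to symptom Derelict is pointing at.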
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.