Firewall ignored pass rule for OpenVPN traffic



  • Hello, dear friends. I already broke all my brain :o
    The firewall is blocking (with the default tcp4 block rule) incoming connections from the internet to the WAN interface and ignoring the pass rule for the traffic!
    The pass rule was first created with the OpenVPN wizard.

    • I also tried creating it myself; no result, the traffic is blocked, I see it in "Status: System logs: Firewall"
    • I tried changing the port from 1194 (UDP) to another one (changing the firewall pass rule accordingly); no result, the traffic is blocked
    • I tried adding, from "Status: System logs: Firewall", "Easy rule: pass this traffic", but that also had no result.

    I absolutely don't understand this behavior of the firewall.
    Please help me, friends.
    pfSense 2.1.5 x64 on a physical host

    93.124. - OpenVPN client address
    81.200. - WAN port address
    :23168 - port of the OpenVPN server on pfSense
    ![fw rules.jpg](/public/imported_attachments/1/fw rules.jpg)
    ![fw log block.jpg](/public/imported_attachments/1/fw log block.jpg)



  • Friends, I solved the problem.
    I renamed an alias that appeared in the outbound NAT. But in the NAT rules the alias kept the old name. It caused absolutely inadequate behavior of the firewall.

    Please report this to the developers; I think it is an important bug which can kill a production server.


  • LAYER 8 Global Moderator

    What are you saying caused the problem?  Why would you have an alias in outbound NAT?



  • Algorithm of how the problem emerged

    • I created an alias with a list of IP addresses
    • included it in an outbound NAT rule
    • renamed the alias
    • in the outbound NAT rule the alias remained with the old name and generated bugs
      So, logically, the alias in the outbound NAT rule should have been renamed automatically and shouldn't have caused bugs.
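A consistency check of the kind this outcome calls for, as an added example that is not from the thread or from pfSense itself: it parses a pfSense-style config.xml and lists NAT and filter rules that reference an alias name no longer defined under `<aliases>`, which is exactly the state left behind when an alias is renamed but a rule keeps the old name. The element layout is assumed from pfSense's config.xml format, the sample document is constructed, and the list of built-in network keywords is a partial assumption.

```python
# Added example, not from the thread: flag rules whose alias name is no longer
# defined, as happens when an alias is renamed but a NAT rule keeps the old name.
import xml.etree.ElementTree as ET

# Constructed pfSense-style config.xml: alias renamed VPN_CLIENTS -> VPN_PEERS,
# but the outbound NAT rule still carries the old name.
SAMPLE_CONFIG = """<pfsense>
  <aliases>
    <alias><name>VPN_PEERS</name><type>network</type><address>93.124.0.0/16</address></alias>
  </aliases>
  <nat><outbound><mode>hybrid</mode><rule><interface>wan</interface>
    <source><network>VPN_CLIENTS</network></source><destination><any/></destination></rule></outbound></nat>
  <filter><rule><interface>wan</interface><protocol>udp</protocol><source><any/></source>
    <destination><network>wanip</network><port>23168</port></destination></rule></filter>
</pfsense>"""

# Keywords pfSense accepts in address fields that are not aliases (assumed, partial list).
BUILTIN_NETWORKS = {"any", "wanip", "lanip", "(self)", "wan", "lan"}


def alias_names(root):
    """Set of alias names defined under <aliases>."""
    return {a.findtext("name") for a in root.iter("alias") if a.findtext("name")}


def referenced_names(rule):
    """Alias-like names used in a rule's source/destination <address> or <network>."""
    for end in ("source", "destination"):
        node = rule.find(end)
        for field in ("address", "network"):
            val = node.findtext(field) if node is not None else None
            # Literal IPs/CIDRs contain '.', ':' or '/', which alias names never do.
            if val and val.lower() not in BUILTIN_NETWORKS and not set(val) & set("./:"):
                yield val


def dangling_alias_refs(xml_text):
    """Return [(section, rule_index, alias_name)] for references to undefined aliases."""
    root = ET.fromstring(xml_text)
    defined = alias_names(root)
    return [(section, idx, name)
            for section in ("nat/outbound", "filter")
            for idx, rule in enumerate(root.findall(section + "/rule"))
            for name in referenced_names(rule) if name not in defined]


if __name__ == "__main__":
    for section, idx, name in dangling_alias_refs(SAMPLE_CONFIG):
        print(f"{section} rule #{idx} references undefined alias '{name}'")
```

Run against a real config.xml backup, the same check points at every rule that a rename has left pointing at a name the ruleset can no longer resolve.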
