Netgate Discussion Forum

    Forward port from openvpn network to LAN

      vleschuk

      Hello, I have the following setup:

      pfSense 2.2.1 working as an internet gateway (let's say external IP 1.1.1.1) for a local network (192.168.1.0/24) on VMware ESXi. This pfSense gate has local IP 192.168.1.1. It also acts as an OpenVPN client (OpenVPN net 10.15.0.0/24, pfSense IP is 10.15.0.2). It connects fine to the OpenVPN network and can access resources on it (tried telnet on different VPN addresses from the shell).

      What I want to do: I want to forward some ports from the OpenVPN network to the local network. So that my LAN clients could access VPN resources through pfsense router.

      For example, I want TCP port 10.15.0.1:8577 to be accessible in my LAN at 192.168.1.1:8577.

      I have created a NAT rule:

      However I still can't even get port 8577 open on my local interface:

      
      [2.2.1-RELEASE][admin@pfSense.localdomain]/root: netstat -nl|grep 8577
      [2.2.1-RELEASE][admin@pfSense.localdomain]/root: 
      
      

      Could you please tell me what I am doing wrong?

      Thanks in advance.

        doktornotor Banned

        You could perhaps clarify what's the real goal of this packet ping-pong instead.

        @vleschuk:

        So that my LAN clients could access VPN resources through pfsense router.

        There's no such NAT mess needed for this. Point the clients at the remote LAN IP. Not at your router!

        https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site
        https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)

          vleschuk

          The problem is that I can't set up a full-featured site-to-site VPN: I have no access to the VPN server, I have only 1 VPN client key. So I need to either share the VPN connection with all my local machines behind the router (tried to do it: allowed all traffic on pfSense to the OpenVPN network, added static routes on LAN machines) - this didn't work out. pfSense wasn't forwarding packets from LAN to OpenVPN. Now I decided to try just NATting the required resources from OpenVPN to LAN.

            doktornotor Banned

            As noted above - please describe the real goal you are trying to achieve.

              vleschuk

              The real goal is so that machines from the LAN (192.168.1.0/24) could access a resource on the VPN (10.15.0.1:5877) via HTTP.

                doktornotor Banned

                Assign the VPN interface (type = none), enable it and do the port-forward/NAT there if needed. Configure firewall rules there to allow traffic.

                  vleschuk

                  That's already done. I assigned the interface (through interface -> assign), it got the name OPT1, allowed all traffic (from any to any pass) for this interface, and set up port forwarding (see the screen in the original post). However, the port on the LAN interface still doesn't open.

                    doktornotor Banned

                    No, that's not already done. You are setting up the port-forward on LAN, according to the screenshot. It won't do anything useful there. Also, if you have any rules on the OpenVPN tab, remove them.
