Forward port from openvpn network to LAN



  • Hello, I have the following setup:

    pfSense 2.2.1 working as an internet gateway (let's say external IP 1.1.1.1) for a local network (192.168.1.0/24) on VMware ESXi. This pfSense gateway has local IP 192.168.1.1. It also acts as an OpenVPN client (OpenVPN net 10.15.0.0/24, pfSense IP is 10.15.0.2). It connects fine to the OpenVPN network and can access resources on it (tried telnet to different VPN addresses from the shell).

    What I want to do: I want to forward some ports from the OpenVPN network to the local network, so that my LAN clients can access VPN resources through the pfSense router.

    For example, I want TCP port 10.15.0.1:8577 to be accessible in my LAN at 192.168.1.1:8577.

    I have created a NAT rule:

    However, I still can't even get port 8577 open on my local interface:

    [2.2.1-RELEASE][admin@pfSense.localdomain]/root: netstat -nl|grep 8577
    [2.2.1-RELEASE][admin@pfSense.localdomain]/root: 

    Could you please tell me what I am doing wrong?

    Thanks in advance.


  • Banned

    You could perhaps clarify what the real goal of this packet ping-pong is instead.

    @vleschuk:

    So that my LAN clients could access VPN resources through pfsense router.

    There's no such NAT mess needed for this. Point the clients at the remote LAN IP. Not at your router!

    https://doc.pfsense.org/index.php/OpenVPN_Site_To_Site
    https://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)



  • The problem is that I can't set up a full-featured site-to-site VPN: I have no access to the VPN server, I have only one VPN client key. So I need to either share the VPN connection with all my local machines behind the router (tried to do it: allowed all traffic on pfSense to the OpenVPN network, added static routes on the LAN machines), which didn't work out, as pfSense wasn't forwarding packets from LAN to OpenVPN. Now I have decided to try just NATing the required resources from OpenVPN to LAN.


  • Banned

    As noted above - please describe the real goal you are trying to achieve.



  • The real goal is for machines on the LAN (192.168.1.0/24) to be able to access a resource on the VPN (10.15.0.1:5877) via HTTP.


  • Banned

    Assign the VPN interface (type = none), enable it and do the port-forward/NAT there if needed. Configure firewall rules there to allow traffic.



  • That's already done. I assigned the interface (through Interfaces -> Assign), it got the name OPT1, allowed all traffic (pass from any to any) on this interface, and set up port forwarding (see the screenshot in the original post). However, the port on the LAN interface still doesn't open.


  • Banned

    No, that's not already done. You are setting up the port-forward on LAN, according to the screenshot. It won't do anything useful there. Also, if you have any rules on the OpenVPN tab, remove them.
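For reference, here is what a redirect of the shape discussed in this thread looks like in pf's own rule syntax, together with the outbound NAT and filter rules it depends on. This is an added example, not copied from the thread or from pfSense's generated ruleset; the interface names (em1 for LAN, ovpnc1 for the OpenVPN client interface assigned as OPT1) are assumptions, and the addresses are the ones from the original post.

```pf
# Added example: pf equivalent of forwarding 192.168.1.1:8577 to 10.15.0.1:8577.
# Interface names are assumptions (em1 = LAN, ovpnc1 = assigned OpenVPN client
# interface, OPT1). This is not pfSense's generated configuration.

lan_if  = "em1"
vpn_if  = "ovpnc1"
lan_net = "192.168.1.0/24"
vpn_srv = "10.15.0.1"

# Redirect (pfSense: Firewall > NAT > Port Forward). A rdr attaches to the
# interface on which the client's packets ENTER pfSense. A LAN client that
# connects to 192.168.1.1:8577 therefore hits this rule on the LAN interface,
# and its destination is rewritten to 10.15.0.1:8577.
rdr on $lan_if proto tcp from $lan_net to 192.168.1.1 port 8577 -> $vpn_srv port 8577

# Outbound NAT (pfSense: Firewall > NAT > Outbound, manual or hybrid mode).
# The VPN server has no route back to 192.168.1.0/24 (the poster cannot change
# the server), so the forwarded connection must leave the tunnel with pfSense's
# own tunnel address (10.15.0.2) as source; otherwise replies are never routed
# back and the connection hangs in SYN_SENT.
nat on $vpn_if from $lan_net to $vpn_srv -> ($vpn_if)

# Filter rules. Translation happens before filtering, so the LAN rule must
# permit the post-NAT destination (10.15.0.1:8577), not 192.168.1.1:8577.
pass in  quick on $lan_if proto tcp from $lan_net to $vpn_srv port 8577 keep state
pass out quick on $vpn_if proto tcp to $vpn_srv port 8577 keep state
```

One thing this makes visible is why the `netstat -nl | grep 8577` check in the original post stays empty even when the forward works: a rdr is a state-table translation, not a listening socket, so nothing on pfSense ever binds port 8577. The checks that do show it are `pfctl -s nat` (the rdr and nat rules are loaded), `pfctl -s rules | grep 8577` (the pass rules are present), and, while a LAN client has a connection open, `pfctl -s state | grep 8577`, which should list a LAN-side state translating the client to 10.15.0.1:8577 and a tunnel-side state with 10.15.0.2 as source.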