[SOLVED] Port Forwarding on VPN interface



  • I have a pfSense virtual machine that's configured to connect to TorGuard VPN. I've port forwarded two ports on TorGuard's website, then added the port forwards into the pfSense box I have installed. I'm using an nginx web server which uses https for the webpages. The issue is that even though these ports are open (I've verified using a port checker website), whenever I browse to my VPN IP and the specified port, I never get a webpage displayed (it always times out, but I've verified that when I shut down the VM hosting the web server, the ports become closed), despite the ports being open. Although I don't think this is a problem, I'd like to state that I'm using a VMware hypervisor to host all of these VMs. Anyways, I did some troubleshooting. I installed another pfSense VM to create a test network, then I also installed another VM with the nginx webserver on it. This test pfSense VM's WAN port connected to my primary router, which connected to my ISP (it had my real IP address). Then I port forwarded the two ports for the test nginx web server on my primary router to the test pfSense VM, then I port forwarded the ports on the test pfSense VM to the nginx web server. Then I tested the ports again using the port checker website, they were up, so then I tried browsing via my public IP and the ports, and the webpage loaded. At that point I ruled out that there's a difference between how my pfSense box connecting to the VPN is set up and how my test pfSense VM is set up. My problem is that I don't know what configuration I'm missing on the VPN pfSense VM. At first I thought it might be the way I had NAT configured, but I'm not firmly grasping the concept of NAT, so I'm not sure if it is or is not my problem. I'd appreciate it if someone could provide some insight!

    Edit: Thought it would be a fairly intelligent idea to upload some attachments (sorry for omitting them previously)!











  • You will have an asymmetric routing issue. The request to your webserver comes over VPN, but the response is sent to the WAN gateway.

    If your webserver is only accessible over VPN you may set the default route on this server to the Torguard server address.
    If it should also be accessible over WAN, add an outbound NAT rule for the LAN interface in pfSense to translate the source address to the LAN address. However, this solution has the disadvantage that you don't see the real client source IP in the webserver logs, but just pfSense's LAN IP.



  • @viragomann:

    You will have an asymmetric routing issue. The request to your webserver comes over VPN, but the response is sent to the WAN gateway.

    If your webserver is only accessible over VPN you may set the default route on this server to the Torguard server address.
    If it should also be accessible over WAN, add an outbound NAT rule for the LAN interface in pfSense to translate the source address to the LAN address. However, this solution has the disadvantage that you don't see the real client source IP in the webserver logs, but just pfSense's LAN IP.

    So if I set a default route on pfSense to forward the private IP address of my server to the Torguard server, it will fix the issue (I hope I'm understanding)? I don't know how to do that on pfSense, could you please tell me how? Also, I'm not seeing where you see the response of the webserver being sent to the WAN gateway, or I don't know enough about NAT and I'm not seeing what you're seeing. Thanks and sorry for the stupid questions.



  • @excetna:

    Also, I'm not seeing where you see the response of the webserver being sent to the WAN gateway, or I don't know enough about NAT and I'm not seeing what you're seeing.

    The request to your webserver comes over VPN from a public address. So the response from the webserver is sent back to this address, and public IPs are routed over the default gateway. I assume this will be pfSense's LAN IP on your webserver, and on pfSense it will be the WAN gateway.

    So you have to add a static default route to your webserver, not to pfSense. This route has to point to the VPN tunnel gateway IP. This is mostly the first usable address of the VPN tunnel. You may detect it in Diagnostics > Routes.
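    To illustrate the asymmetric routing explained in the two replies above (request in via the VPN tunnel, reply out via the WAN default route) and the two fixes named there (a default route via the tunnel gateway, or outbound NAT on LAN), here is an added example that is not from the thread. It models the routing decision with a plain longest-prefix lookup; the client, WAN, tunnel and web server addresses and interface names are constructed, only the pfSense LAN IP 172.16.1.1 comes from the thread, and pfSense's own reply-to state handling is deliberately left out of the model.

```python
import ipaddress

# Constructed topology (assumed addresses; only 172.16.1.1 is from the thread).
CLIENT = "203.0.113.10"          # Internet client reaching the VPN port forward
PFSENSE_LAN_IP = "172.16.1.1"
WEBSERVER = "172.16.1.10"
VPN_IFACE, WAN_IFACE, LAN_IFACE = "ovpnc1", "vmx0", "vmx1"


def lookup(routes, dst):
    """Longest-prefix match over (prefix, gateway, interface) tuples."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (best[1], best[2]) if best else None


def pfsense_routes(default_via_vpn):
    """pfSense routing table with the default route either via the VPN
    tunnel gateway or via the WAN gateway (both gateway IPs assumed)."""
    default_gw = ("10.8.0.1", VPN_IFACE) if default_via_vpn else ("198.51.100.1", WAN_IFACE)
    return [
        ("172.16.1.0/24", None, LAN_IFACE),    # LAN, directly connected
        ("198.51.100.0/24", None, WAN_IFACE),  # WAN subnet
        ("10.8.0.0/24", None, VPN_IFACE),      # VPN tunnel subnet
        ("0.0.0.0/0",) + default_gw,           # default route
    ]


def reply_path(default_via_vpn, outbound_nat_on_lan):
    """Return (ingress_iface, egress_iface, symmetric) for the web server's
    reply to a request that arrived through the VPN port forward."""
    ingress = VPN_IFACE
    # With outbound NAT on LAN the server sees pfSense's LAN IP as the client,
    # so its reply goes straight back to pfSense, which returns it through the
    # tunnel state that created the translation rather than via a route lookup.
    if outbound_nat_on_lan:
        return ingress, VPN_IFACE, True
    # Otherwise the reply is addressed to the public client; the server's
    # default gateway is pfSense, which then routes purely by destination.
    _, egress = lookup(pfsense_routes(default_via_vpn), CLIENT)
    return ingress, egress, egress == ingress
```

    With the WAN gateway as default and no outbound NAT the reply leaves on the WAN interface, which is the asymmetric case; either fix makes it leave on the tunnel.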



  • @viragomann:

    @excetna:

    Also, I'm not seeing where you see the response of the webserver being sent to the WAN gateway, or I don't know enough about NAT and I'm not seeing what you're seeing.

    The request to your webserver comes over VPN from a public address. So the response from the webserver is sent back to this address, and public IPs are routed over the default gateway. I assume this will be pfSense's LAN IP on your webserver, and on pfSense it will be the WAN gateway.

    So you have to add a static default route to your webserver, not to pfSense. This route has to point to the VPN tunnel gateway IP. This is mostly the first usable address of the VPN tunnel. You may detect it in Diagnostics > Routes.

    I understand your first sentence. I know that my default gateway on pfSense is the Torguard gateway, and the webserver does use pfSense's IP (172.16.1.1) as the default gateway. I set up a static route, but I'm not even sure if I did it right. At this point I can't even fathom what I'm doing, partly because I'm a noob. Thanks for your help!






  • @excetna:

    I know that my default gateway on pfSense is the Torguard gateway, the webserver does use pfSense's IP (172.16.1.1) as the default gateway.

    If these two things are given there is no need for a further static route.
    However, if the Torguard gateway is your default gateway, any traffic from pfSense and the networks behind it goes through VPN. I don't know if this is wanted.

    Though access to your webserver should be possible this way, isn't it?



  • @viragomann:

    @excetna:

    I know that my default gateway on pfSense is the Torguard gateway, the webserver does use pfSense's IP (172.16.1.1) as the default gateway.

    If these two things are given there is no need for a further static route.
    However, if the Torguard gateway is your default gateway, any traffic from pfSense and the networks behind it goes through VPN. I don't know if this is wanted.

    Though access to your webserver should be possible this way, isn't it?

    I did some digging, and had a friend test the IP address, he was able to get on. So I tried it on my phone, it worked too. Turns out malwarebytes antimalware was blocking it. Sorry for being a flaming idiot, and thanks for your help. I appreciate it.

    To any moderators: this can be archived, deleted, or whatever needs done. The title of this thread isn't accurate of what the issue was.



  • If you go back to your first message, you can edit it and add a [SOLVED] to the title for posterity's sake ;)

