[kwlug-disc] pfSense port forwarding over OpenVPN

bob+kwlug at softscape.ca
Tue Feb 4 10:48:54 EST 2020


LOL!

Doesn't sound like a workaround at all... sounds more like a solution. 

You've lost visibility of the source IPs at the endpoint, but at least you can see them on HAProxy.

BB


> -----Original Message-----
> From: kwlug-disc <kwlug-disc-bounces at kwlug.org> On Behalf Of Paul Nijjar via
> kwlug-disc
> Sent: January 31, 2020 5:31 PM
> To: KWLUG discussion <kwlug-disc at kwlug.org>
> Cc: Paul Nijjar <paul_nijjar at yahoo.ca>
> Subject: Re: [kwlug-disc] pfSense port forwarding over OpenVPN
> 
> 
> I think you are right, but instead of actually solving the problem I
> ended up with a workaround. I used HAProxy to forward all SSL traffic
> from the pfSense on SideA to ServerX. This gave me an IP on the local
> domain, and then routing worked again.
> 
> Ugh. So much for my prospects of becoming a network admin.
> 
> - Paul
> 
> 
> On Mon, Jan 27, 2020 at 02:18:31PM -0500, bob+kwlug at softscape.ca wrote:
> > Paul,
> >
> > The first thing that came to mind is that it is something to do with the
> > source IP of the incoming connections and how they are not in scope of the
> > L2L VPN tunnel.
> >
> > As a simple confirmation of this, can you try NATing the source IP (ie: the
> > IP that came from the Internet) to something that is in range on the local
> > network or within the scope of traffic defined for the tunnel? If that works,
> > then you can either leave the source NAT in, or you have to redefine the
> > scope of the tunnel to include this type of traffic.
> >
> > My $0.02
> >
> > BB
> >
> > > -----Original Message-----
> > > From: kwlug-disc <kwlug-disc-bounces at kwlug.org> On Behalf Of Paul Nijjar via
> > > kwlug-disc
> > > Sent: January 24, 2020 2:44 PM
> > > To: kwlug-disc at kwlug.org
> > > Cc: Paul Nijjar <paul_nijjar at yahoo.ca>
> > > Subject: [kwlug-disc] pfSense port forwarding over OpenVPN
> > >
> > > This is a weird one, but a bunch of you are networking geniuses so I
> > > am hoping you can help me out.
> > >
> > > I have two sites: SiteA, and SiteB. SiteB has a web server, ServerX.
> > > SiteA and SiteB are connected via a site-to-site OpenVPN. SiteA and
> > > SiteB are both running pfSense as their firewall.
> > >
> > > I want to do the following: have somebody from the outside world
> > > connect to SiteA, use a NAT port forward to forward that traffic over
> > > the OpenVPN link to SiteB, and have that traffic establish a
> > > connection with ServerX. (Yes, this is ridiculous and upsetting, but
> > > so is my existence. Bear with me.)
> > >
> > > Here's what works:
> > >
> > > - Traffic goes from the outside world to SiteA
> > > - The pfSense rules supposedly allow this traffic to pass over the
> > >   OpenVPN connection (according to pfSense firewall logs)
> > > - If another computer is on SiteA then it can connect over the OpenVPN
> > >   connection to ServerX successfully
> > >
> > > Here's what is broken:
> > >
> > > - Despite the pfSense firewall logs saying that traffic is allowed
> > >   over the OpenVPN connection, a packet inspection on that connection
> > >   reveals no traffic is going through! Something is dropping the
> > >   intended packets, and I do not know the culprit.
> > > - As a result, I can see no traffic on the SiteB pfSense box.
> > >
> > > My guess is that pfSense sees that the port-forwarded traffic is
> > > coming from a foreign IP address (not one of the local subnets) and
> > > rejects the traffic from being relayed over OpenVPN. But I do not know
> > > where/how in pfSense to confirm this, and I do not know how to fix it.
> > >
> > > Help?
> > >
> > > - Paul
> > >
> > > --
> > > Get tech event listings: https://off-topic.kwlug.org/watcamp
> > > Blog: http://pnijjar.freeshell.org
> > >
> > > _______________________________________________
> > > kwlug-disc mailing list
> > > kwlug-disc at kwlug.org
> > > https://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> >
> >
> >
> 
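BB's suggestion (source NAT the forwarded traffic onto an address that is in scope of the tunnel), written out as an added example in pf syntax, the packet filter pfSense generates its rules for; this is not configuration from the thread, and the interface names and addresses are assumed. It shows the port forward on its own beside the outbound NAT rule on the tunnel interface that complements it.

```pf
# Constructed names and addresses (assumptions, not taken from the thread)
wan_if  = "em0"          # SiteA WAN interface
ovpn_if = "ovpns1"       # SiteA end of the site-to-site OpenVPN tunnel
serverx = "10.20.0.10"   # ServerX, on the SiteB LAN behind the tunnel

# Port forward alone. The destination is rewritten to ServerX, but the packet
# leaves over the tunnel still carrying the Internet client's source address,
# which is not one of the networks the tunnel is defined to carry.
rdr on $wan_if inet proto tcp from any to ($wan_if) port 443 -> $serverx port 443

# Outbound (source) NAT on the tunnel interface. The source is rewritten to the
# tunnel's own address, so what crosses the VPN is in-scope traffic and the
# replies from ServerX return through the same tunnel endpoint.
nat on $ovpn_if inet proto tcp from any to $serverx port 443 -> ($ovpn_if)

# pf filters after translation, so the pass rule matches the translated
# destination (pfSense creates this rule with the port forward).
pass in quick on $wan_if inet proto tcp from any to $serverx port 443 keep state
```

As the thread notes, the trade-off is that ServerX then logs the tunnel address rather than the real client IP, so client addresses have to be recorded at SiteA (in the firewall state table or, with the HAProxy variant, in the proxy logs).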