[kwlug-disc] pfSense port forwarding over OpenVPN

L.D. Paniak ldpaniak at fourpisolutions.com
Fri Jan 24 19:44:36 EST 2020


A couple of questions:

1) Is the site-site connection a tap or tun link?

2) Is the "other" computer on SiteA behind the same NAT as the external
user?

3) How does external user connect to SiteA?

4) Can you send the routing table(s)?

On 1/24/20 2:44 PM, Paul Nijjar via kwlug-disc wrote:
> This is a weird one, but a bunch of you are networking geniuses so I
> am hoping you can help me out. 
>
> I have two sites: SiteA, and SiteB. SiteB has a web server, ServerX.
> SiteA and SiteB are connected via a site-to-site OpenVPN. SiteA and
> SiteB are both running pfSense as their firewall.
>
> I want to do the following: have somebody from the outside world
> connect to SiteA, use a NAT port forward to forward that traffic over
> the OpenVPN link to SiteB, and have that traffic establish a
> connection with ServerX. (Yes, this is ridiculous and upsetting, but
> so is my existence. Bear with me.) 
>
> Here's what works: 
>
> - Traffic goes from the outside world to SiteA
> - The pfSense rules supposedly allow this traffic to pass over the
>   OpenVPN connection (according to pfSense firewall logs)
> - If another computer is on SiteA then it can connect over the OpenVPN
>   connection to ServerX successfully
>
> Here's what is broken: 
>
> - Despite the pfSense firewall logs saying that traffic is allowed
>   over the OpenVPN connection, a packet inspection on that connection
>   reveals no traffic is going through! Something is dropping the
>   intended packets, and I do not know the culprit.
> - As a result, I can see no traffic on the SiteB pfSense box. 
>
> My guess is that pfSense sees that the port-forwarded traffic is
> coming from a foreign IP address (not one of the local subnets) and
> rejects the traffic from being relayed over OpenVPN. But I do not know
> where/how in pfSense to confirm this, and I do not know how to fix it. 
>
> Help?
>
> - Paul
>
